On 3 May 2012 11:26:55 Rob Landley wrote:
> On 05/03/2012 03:52 AM, Roman Khimov wrote:
> > On 2 May 2012 12:01:49 Rob Landley wrote:
> >> I repeat: I have no clue what you're trying to accomplish here.
> >
> > Shortly: immutable read-only rootfs.
>
> I've used squashfs, isofs, cramfs, and romfs. None of them are so
> immutable that mount --move doesn't work.

Well, that kind of immutability doesn't work for us for several reasons; let's say there are times (like special boot modes) when we do need to write something to rootfs in a normal way, to then reboot in normal operating mode with that rootfs locked up again. Thus the original question with 'mount --move' --- when we load up an RSBAC rule that prohibits remounting rootfs, the original switch_root stops working because of the 'mount --move' failure.

> > Which RSBAC can provide with proper rule
> > set (and the rule set can be prevented from changing by rsbac_freeze).
>
> You're trying to "protect" the operating system from the root user. This
> is the part that seems crazy at a conceptual level.

RSBAC allows us to make root a bit less root than usual and we do want that additional level of protection. It's not to say that it's the only way we protect our system, but that is an additional level for sure.

_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
