On 26/08/2015 01:00, Etienne CHAMPETIER wrote:
> This patch series reworks ujail a bit,
> and adds capabilities support to it

nice

>
> Seccomp filters are very powerful but not totally generic,
> each arch can have a different set of syscalls,
> each libc can use a different syscall for the same function,
> and seccomp isn't supported on all arches.
>
> Capabilities are more high level, but still can restrict
> jail to a sane minimum of privileges.
>
> Patch 4 is a bit big and i can split it if needed, just tell me how

will have a closer look next few days

there seems to be a way to escape from the rebind mount jail that QCA has found and i have not had the time yet to finish my jailfs module. it runs and loads, i can do mounts and access files inside them using normal shell calls. however if i point a jail instance at the mountpoint it oopses horribly. i suspect that i am either using vfs wrong or am missing locking/ref-counting somewhere. i'll throw the code onto github later today or tomorrow and post the link. maybe someone with more knowledge of vfs can help fix it.