Hello.
I've implemented a new security model based on the kauth(9) framework,
secmodel_securechroot(9). Its purpose is to completely isolate
chrooted processes from the host system, that is to prevent all destructive
changes by chrooted processes even if they are run under root privileges
and to
On Sat, 09 Jul 2011, Aleksey Cheusov wrote:
· Adding and enabling a ppp(4) interface is not allowed.
· Adding and enabling a sl(4) interface is not allowed.
· Adding and enabling a strip(4) interface is not allowed.
· Adding and enabling a tun(4) interface is not allowed.
· Adding and enabling
On Sat, Jul 09, 2011 at 12:03:50PM +0300, Aleksey Cheusov wrote:
DESCRIPTION
The securechroot security model is intended to protect the system
against destructive modifications by chroot-ed processes. If
enabled, secmodel_securechroot applies the following restrictions
to
On Sat, 9 Jul 2011, Alan Barrett wrote:
On Sat, 09 Jul 2011, Aleksey Cheusov wrote:
· Adding and enabling a ppp(4) interface is not allowed.
· Adding and enabling a sl(4) interface is not allowed.
· Adding and enabling a strip(4) interface is not allowed.
·
· Setting the process resource limits is not allowed.
Lowering should still be possible.
i'm not sure the point of this one, really. if this configuration
is desired, then set rlimit max == cur to whatever you want before
starting the chroot. ie, this can be done already with
On Nov 29, 7:06am, Joerg Sonnenberger wrote:
} On Sat, Jul 09, 2011 at 12:03:50PM +0300, Aleksey Cheusov wrote:
} DESCRIPTION
} The securechroot security model is intended to protect the system
} against destructive modifications by chroot-ed processes. If
} enabled,
On Sat, Jul 09, 2011 at 12:03:50PM +0300, Aleksey Cheusov wrote:
Hello.
I've implemented a new security model based on the kauth(9) framework,
secmodel_securechroot(9). Its purpose is to completely isolate
chrooted processes from the host system, that is to prevent all destructive
changes by