On Thu, Nov 15, 2012 at 05:23:04PM +0000, Emmanuel Dreyfus wrote: > On Thu, Nov 15, 2012 at 11:03:15AM -0500, Thor Lancelot Simon wrote: > > This strikes me as profoundly dangerous. Among other things, it > > means you can't allow any program running in a chroot to receive > > unix-domain messages any more since they might get passed a file > > descriptor to code they should not be able to execute. > > We can restrict it to VREG vnodes.
Last I checked, most executable code was accessed by VREG vnodes. Thor
