Hi! From 'http://www.solucorp.qc.ca/miscprj/s_context.hc?dp=0&full=1&prjstate=1&nodoc=0':
> Note that the new system calls (new_s_context and set_ipv4root) are not
> controlled by capabilities. They are by nature irreversible. Once a virtual
> server is trapped in a chroot/s_context/ipv4root box, it can't escape from
> the parameters of this trap.
From net/socket.c:
> asmlinkage int sys_set_ipv4root (__u32 ip[], int nbip, __u32 bcast)
> {
[...]
> }else if (ip_info == NULL
> || ip_info->ipv4[0] == 0
> || capable(CAP_NET_ADMIN)){
> // We are allowed to change everything
> ret = 0;
So the docs say no capability enables one to break out of ipv4root, but the
source suggests otherwise.
Am I misinterpreting the source or is it a mismatch between theory and
practice?
CU/Lnx Sascha
--
Registered Linux User #77587 (http://counter.li.org/)
bomb terrorist afghanistan PGP encrypt CIA FBI BND MAD StaSi anschlag strike sex pussy
xxx kill bj hitler Gates MS Windows ZV ZDV
msg00391/pgp00000.pgp
Description: PGP signature
