Subject: Re: chroot(2)
To: None <>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 10/04/1998 08:47:40
> I still like the idea of being able to dissable syscalls for a
> process and its children.

This could be useful, though it can also be dangerous, especially when
a new syscall gets added (eg, pread/pwrite - if you the application
author have disabled read/write, how are you to know that you now need
to disable pread/pwrite as well?) or renamed (consider versioning).

> I think it would be worthwhile though to avoid limiting the feature
> to non-root chroot(2)'d processes.

Heh.  I don't think I ever suggested blanket forbidding certain
syscalls to non-root-chroot()ed processes.  I suggested suppressing
set-id bits (which when not suppressed would be used by exec*(), but I
don't suggest disabling exec*()) and I suggested disabling chdir/fchdir
when the to-be-changed-to directory is not under the processes' root

					der Mouse

		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B