Subject: Re: replace chroot() with a chroot overlay file system?
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: David Maxwell <david@crlf.net>
List: tech-security
Date: 11/02/2005 11:35:08

On Tue, 01 Nov 2005, Steven M. Bellovin wrote:
> I'm thinking out loud here, so I may easily be confused, but...
> 
> What if we replaced the chroot() system call by an overlay file
> system, mounted over some subtree?  The advantage is that that file
> system could be mounted read-only, nosuid, nodev, even noexec.

One problem that comes to mind - what if you want multiple processes
chroot()ed into the same space? It seems that you would end up with
stacked mounts, and the older ones can't be unmounted via the existing
stackable filesystem model, until the newer ones are released.

Additionally, is it possible you might want 'noexec' etc, to apply to
only some of the processes in that chrooted area? I don't think that works
with the filesystem thought.

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
(About an Amiga rendering landscapes) It's not thinking, it's being artistic!
					      - Jamie Woods