Re: Relax the prohibition of usage fchdir(2) to quit a chroot

[christos%astron.com@localhost (Christos Zoulas)]

In article 
<trinity-8dd4abc6-77a8-4d9d-889b-54aa9678554f-1411294647535@3capp-mailcom-bs16>,
Kamil Rytarowski <n54%gmx.com@localhost> wrote:
>Thanks Marc,
>
>Well, right the better word is 'add feature' and we would change the
>discussion from 'don't touch anything' to 'let's add chroot restrictions
>swappable in runtime, that's a cool feature opening opportunities' and
>then to mind-storm ideas what and how to restrict.
>
>In some other way we might end up with floating patches around ;-)
>
>With kind regards.

I think that while I agree with the answer given (adding sysctls like that
break the security model) there are alternatives which might help you to
achieve your goal:

- create a hard link to the file you want to change inside the chroot
- give access to the subtree using a loopback mount.
- create a named pipe that can be used from a process outside the chroot
  to exchange data.
- if you want to get adventurous you can write a tiny LKM that lets you
  open a device node that points to the file descriptor you want.

christos