[rsbac] change chroot syscall by rsbac_jail one

Javier J. Martínez Cabezón tazok.id0 at gmail.com
Sun Feb 22 14:26:41 CET 2009


Hi, I was thinking, why don't you directly replace the chroot syscall
(NR_61 in svn) with the rsbac syscall_jail one?

You could add a config option CONFIG_CHANGE_CHROOT_BY_JAIL; if defined,
all chroot calls will "jump" to the rsbac_jail one.
I think that userspace programs will use rsbac_jail without knowing
about the change, since they are still calling sys_chroot.

So I think you can do the same as some rootkits do... change syscall_table :).

Configuration of the jail could be done using data from kernel land. By
default the behaviour (parameters) of rsbac_jail could be the same as
chroot, only changing the / dir but with all the restrictions of rsbac_jail;
we could, for example, indicate later what the maximum
capabilities, IP, etc. will be.

I think with this one problem could be solved (people don't want to
change software source code to use jails), making it transparent for
the user.

What do you think?

