From: Nils Toedtmann <user-mode-linux-user@ni...> - 2005-03-13 15:36:07
On Sunday, 13.03.2005, 14:21 +0000, Antoine Martin wrote:
> On Sun, 2005-03-13 at 14:14 +0000, Antoine Martin wrote:
> > > On Friday, 11.03.2005, 20:22 +0100, Nils Toedtmann wrote:
> > > > On Friday, 11.03.2005, 19:35 +0100, Blaisorblade wrote:
> > > > > First: could you put the resulting procedure into the UML Wiki?
> > > > [chroot stuff]
> > > >
> > > > I'll do so as soon as I have time, hopefully this weekend. If it does
> > > > not occur till Wednesday, remind me (my memory is awful).
> > >
> > > Please read, comment, test, correct, rewrite:
> > I just had a quick look, this is quite similar to what I had done, good
> > stuff! One comment: screen does not have to be inside the chroot for
> > chroot to work (I don't know about compartment)
True, but I _want_ it to be inside the chroot (to prevent escaping the
chroot via attacking screen) and to be owned by the uml user (such that
he can reconnect to that console), not by root.
> the phrack url should probably point to the issue that mentions how to
> use /dev/kmem, but I can't remember which one (36?)
I found one example. They had several issues on this.
> - although 99% of us
> mere mortals will just trust what it says without actually trying it.
> hardening the kernel can also be done using selinux (my policy isn't
> good enough to be published though)
> I don't have cpuinfo in my chroot and it works...
In SKAS mode it gives only a warning now. Older versions just exited
without appropriate error message.
> > I will read up some more.
> > antoine
Thanks. Included your comments in the wiki:
> > > <http://uml.harlowhill.com/index.php/Chroot>