[LEDE-DEV] [PATCH procd 7/7] jail: don't CLONE_NEWUTS if we don't change hostname

John Crispin john at phrozen.org
Mon May 30 03:01:09 PDT 2016



On 30/05/2016 11:59, Etienne Champetier wrote:
> Hi John,
> 
> 2016-05-30 9:33 GMT+02:00 John Crispin <john at phrozen.org>:
>>
>>
>> Hi Etienne,
>>
>> why don't we want to do that?
> 
> If you modify the hostname of the router you might want to propagate
> it into the jail, it depends
> 
> Please don't merge this patch, I will improve it a bit:
>  no -h => no CLONE_NEWUTS
>  -h => CLONE_NEWUTS
>  -h <newhostname> => CLONE_NEWUTS + sethostname()
> 
> CLONE_NEWUTS is not a security feature,
> sethostname() requires CAP_SYS_ADMIN which allows you to escape jail
> (mknod + mount for example)

ok, I'll merge 1-6 and leave 7/7 out. I wondered about this because
there are 3 states (the ones you listed) and the code only handles 2.

	John
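
The three `-h` states listed in the thread, sketched as an added example (not code from the patch or from procd): the option parser keeps "absent", "present" and "present with a name" apart, and only the last one calls sethostname(). The names `uts_plan`, `parse_uts`, `uts_clone_flags` and `uts_apply_in_child` are hypothetical, and the attached `-hNAME` spelling is an assumption that comes from getopt's optional-argument syntax (`h::`).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE		/* exposes CLONE_NEWUTS in <sched.h> */
#endif
#include <sched.h>
#include <string.h>
#include <unistd.h>

#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS 0x04000000	/* value from the Linux UAPI headers */
#endif

/* The three states from the thread. */
enum uts_mode { UTS_SHARED, UTS_PRIVATE, UTS_PRIVATE_RENAME };

struct uts_plan {
	enum uts_mode mode;
	const char *hostname;	/* non-NULL only for UTS_PRIVATE_RENAME */
};

/* "h::" makes the argument of -h optional; it must be attached (-hNAME). */
int parse_uts(int argc, char **argv, struct uts_plan *p)
{
	int ch;

	p->mode = UTS_SHARED;	/* no -h => no CLONE_NEWUTS */
	p->hostname = NULL;
	optind = 0;		/* restart getopt so repeated calls work */
	while ((ch = getopt(argc, argv, "h::")) != -1) {
		if (ch != 'h')
			return -1;	/* unknown option */
		p->hostname = (optarg && *optarg) ? optarg : NULL;
		p->mode = p->hostname ? UTS_PRIVATE_RENAME : UTS_PRIVATE;
	}
	return 0;
}

/* Flag to OR into the clone() flags used to start the jailed child. */
int uts_clone_flags(const struct uts_plan *p)
{
	return p->mode == UTS_SHARED ? 0 : CLONE_NEWUTS;
}

/* Run in the child after clone(): rename only when a name was given. */
int uts_apply_in_child(const struct uts_plan *p)
{
	if (p->mode != UTS_PRIVATE_RENAME)
		return 0;	/* keep the inherited or copied hostname */
	return sethostname(p->hostname, strlen(p->hostname));
}
```
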


