Hi, If I understood you correct earlier, the only policy you needed to enforce was to prevent double-chrooting. If that is the case, why is it not sufficient to keep a "process-has-used-chroot" flag in current->security which is set on the first call to capable(CAP_SYS_CHROOT) and inherited by forked children, after which calls to capable(CAP_SYS_CHROOT) are refused?
Of course if you need to do more, then a hook might be necessary. -serge - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
