Hi!

> Note that the new system calls (new_s_context and set_ipv4root) are not
> controlled by capabilities. They are by nature irreversible. Once a
> virtual server is trapped in a chroot/s_context/ipv4root box, it can't
> escape from the parameters of this trap.

    asmlinkage int sys_set_ipv4root (__u32 ip[], int nbip, __u32 bcast)
    {
        [...]
        } else if (ip_info == NULL || ip_info->ipv4[0] == 0 || capable(CAP_NET_ADMIN)) {
            // We are allowed to change everything
            ret = 0;

So the documentation says no capability enables one to break out of ipv4root, but the source suggests otherwise. Am I missing some important fact, or is it a mismatch between theory and practice?

CU/Lnx
Sascha

-- 
Registered Linux User #77587 (http://counter.li.org/)
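The following is an added example, not code from the post or from the VServer kernel patch: it models the one branch visible in the quoted sys_set_ipv4root fragment as a pure policy function, next to a second policy that expresses what the documentation promises (once an ipv4root is set, no capability reopens it), so the two can be compared state by state. The struct layout, the IPV4ROOT_MAX constant and the sample addresses are assumptions; only the field name ipv4[0] and the three-way condition come from the quoted code. Whatever the elided [...] part of the real function checks before this branch is not modelled, so this shows what the quoted condition alone permits, nothing more.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed layout of the per-context address table; the real struct in the
 * VServer patch may differ.  Only the convention that ipv4[0] == 0 means
 * "no ipv4root set yet" is taken from the quoted source. */
#define IPV4ROOT_MAX 16

struct ip_info_model {
    unsigned int ipv4[IPV4ROOT_MAX];
    int nbip;
};

/* Policy exactly as the quoted branch spells it: the change is allowed
 * when there is no ipv4root yet, OR the caller holds CAP_NET_ADMIN.
 * Returns 0 ("allowed to change everything") or -EPERM. */
int set_ipv4root_allowed_as_coded(const struct ip_info_model *ip_info,
                                  int cap_net_admin)
{
    if (ip_info == NULL || ip_info->ipv4[0] == 0 || cap_net_admin)
        return 0;
    return -EPERM;
}

/* Policy as the documentation describes it: the trap is irreversible, so
 * the capability bit is deliberately not consulted once a root exists. */
int set_ipv4root_allowed_as_documented(const struct ip_info_model *ip_info,
                                       int cap_net_admin)
{
    (void)cap_net_admin;
    if (ip_info == NULL || ip_info->ipv4[0] == 0)
        return 0;
    return -EPERM;
}

/* 1 when the two policies give different answers for this state. */
int policies_disagree(const struct ip_info_model *ip_info, int cap_net_admin)
{
    return set_ipv4root_allowed_as_coded(ip_info, cap_net_admin)
        != set_ipv4root_allowed_as_documented(ip_info, cap_net_admin);
}

/* Constructed sample states: one context already trapped in an ipv4root
 * (address 10.0.0.1 in host order, value chosen for illustration) and one
 * context that has no ipv4root yet. */
static struct ip_info_model trapped   = { { 0x0a000001u }, 1 };
static struct ip_info_model untrapped = { { 0u }, 0 };

int main(void)
{
    const struct { const char *name; const struct ip_info_model *st; } states[] = {
        { "no ip_info",  NULL },
        { "untrapped",   &untrapped },
        { "trapped",     &trapped },
    };
    printf("%-12s %-14s %-8s %-11s %s\n",
           "state", "CAP_NET_ADMIN", "coded", "documented", "differ");
    for (unsigned i = 0; i < sizeof states / sizeof states[0]; i++)
        for (int cap = 0; cap <= 1; cap++)
            printf("%-12s %-14d %-8d %-11d %d\n", states[i].name, cap,
                   set_ipv4root_allowed_as_coded(states[i].st, cap),
                   set_ipv4root_allowed_as_documented(states[i].st, cap),
                   policies_disagree(states[i].st, cap));
    return 0;
}
```

The table the program prints has exactly one row where the two columns differ: an already-trapped context whose caller holds CAP_NET_ADMIN. For every other state the quoted condition and the documented rule agree, which is why the question in the post comes down to whether CAP_NET_ADMIN is reachable from inside a trapped context at all, something the quoted fragment does not settle.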