1 |
Running a chroot jailed service in a chroot jailed VM...cool xD |
2 |
|
3 |
It's kind of redundant but I don't know if it's worthy. |
4 |
|
5 |
On 11/3/06, Antoine Martin <antoine@××××××××××.uk> wrote: |
6 |
> |
7 |
> -----BEGIN PGP SIGNED MESSAGE----- |
8 |
> Hash: SHA1 |
9 |
> |
10 |
> > <snip> |
11 |
> > |
12 |
> >> Nick[1] made a post about minimizing Gentoo a while back. |
13 |
> >> But that topic was mainly about the disk usage. |
14 |
> >> I suppose you would benefit from a system that uses the -Os flag to |
15 |
> Another useful approach is to use a custom disk image with just busybox |
16 |
> + the software to run/test. |
17 |
> |
18 |
> > Would a server in a VM actually be more secure than a server in a |
19 |
> > "hardened" chroot jail? |
20 |
> IMO yes, but since you can have both... |
21 |
> |
22 |
> > (though I'd guess that a hardened system would be the best basis for a |
23 |
> > server, VM or chroot; and the logical placement of a VM would be within |
24 |
> > a chroot jail?). |
25 |
> A properly configured VM running in a hardened chroot is going to be |
26 |
> (almost) impossible to escape. |
27 |
> |
28 |
> Note you can also contain your VMs with SELinux (both inside and out). |
29 |
> I've posted some pages on how to do this with UML here: |
30 |
> http://uml.nagafix.co.uk/SELinux/ |
31 |
> |
32 |
> Antoine |
33 |
> -----BEGIN PGP SIGNATURE----- |
34 |
> Version: GnuPG v1.4.5 (GNU/Linux) |
35 |
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
36 |
> |
37 |
> iD8DBQFFS3pBrTBrLRG7eDcRAhCcAKCD/WOug/w7B+GN8TsmABB5UQA0LQCeOG04 |
38 |
> MEZwfrAf9Ie/1WXWsU5gfeg= |
39 |
> =VVh9 |
40 |
> -----END PGP SIGNATURE----- |
41 |
> -- |
42 |
> gentoo-hardened@g.o mailing list |
43 |
> |
44 |
> |