Running a chroot jailed service in a chroot jailed VM...cool xD<br><br>It's kind of redundant but I don't know if it's worthy.<br><br><div><span class="gmail_quote">On 11/3/06, <b class="gmail_sendername">Antoine Martin</b>
 &lt;<a href="mailto:antoine@...">antoine@...</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">-----BEGIN PGP SIGNED MESSAGE-----
<br>Hash: SHA1<br><br>&gt; &lt;snip&gt;<br>&gt;<br>&gt;&gt; Nick[1] made a post about minimizing Gentoo a while back.<br>&gt;&gt; But that topic was mainly about the disk usage.<br>&gt;&gt; I suppose you would benefit from a system that uses the -Os flag to
<br>Another useful approach is to use a custom disk image with just busybox<br>+ the software to run/test.<br><br>&gt; Would a server in a VM actually be more secure than a server in a<br>&gt; &quot;hardened&quot; chroot jail?
<br>IMO yes, but since you can have both...<br><br>&gt; (though I'd guess that a hardened system would be the best basis for a<br>&gt; server, VM or chroot; and the logical placement of a VM would be within<br>&gt; a chroot jail?).
<br>A properly configured VM running in a hardened chroot is going to be<br>(almost) impossible to escape.<br><br>Note you can also contain your VMs with SELinux (both inside and out).<br>I've posted some pages on how to do this with UML here:
<br><a href="http://uml.nagafix.co.uk/SELinux/">http://uml.nagafix.co.uk/SELinux/</a><br><br>Antoine<br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.4.5 (GNU/Linux)<br>Comment: Using GnuPG with Mozilla - <a href="http://enigmail.mozdev.org">
http://enigmail.mozdev.org</a><br><br>iD8DBQFFS3pBrTBrLRG7eDcRAhCcAKCD/WOug/w7B+GN8TsmABB5UQA0LQCeOG04<br>MEZwfrAf9Ie/1WXWsU5gfeg=<br>=VVh9<br>-----END PGP SIGNATURE-----<br>--<br><a href="mailto:gentoo-hardened@g.o">
gentoo-hardened@g.o</a> mailing list<br><br></blockquote></div><br>