Re: file descriptor passing (jail related question)

Bill Davidsen (davidsen@tmr.com)
Mon, 29 Jul 2002 07:37:50 -0400 (EDT)


On 19 Jul 2002, Shaya Potter wrote:

> If it can be transmitted over IP, it's a much more serious issue, as all
> one has to do is crack a jail (root inside the jail), crack the local
> system (regular user) run a program that talks to the local system over
> ip, and have the cracked regular user pass a fd in.

But of course you would have no more access outside the jail than the
cracked user. I would expect connections into the jail to behave as if
they were on another machine, which would prevent fd passing. At least the
last time I played with fd passing it didn't work between machines; that
may have been a bug rather than a security feature, of course.

-- 
bill davidsen <davidsen@tmr.com>
  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.
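
An added example, not part of the original message: a C check of where descriptor passing actually works. It attaches a descriptor as SCM_RIGHTS ancillary data on an AF_UNIX socketpair and on a TCP connection over 127.0.0.1; on Linux the TCP socket ignores the SCM_RIGHTS control message, so only the data byte arrives. The helper names try_pass and pass_over are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Send one byte on tx with fd attached as SCM_RIGHTS, then read it on rx.
 * Returns 1 if a descriptor arrived, 0 if only the byte did, -1 on error. */
static int try_pass(int tx, int rx, int fd) {
    char byte = 'x';
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u = {{0}};
    struct iovec iov = { &byte, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    if (sendmsg(tx, &m, 0) != 1) return -1;
    m.msg_controllen = sizeof u.buf;     /* same header, now used to receive */
    if (recvmsg(rx, &m, 0) != 1) return -1;
    c = CMSG_FIRSTHDR(&m);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return 0;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    close(fd);                           /* the duplicate the kernel installed */
    return 1;
}

/* Build a connected pair, AF_UNIX socketpair or TCP over 127.0.0.1, and try it. */
int pass_over(int family) {
    int p[2] = { -1, -1 }, l = -1, r = -1;
    struct sockaddr_in a = { .sin_family = AF_INET,
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t n = sizeof a;
    if (family == AF_UNIX && socketpair(AF_UNIX, SOCK_STREAM, 0, p) < 0) return -1;
    if (family == AF_INET) {
        l = socket(AF_INET, SOCK_STREAM, 0);
        p[0] = socket(AF_INET, SOCK_STREAM, 0);
        if (bind(l, (void *)&a, n) == 0 && listen(l, 1) == 0 &&
            getsockname(l, (void *)&a, &n) == 0 && connect(p[0], (void *)&a, n) == 0)
            p[1] = accept(l, NULL, NULL);
    }
    if (p[0] >= 0 && p[1] >= 0) r = try_pass(p[0], p[1], p[0]);
    close(l); close(p[0]); close(p[1]);
    return r;
}

int main(void) {
    printf("AF_UNIX: %d  TCP loopback: %d\n", pass_over(AF_UNIX), pass_over(AF_INET));
}
```

A result of 1 means the receiver got a working duplicate of the descriptor; for a jail, the practical consequence is that the paths to audit are UNIX-domain sockets reachable from both sides of the boundary, not IP connections.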
