Hi! There is a new trivial ebuild for compartment in attachment, while compartment itself is a very interesting security tool for running privileged and/or network services in a compartment. This tool supports dropping privs to a user and/or group, chrooting and Linux Capabilities, plus initialization scripts.

    master:/SUSE/develop/compartment/compartment-1.1 # SuSE secure compartment v1.1
    Marc Heuse http://www.suse.de/~marc

    Syntax: ./compartment [options] /full/path/to/program

    Options:
      --chroot path   chroot to path
      --user user     change uid to this user
      --group group   change gid to this group
      --init program  execute this program/script before doing anything
      --cap capset    set capset name. This option can be used several times.
      --verbose       be verbose
      --quiet         do no logging (to syslog)
      --fork          fork (if everything is fine)

    Hints: always try to chroot; use --user&group if possible; chroot and
    chown all files to another user than root if you use capabilties.
    Read the README file!

    Known capset names: none CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
    CAP_FOWNER CAP_FSETID CAP_FS_MASK CAP_KILL CAP_SETGID CAP_SETUID
    CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST
    CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE
    CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN
    CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG
    (see linux/capability.h for more information)
    master:/SUSE/develop/compartment/compartment-1.1 #

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
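As an added example (not compartment's source, which is not on this page), this is the privilege-dropping sequence the --chroot, --user, --group and --cap options above describe, written in C against raw Linux syscalls so it needs no libcap; the capability name table is a constructed subset of the "Known capset names" list, and the user/group/path values in any call are assumed.

```c
/* Added example, not compartment's source: the steps a tool like
 * compartment performs for --chroot, --user, --group and --cap. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Constructed subset of the capset names from the help text, mapped to
 * the kernel constants in linux/capability.h (not the full list). */
static const struct { const char *name; int cap; } cap_table[] = {
    { "CAP_NET_BIND_SERVICE", CAP_NET_BIND_SERVICE },
    { "CAP_NET_RAW",          CAP_NET_RAW },
    { "CAP_SETUID",           CAP_SETUID },
    { "CAP_CHOWN",            CAP_CHOWN },
};

/* Build the bitmask for a list of --cap names. "none" adds nothing; an
 * unknown name returns -1 so a typo cannot silently keep capabilities. */
long cap_mask_from_names(const char *const *names, size_t n)
{
    long mask = 0;
    size_t tbl = sizeof cap_table / sizeof cap_table[0];
    for (size_t i = 0; i < n; i++) {
        if (strcmp(names[i], "none") == 0) continue;
        size_t j;
        for (j = 0; j < tbl && strcmp(names[i], cap_table[j].name); j++) {}
        if (j == tbl) return -1;
        mask |= 1L << cap_table[j].cap;
    }
    return mask;
}

/* Order matters: chroot then chdir("/") so the old cwd does not escape the
 * jail; keep caps across the uid change; drop groups and gid before uid
 * (both need privilege); then shrink permitted+effective to exactly `mask`.
 * Returns 0 or -errno. Must start as root. */
int compartment_apply(const char *root, uid_t uid, gid_t gid, long mask)
{
    if (root && (chroot(root) < 0 || chdir("/") < 0)) return -errno;
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -errno;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -errno;
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    data[0].permitted = data[0].effective = (unsigned)mask;
    data[1].permitted = data[1].effective = (unsigned)(mask >> 32);
    return syscall(SYS_capset, &hdr, data) < 0 ? -errno : 0;
}
```

Once `compartment_apply` has returned 0 the caller would execve() the target program; anything it opened before the chroot (log sockets, the --init script) has to be set up first, which is why the tool orders --init before the rest.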
Created attachment 11310: compartment e-build. I'd propose to place this ebuild in the portage/app-admin/ category.
Chances are I'll take this bug. I've written a lot of software like it, so I'll end up reviewing the source code and such before taking it on; however, I won't be able to jump into it for a week or so.
Hey, before I jump into this: do we have a few more people that would want to see this tool in portage?
I'd like to thank Sergey for the ebuild contribution; however, as nobody is speaking up for us to support this, I'm going to take the liberty and change the resolution to LATER.