2.6.1 Playing with /usr/sbin/chcontext
The /usr/sbin/chcontext utility is used to enter a new security context. The utility switches the security context and then executes a program specified on the command line. This program is now isolated and can't see the other processes running on the server.
To experiment with this, start two command windows (xterm) as the same user ID. In each window execute the following commands:
Using chcontext: first window
Using chcontext: second window
In the first window, you start the xterm command (or any command you like). In the second window you execute chcontext. This starts a new shell. You execute pstree and see very little. You attempt to kill the xterm and you fail. You exit this shell and you are back seeing all processes.
Here is another example. You switch context and you get a new shell. In this shell you start an xterm. Then you switch context again and start another sub-shell. Now the sub-shell is again isolated.
Using chcontext several times
Processes isolated using chcontext are doubly isolated: they can't see the other processes on the server, but the other processes can't see them either. The original security context (0), the one in use when you boot, is no better than the others: it sees only processes in security context 0.
While playing with chcontext, you will notice one exception. Process 1 is visible from every security context. It is visible so that utilities like pstree keep working. But only root processes in security context 0 are allowed to interact with it.
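The two-window experiment above, and the process 1 exception, can be checked from a single shell with the following script. It is an added example, not part of the original document or of the chcontext tool itself; it assumes a Linux system with /proc mounted, and it skips the in-context run when /usr/sbin/chcontext is not installed or cannot be run.

```shell
#!/bin/sh
# Added example: check what a shell can see and signal, outside and inside
# a chcontext security context. Assumes /proc is mounted; chcontext is
# optional (the in-context part is skipped when it is missing).

# PIDs visible to the caller: the numeric entries under /proc.
visible_pids() {
    for d in /proc/[0-9]*; do
        echo "${d#/proc/}"
    done
}

# Number of visible processes (what pstree "seeing very little" amounts to).
visible_count() {
    visible_pids | wc -l | tr -d ' '
}

# Succeeds if the process directory for the given PID is visible.
can_see_pid() {
    [ -d "/proc/$1" ]
}

# Succeeds if the caller may signal the PID (kill -0 sends no signal).
can_signal_pid() {
    kill -0 "$1" 2>/dev/null
}

# The two-window experiment in one shell: start a long-running process here
# (standing in for the xterm), then look for it from a new security context.
run_experiment() {
    sleep 300 &
    victim=$!
    echo "outside: $(visible_count) processes visible"
    can_see_pid "$victim" && echo "outside: victim $victim is visible"
    can_signal_pid "$victim" && echo "outside: victim $victim can be signalled"
    if command -v chcontext >/dev/null 2>&1; then
        # Same checks again, run by a shell inside a new security context.
        chcontext sh -c "
            echo \"inside: \$(ls -d /proc/[0-9]* | wc -l) processes visible\"
            [ -d /proc/$victim ] && echo 'inside: victim visible' || echo 'inside: victim hidden'
            kill -0 $victim 2>/dev/null && echo 'inside: can signal victim' || echo 'inside: cannot signal victim'
            [ -d /proc/1 ] && echo 'inside: process 1 still visible'
        " || echo "inside: chcontext run failed (root or the right privileges needed)"
    else
        echo "chcontext not installed; skipping the in-context run"
    fi
    kill "$victim" 2>/dev/null
}

run_experiment
```

Outside the context the victim is visible and can be signalled; inside a fresh context only the new shell's own processes and process 1 remain visible, and the kill attempt fails, matching the behaviour described above.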