From: "Lorenzo Hernández García-Hierro" <lorenzo@gnu.org>
To: Chris Wright <chrisw@osdl.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux-security-module@wirex.com"
	<linux-security-module@wirex.com>
Subject: Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing
Date: Tue, 08 Feb 2005 15:42:58 +0100
Message-ID: <1107873778.3754.271.camel@localhost.localdomain>
In-Reply-To: <20050207143427.B469@build.pdx.osdl.net>



On Mon, 07-02-2005 at 14:34 -0800, Chris Wright wrote:
> * Lorenzo Hernández García-Hierro (lorenzo@gnu.org) wrote:
> > Attached you can find a patch which adds a new hook for the sys_chroot()
> > syscall, and makes us able to add additional enforcing and security
> > checks by using the Linux Security Modules framework (ie. chdir
> > enforcing, etc).
> 
> If you want to make a change like this, collapse the
> capable(CAP_SYS_CHROOT) check behind this hook, no point having two
> outcalls from same call site.

Right, did it.
New patch attached and also available at:
http://pearls.tuxedo-es.org/patches/sys_chroot_lsm-hook-2.6.11-rc3.patch

>   What logic do you expect to put behind
> the chroot() hook?

For example a chdir() handling function as grsec does, and also any
other check that comes to mind.

Cheers and again thanks for the comments,
-- 
Lorenzo Hernández García-Hierro <lorenzo@gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]

[-- Attachment #1.2: sys_chroot_lsm-hook-2.6.11-rc3.patch --]
[-- Type: text/x-patch, Size: 2991 bytes --]

diff -Nur linux-2.6.11-rc3/fs/open.c linux-2.6.11-rc3.chroot-lsm/fs/open.c
--- linux-2.6.11-rc3/fs/open.c	2005-02-06 21:40:40.000000000 +0100
+++ linux-2.6.11-rc3.chroot-lsm/fs/open.c	2005-02-08 15:29:40.544611912 +0100
@@ -578,9 +578,9 @@
 	error = permission(nd.dentry->d_inode,MAY_EXEC,&nd);
 	if (error)
 		goto dput_and_out;
-
-	error = -EPERM;
-	if (!capable(CAP_SYS_CHROOT))
+		
+	error = security_chroot(&nd);
+	if (error)
 		goto dput_and_out;
 
 	set_fs_root(current->fs, nd.mnt, nd.dentry);
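Review bot: the blank line added at the top of this hunk (the `+` line right after `goto dput_and_out;`) contains only tabs, replacing a clean blank line from the original with whitespace-only content; drop the tabs. Otherwise the substitution does what was asked: the `error = -EPERM;` / `if (!capable(CAP_SYS_CHROOT))` pair becomes a single `security_chroot(&nd)` outcall, still placed after the `permission(..., MAY_EXEC, ...)` check so the hook only sees a directory the caller may already traverse, and any non-zero value the hook returns is propagated as the syscall's error.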
diff -Nur linux-2.6.11-rc3/include/linux/security.h linux-2.6.11-rc3.chroot-lsm/include/linux/security.h
--- linux-2.6.11-rc3/include/linux/security.h	2005-02-06 21:40:27.000000000 +0100
+++ linux-2.6.11-rc3.chroot-lsm/include/linux/security.h	2005-02-08 15:30:54.434378960 +0100
@@ -1008,6 +1008,10 @@
  *	@ts contains new time
  *	@tz contains new timezone
  *	Return 0 if permission is granted.
+ * @chroot:
+ *	Check permission to change the current root by sys_chroot() syscall.
+ *	@nd contains the nameidata struct passed by sys_chroot()
+ *	Return 0 if permission is granted.
  * @vm_enough_memory:
  *	Check permissions for allocating a new virtual mapping.
  *      @pages contains the number of pages.
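Review bot: the `@chroot` documentation should state that the default implementation enforces `capable(CAP_SYS_CHROOT)` and that a module supplying its own `chroot` hook takes over that check, because the capability test no longer lives in `sys_chroot()` itself. As written, "Return 0 if permission is granted" does not tell a module author that returning 0 without a capability check hands chroot() to unprivileged callers; one added sentence such as "The default implementation requires CAP_SYS_CHROOT; a module replacing it is responsible for that check" would close the gap.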
@@ -1040,6 +1044,7 @@
 	int (*acct) (struct file * file);
 	int (*sysctl) (struct ctl_table * table, int op);
 	int (*capable) (struct task_struct * tsk, int cap);
+	int (*chroot) (struct nameidata * nd);
 	int (*quotactl) (int cmds, int type, int id, struct super_block * sb);
 	int (*quota_on) (struct dentry * dentry);
 	int (*syslog) (int type);
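Review bot: the new `chroot` member is inserted after `capable`, whereas the documentation block above and the `set_to_dummy_if_null()` list in security/dummy.c both place it after `settime` and before `vm_enough_memory`. Move the member to sit between `settime` and `vm_enough_memory` so the documentation, the ops struct and the dummy table all keep the same order.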
@@ -1304,6 +1309,10 @@
 	return security_ops->settime(ts, tz);
 }
 
+static inline int security_chroot(struct nameidata *nd)
+{
+	return security_ops->chroot(nd);
+}
 
 static inline int security_vm_enough_memory(long pages)
 {
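Review bot: this CONFIG_SECURITY wrapper dispatches unconditionally to `security_ops->chroot`, so it depends on the `set_to_dummy_if_null(ops, chroot)` addition in security/dummy.c to guarantee the pointer is never NULL for modules that do not implement the hook; the two hunks must land together. The wrapper itself matches the neighbouring `security_settime()` / `security_vm_enough_memory()` style.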
@@ -1986,6 +1995,14 @@
 	return cap_settime(ts, tz);
 }
 
+static inline int security_chroot(struct nameidata *nd)
+{
+	if (!capable(CAP_SYS_CHROOT))
+		return -EPERM;
+	
+	return 0;
+}
+
 static inline int security_vm_enough_memory(long pages)
 {
 	return cap_vm_enough_memory(pages);
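Review bot: trailing whitespace on the blank line before `return 0;` (the `+` line that holds only a tab). The logic is right: with CONFIG_SECURITY disabled this inline reproduces exactly the `capable(CAP_SYS_CHROOT)` / `-EPERM` behaviour removed from fs/open.c, so non-LSM kernels see no change.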
diff -Nur linux-2.6.11-rc3/security/dummy.c linux-2.6.11-rc3.chroot-lsm/security/dummy.c
--- linux-2.6.11-rc3/security/dummy.c	2005-02-06 21:40:57.000000000 +0100
+++ linux-2.6.11-rc3.chroot-lsm/security/dummy.c	2005-02-08 15:29:55.034409128 +0100
@@ -101,6 +101,14 @@
 	return 0;
 }
 
+static int dummy_chroot(struct nameidata *nd)
+{
+	if (!capable(CAP_SYS_CHROOT))
+		return -EPERM;
+	
+	return 0;
+}
+
 static int dummy_settime(struct timespec *ts, struct timezone *tz)
 {
 	if (!capable(CAP_SYS_TIME))
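Review bot: the same whitespace-only blank line appears inside `dummy_chroot()`; clean it up. The body duplicates the !CONFIG_SECURITY inline from security.h, which is the convention this file already follows (compare `dummy_settime()` with its `CAP_SYS_TIME` check directly below), so the duplication is acceptable as long as the two are kept in sync.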
@@ -858,6 +866,7 @@
 	set_to_dummy_if_null(ops, sysctl);
 	set_to_dummy_if_null(ops, syslog);
 	set_to_dummy_if_null(ops, settime);
+	set_to_dummy_if_null(ops, chroot);
 	set_to_dummy_if_null(ops, vm_enough_memory);
 	set_to_dummy_if_null(ops, bprm_alloc_security);
 	set_to_dummy_if_null(ops, bprm_free_security);
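Review bot: this line is what makes the new hook safe to ship: without it, a module that does not define `chroot` would leave `security_ops->chroot` NULL and the inline `security_chroot()` wrapper would dereference it; with it, such modules inherit `dummy_chroot()` and therefore the CAP_SYS_CHROOT check that used to live in `sys_chroot()`. Placement after `settime` is consistent with the documentation hunk.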

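The following is an added user-space model of how the hook in this patch composes; it is not code from the patch, the kernel or grsecurity. It mirrors the three pieces the patch adds (an ops table with a `chroot` pointer, a `set_to_dummy_if_null()` fallback, and a dummy that enforces CAP_SYS_CHROOT) and adds a hypothetical module check, modelled on the chdir enforcement mentioned in the reply, that refuses chroot() unless the caller's working directory is already the new root. The `struct task`, `struct nameidata` stand-in, `capable()` and `try_chroot()` are assumptions made for the example; no real kernel API is called.

```c
/* Added example (not the kernel's or the patch author's code): a user-space
 * model of the sys_chroot() LSM hook dispatch.  The task context, the
 * nameidata stand-in and the "strict" policy are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same numeric value as linux/capability.h, used here only as a bit index. */
#define CAP_SYS_CHROOT 18

/* Hypothetical task context standing in for the current-> fields. */
struct task {
    unsigned long cap_effective;   /* bitmask of effective capabilities */
    char cwd[256];                 /* current working directory */
};

/* Stand-in for struct nameidata: only the resolved path matters here. */
struct nameidata {
    const char *path;
};

/* Only the member this patch adds is modelled. */
struct security_operations {
    int (*chroot)(struct task *tsk, struct nameidata *nd);
};

static bool capable(const struct task *tsk, int cap)
{
    return (tsk->cap_effective >> cap) & 1UL;
}

/* Mirrors dummy_chroot(): the default keeps the old capable(CAP_SYS_CHROOT)
 * behaviour, so nothing is lost when no module supplies a chroot hook. */
static int dummy_chroot(struct task *tsk, struct nameidata *nd)
{
    (void)nd;
    if (!capable(tsk, CAP_SYS_CHROOT))
        return -EPERM;
    return 0;
}

/* Hypothetical hardened module: a module that replaces the hook must repeat
 * the capability check itself, then may layer extra policy on top; here the
 * caller must already have chdir()ed into the directory it chroots to. */
static int strict_chroot(struct task *tsk, struct nameidata *nd)
{
    if (!capable(tsk, CAP_SYS_CHROOT))
        return -EPERM;
    if (strcmp(tsk->cwd, nd->path) != 0)
        return -EACCES;
    return 0;
}

/* Mirrors set_to_dummy_if_null(ops, chroot) from security/dummy.c. */
static void set_to_dummy_if_null(struct security_operations *ops)
{
    if (!ops->chroot)
        ops->chroot = dummy_chroot;
}

/* Mirrors the inline security_chroot() wrapper: one outcall from sys_chroot(). */
static int security_chroot(struct security_operations *ops, struct task *tsk,
                           struct nameidata *nd)
{
    return ops->chroot(tsk, nd);
}

/* Drive one chroot attempt through the hook and return what the syscall
 * would return: 0 on success, a negative errno on refusal. */
int try_chroot(bool strict_module, bool has_cap, const char *cwd,
               const char *target)
{
    struct security_operations ops = {
        .chroot = strict_module ? strict_chroot : NULL,
    };
    struct task tsk = {
        .cap_effective = has_cap ? (1UL << CAP_SYS_CHROOT) : 0UL,
    };
    struct nameidata nd = { .path = target };

    snprintf(tsk.cwd, sizeof tsk.cwd, "%s", cwd);
    set_to_dummy_if_null(&ops);   /* unset hook falls back to the dummy */
    return security_chroot(&ops, &tsk, &nd);
}

int main(void)
{
    printf("dummy, no cap:          %d\n", try_chroot(false, false, "/", "/jail"));
    printf("dummy, cap:             %d\n", try_chroot(false, true, "/", "/jail"));
    printf("strict, cap, wrong cwd: %d\n", try_chroot(true, true, "/", "/jail"));
    printf("strict, cap, in jail:   %d\n", try_chroot(true, true, "/jail", "/jail"));
    printf("strict, no cap:         %d\n", try_chroot(true, false, "/jail", "/jail"));
    return 0;
}
```

The point the model makes is the one raised against the documentation hunk: once the capability test moves behind the hook, the dummy is what preserves it for modules that leave `chroot` unset, and a module that does set the pointer owns that check entirely.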
