From: "Lorenzo Hernández García-Hierro" <lorenzo@gnu.org>
To: Chris Wright <chrisw@osdl.org>
Cc: linux-kernel@vger.kernel.org, linux-security-module@wirex.com
Subject: Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing
Date: Tue, 08 Feb 2005 15:42:58 +0100
Message-ID: <1107873778.3754.271.camel@localhost.localdomain>
In-Reply-To: <20050207143427.B469@build.pdx.osdl.net>

On Mon, 07-02-2005 at 14:34 -0800, Chris Wright wrote:
> * Lorenzo Hernández García-Hierro (lorenzo@gnu.org) wrote:
> > Attached you can find a patch which adds a new hook for the sys_chroot()
> > syscall, and makes us able to add additional enforcing and security
> > checks by using the Linux Security Modules framework (ie. chdir
> > enforcing, etc).
> 
> If you want to make a change like this, collapse the
> capable(CAP_SYS_CHROOT) check behind this hook, no point having two
> outcalls from same call site.

Right, did it.
New patch attached and also available at:
http://pearls.tuxedo-es.org/patches/sys_chroot_lsm-hook-2.6.11-rc3.patch

> What logic do you expect to put behind
> the chroot() hook?

For example, a chdir() handling function as grsec does, and also any
other check that comes to mind.

Cheers and again thanks for the comments,
-- 
Lorenzo Hernández García-Hierro <lorenzo@gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]

[-- Attachment #1.2: sys_chroot_lsm-hook-2.6.11-rc3.patch --]

diff -Nur linux-2.6.11-rc3/fs/open.c linux-2.6.11-rc3.chroot-lsm/fs/open.c
--- linux-2.6.11-rc3/fs/open.c	2005-02-06 21:40:40.000000000 +0100
+++ linux-2.6.11-rc3.chroot-lsm/fs/open.c	2005-02-08 15:29:40.544611912 +0100
@@ -578,9 +578,9 @@
 	error = permission(nd.dentry->d_inode,MAY_EXEC,&nd);
 	if (error)
 		goto dput_and_out;
-
-	error = -EPERM;
-	if (!capable(CAP_SYS_CHROOT))
+		
+	error = security_chroot(&nd);
+	if (error)
 		goto dput_and_out;
 
 	set_fs_root(current->fs, nd.mnt, nd.dentry);
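Review bot: with `error = -EPERM;` and `if (!capable(CAP_SYS_CHROOT))` removed from sys_chroot(), the CAP_SYS_CHROOT requirement now lives entirely in whichever module registers the chroot hook; a module that supplies its own hook and returns 0 without repeating that check (or falling through to the capability version) silently lets unprivileged callers change their root. That is the collapse Chris asked for, but the hook's documentation needs to state that obligation explicitly. Also, the line replacing the removed empty line is `+		` with two trailing tabs; make it an empty line.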
diff -Nur linux-2.6.11-rc3/include/linux/security.h linux-2.6.11-rc3.chroot-lsm/include/linux/security.h
--- linux-2.6.11-rc3/include/linux/security.h	2005-02-06 21:40:27.000000000 +0100
+++ linux-2.6.11-rc3.chroot-lsm/include/linux/security.h	2005-02-08 15:30:54.434378960 +0100
@@ -1008,6 +1008,10 @@
  *	@ts contains new time
  *	@tz contains new timezone
  *	Return 0 if permission is granted.
+ * @chroot:
+ *	Check permission to change the current root by sys_chroot() syscall.
+ *	@nd contains the nameidata struct passed by sys_chroot()
+ *	Return 0 if permission is granted.
  * @vm_enough_memory:
  *	Check permissions for allocating a new virtual mapping.
  *      @pages contains the number of pages.
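Review bot: the wording "by sys_chroot() syscall" should read "by the sys_chroot() syscall", and the description should record the preconditions visible at the call site: @nd has already been looked up and passed `permission(nd.dentry->d_inode,MAY_EXEC,&nd)`, and the hook is now responsible for the CAP_SYS_CHROOT check that sys_chroot() used to perform itself (compare the neighbouring @settime entry, which only says what is passed in). Suggest: "Check permission to change the current root by the sys_chroot() syscall. @nd contains the looked-up, search-permission-checked nameidata. Return 0 if permission is granted; the default (dummy) implementation requires CAP_SYS_CHROOT."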
@@ -1040,6 +1044,7 @@
 	int (*acct) (struct file * file);
 	int (*sysctl) (struct ctl_table * table, int op);
 	int (*capable) (struct task_struct * tsk, int cap);
+	int (*chroot) (struct nameidata * nd);
 	int (*quotactl) (int cmds, int type, int id, struct super_block * sb);
 	int (*quota_on) (struct dentry * dentry);
 	int (*syslog) (int type);
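Review bot: `int (*chroot) (struct nameidata * nd);` is inserted between capable and quotactl, while the documentation block, the inline wrappers in security.h and the set_to_dummy_if_null() registration all place chroot directly after settime; move the member after settime so the struct, its comment and the wrapper order stay aligned the way they are for the surrounding hooks.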
@@ -1304,6 +1309,10 @@
 	return security_ops->settime(ts, tz);
 }
 
+static inline int security_chroot(struct nameidata *nd)
+{
+	return security_ops->chroot(nd);
+}
 
 static inline int security_vm_enough_memory(long pages)
 {
@@ -1986,6 +1995,14 @@
 	return cap_settime(ts, tz);
 }
 
+static inline int security_chroot(struct nameidata *nd)
+{
+	if (!capable(CAP_SYS_CHROOT))
+		return -EPERM;
+	
+	return 0;
+}
+
 static inline int security_vm_enough_memory(long pages)
 {
 	return cap_vm_enough_memory(pages);
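Review bot: the !CONFIG_SECURITY stub open-codes `if (!capable(CAP_SYS_CHROOT)) return -EPERM;`, whereas the adjacent stubs delegate to commoncap (`return cap_settime(ts, tz);`, `return cap_vm_enough_memory(pages);`); a cap_chroot() in security/commoncap.c, called here and from dummy_chroot(), would keep a single copy of the check and give capability-based modules something to chain to. The blank line between the check and `return 0;` is `+	` with a trailing tab; make it empty.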
diff -Nur linux-2.6.11-rc3/security/dummy.c linux-2.6.11-rc3.chroot-lsm/security/dummy.c
--- linux-2.6.11-rc3/security/dummy.c	2005-02-06 21:40:57.000000000 +0100
+++ linux-2.6.11-rc3.chroot-lsm/security/dummy.c	2005-02-08 15:29:55.034409128 +0100
@@ -101,6 +101,14 @@
 	return 0;
 }
 
+static int dummy_chroot(struct nameidata *nd)
+{
+	if (!capable(CAP_SYS_CHROOT))
+		return -EPERM;
+	
+	return 0;
+}
+
 static int dummy_settime(struct timespec *ts, struct timezone *tz)
 {
 	if (!capable(CAP_SYS_TIME))
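Review bot: the blank line inside dummy_chroot() is `+	` with a trailing tab, same as the stub in security.h. The body is a verbatim copy of that stub, which is the second copy a shared cap_chroot() would remove. The `nd` argument is unused here, which is fine for the default policy, but a short comment saying the dummy ignores the target path would save the next reader a look.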
@@ -858,6 +866,7 @@
 	set_to_dummy_if_null(ops, sysctl);
 	set_to_dummy_if_null(ops, syslog);
 	set_to_dummy_if_null(ops, settime);
+	set_to_dummy_if_null(ops, chroot);
 	set_to_dummy_if_null(ops, vm_enough_memory);
 	set_to_dummy_if_null(ops, bprm_alloc_security);
 	set_to_dummy_if_null(ops, bprm_free_security);
