From: Christoph Hellwig <hch@infradead.org>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Andrew Morton <akpm@osdl.org>,
chrisw@osdl.org, linux-kernel@vger.kernel.org
Subject: Re: [patch 2/3] lsm: add bsdjail module
Date: Sun, 10 Oct 2004 11:41:13 +0100
Message-ID: <20041010104113.GC28456@infradead.org>
In-Reply-To: <20041007190157.GA3892@IBM-BWN8ZTBWA01.austin.ibm.com>
Your filesystem handling code is completely superfluous (and buggy). Please
remove all the code dealing with chroot-lookalikes. In your userland script
you simply have to clone(.., CLONE_NEWNS) to detach your namespace from your
parent, then you can lazily unmount all filesystems and set up your new namespace
before starting the jail. The added advantage is that you don't need any
kludges to keep the user from exiting the chroot.
> +#include <linux/ip.h>
> +#include <net/ipv6.h>
> +#include <linux/mount.h>
> +#include <asm/uaccess.h>
Please always include <asm/*.h> headers after <linux/*.h>
> +#include <linux/smp_lock.h>
I don't see you using the BKL anywhere.
>
>
>
>
> +#include <linux/kref.h>
Why that many blank lines?
> +static int jail_debug = 0;
no need to initialize to 0
> +MODULE_PARM(jail_debug, "i");
please use module_param
> +static int secondary = 0;
again no need to initialize.
> + char *ip4_addr_name; /* char * containing ip4 addr to use for jail */
> + char *ip6_addr_name; /* char * containing ip6 addr to use for jail */
How do you handle non-IP networking? This really needs to be handled
more generally.
> + /* won't let ourselves be removed until this jail goes away */
> + try_module_get(THIS_MODULE);
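Review bot: the return value of try_module_get() is discarded, so the promise in the comment above it ("won't let ourselves be removed until this jail goes away") is not actually enforced: if the module is already being unloaded the call fails and the jail is created with no reference held. Since this code is running inside the module itself (the caller already holds it), take the reference unconditionally with `__module_get(THIS_MODULE);` and pair it with a module_put() where the jail structure is freed.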
must be __module_get
> +/*
> + * LSM /proc/<pid>/attr hooks.
> + * You may write into /proc/<pid>/attr/exec:
> + * root /some/path
> + * ip 2.2.2.2
> + * These values will be used on the next exec() to set up your jail
> + * (assuming you're not already in a jail)
That's a really awkward interface.
> +jail_file_send_sigiotask(struct task_struct *tsk, struct fown_struct *fown,
> + int fd, int reason)
> +{
> + struct file *file;
> + struct jail_struct *tsec, *fsec;
> +
> + if (!in_jail(current))
> + return 0;
> +
> + file = (struct file *) ((long)fown - offsetof(struct file, f_owner));
bah. Please use container_of or better get lsm folks to just pass you
a struct file *
> +jail_proc_inode_permission(struct inode *inode, int mask,
> + struct nameidata *nd)
> +{
> + struct jail_struct *tsec = current->security;
> + struct dentry *dentry = nd->dentry;
> + unsigned pid;
> +
> + pid = name_to_int(dentry);
> + if (pid == ~0U) {
> + struct qstr *dname = &dentry->d_name;
> + if (strcmp(dname->name, "scsi") == 0 ||
> + strcmp(dname->name, "sys") == 0 ||
> + strcmp(dname->name, "ide") == 0)
> + return -EPERM;
> + return 0;
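Review bot: `struct dentry *dentry = nd->dentry;` dereferences nd before anything checks it, but the inode_permission hook is also reached with nd == NULL (permission() callers that have no nameidata), so this will oops; add `if (!nd) return 0;` or obtain the dentry some other way before using it. The filter then keys on d_name alone, never on the parent being the /proc root, so a proc entry called "sys", "scsi" or "ide" at any depth is refused, and `mask` is ignored, so even a read-only lookup is denied; compare dentry->d_parent against the proc root and honour mask if this check stays at all. `tsec` is assigned from current->security but is unused in the visible lines.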
oh, please. Don't submit such crap.
If you want to disable sysctl access do it on the sysctl, not procfs level.
And disabling access to /proc/ide and /proc/scsi as two very special cases
(what about /proc/md, /proc/cciss or /proc/cpqarray?) is totally bollocks;
if they allow hardware interaction without checking for capabilities
fix them in the driver code.
This half-aided security by obscurity crap _is_ going to bite later on.
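The userland approach described at the top of this reply, as an added example that is not code from the thread or from the bsdjail patch: a launcher that clones with CLONE_NEWNS, lazily detaches every mount the child inherited, and then execs a jail init given on the command line. The jail init path, the 64 KB child stack and the mounts-listing parser are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Collect the mount point (2nd field) of every line of a writable
 * /proc/self/mounts listing, skipping "/" and malformed lines. Pure, so it
 * can be checked on a constructed listing. Returns the number collected. */
static int plan_detach(char *mounts, char out[][256], int max)
{
    int n = 0;
    for (char *l = strtok(mounts, "\n"); l && n < max; l = strtok(NULL, "\n")) {
        char mp[256];
        if (sscanf(l, "%*s %255s", mp) == 1 && strcmp(mp, "/") != 0)
            strcpy(out[n++], mp);
    }
    return n;
}

/* Child side of clone(CLONE_NEWNS): the mount table is now private, so
 * lazily detach everything inherited from the parent, then exec the jail's
 * init. Jail-specific mounts would be added between those two steps. */
static int jail_child(void *arg)
{
    char **argv = arg, buf[8192], mps[64][256];
    FILE *f = fopen("/proc/self/mounts", "r");
    size_t len = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[len] = '\0';
    int n = plan_detach(buf, mps, 64);
    for (int i = n - 1; i >= 0; i--)        /* deepest mounts are listed last */
        if (umount2(mps[i], MNT_DETACH) < 0 && errno != EINVAL)
            perror(mps[i]);                 /* not fatal: keep detaching */
    execv(argv[0], argv);
    perror("execv");
    return 127;
}

int main(int argc, char **argv)
{
    static char stack[64 * 1024];           /* clone() needs a separate child stack */
    if (argc < 2) return fprintf(stderr, "usage: %s /jail/init [args]\n", argv[0]), 2;
    pid_t pid = clone(jail_child, stack + sizeof stack, CLONE_NEWNS | SIGCHLD, argv + 1);
    if (pid < 0) return perror("clone(CLONE_NEWNS) needs CAP_SYS_ADMIN"), 1;
    int status;
    return waitpid(pid, &status, 0) == pid && WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Only the child's namespace changes, so the parent's mount table is untouched and nothing in the jail can walk back out of a root it has never seen mounted.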