'Re: [PATCH] sys_chroot() hook for additional chroot() jails'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-security-module
Subject:    Re: [PATCH] sys_chroot() hook for additional chroot() jails
From:       Lorenzo =?ISO-8859-1?Q?Hern=E1ndez_?= =?ISO-8859-1?Q?Garc=EDa-Hierro?= <lorenzo
Date:       2005-02-08 14:42:58
Message-ID: 1107873778.3754.271.camel () localhost ! localdomain
[Download RAW message or body]

[Attachment #2 (multipart/mixed)]


El lun, 07-02-2005 a las 14:34 -0800, Chris Wright escribió:
> * Lorenzo Hernández García-Hierro (lorenzo@gnu.org) wrote:
> > Attached you can find a patch which adds a new hook for the sys_chroot()
> > syscall, and makes us able to add additional enforcing and security
> > checks by using the Linux Security Modules framework (ie. chdir
> > enforcing, etc).
> 
> If you want to make a change like this, collapse the
> capable(CAP_SYS_CHROOT) check behind this hook, no point having two
> outcalls from same call site.

Right, did it.
New patch attached and also available at:
http://pearls.tuxedo-es.org/patches/sys_chroot_lsm-hook-2.6.11-rc3.patch

>   What logic do you expect to put behind
> the chroot() hook?

For example a chdir() handling function as grsec does, and also any
other check that comes up to mind.

Cheers and again thanks for the comments,
-- 
Lorenzo Hernández García-Hierro <lorenzo@gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]

["sys_chroot_lsm-hook-2.6.11-rc3.patch" (sys_chroot_lsm-hook-2.6.11-rc3.patch)]

diff -Nur linux-2.6.11-rc3/fs/open.c linux-2.6.11-rc3.chroot-lsm/fs/open.c
--- linux-2.6.11-rc3/fs/open.c	2005-02-06 21:40:40.000000000 +0100
+++ linux-2.6.11-rc3.chroot-lsm/fs/open.c	2005-02-08 15:29:40.544611912 +0100
@@ -578,9 +578,9 @@
 	error = permission(nd.dentry->d_inode,MAY_EXEC,&nd);
 	if (error)
 		goto dput_and_out;
-
-	error = -EPERM;
-	if (!capable(CAP_SYS_CHROOT))
+		
+	error = security_chroot(&nd);
+	if (error)
 		goto dput_and_out;
 
 	set_fs_root(current->fs, nd.mnt, nd.dentry);
diff -Nur linux-2.6.11-rc3/include/linux/security.h linux-2.6.11-rc3.chroot-lsm/include/linux/security.h
--- linux-2.6.11-rc3/include/linux/security.h	2005-02-06 21:40:27.000000000 +0100
+++ linux-2.6.11-rc3.chroot-lsm/include/linux/security.h	2005-02-08 15:30:54.434378960 +0100
@@ -1008,6 +1008,10 @@
  *	@ts contains new time
  *	@tz contains new timezone
  *	Return 0 if permission is granted.
+ * @chroot:
+ *	Check permission to change the current root by sys_chroot() syscall.
+ *	@nd contains the nameidata struct passed by sys_chroot()
+ *	Return 0 if permission is granted.
  * @vm_enough_memory:
  *	Check permissions for allocating a new virtual mapping.
  *      @pages contains the number of pages.
@@ -1040,6 +1044,7 @@
 	int (*acct) (struct file * file);
 	int (*sysctl) (struct ctl_table * table, int op);
 	int (*capable) (struct task_struct * tsk, int cap);
+	int (*chroot) (struct nameidata * nd);
 	int (*quotactl) (int cmds, int type, int id, struct super_block * sb);
 	int (*quota_on) (struct dentry * dentry);
 	int (*syslog) (int type);
@@ -1304,6 +1309,10 @@
 	return security_ops->settime(ts, tz);
 }
 
+static inline int security_chroot(struct nameidata *nd)
+{
+	return security_ops->chroot(nd);
+}
 
 static inline int security_vm_enough_memory(long pages)
 {
@@ -1986,6 +1995,14 @@
 	return cap_settime(ts, tz);
 }
 
+static inline int security_chroot(struct nameidata *nd)
+{
+	if (!capable(CAP_SYS_CHROOT))
+		return -EPERM;
+	
+	return 0;
+}
+
 static inline int security_vm_enough_memory(long pages)
 {
 	return cap_vm_enough_memory(pages);
diff -Nur linux-2.6.11-rc3/security/dummy.c linux-2.6.11-rc3.chroot-lsm/security/dummy.c
--- linux-2.6.11-rc3/security/dummy.c	2005-02-06 21:40:57.000000000 +0100
+++ linux-2.6.11-rc3.chroot-lsm/security/dummy.c	2005-02-08 15:29:55.034409128 +0100
@@ -101,6 +101,14 @@
 	return 0;
 }
 
+static int dummy_chroot(struct nameidata *nd)
+{
+	if (!capable(CAP_SYS_CHROOT))
+		return -EPERM;
+	
+	return 0;
+}
+
 static int dummy_settime(struct timespec *ts, struct timezone *tz)
 {
 	if (!capable(CAP_SYS_TIME))
@@ -858,6 +866,7 @@
 	set_to_dummy_if_null(ops, sysctl);
 	set_to_dummy_if_null(ops, syslog);
 	set_to_dummy_if_null(ops, settime);
+	set_to_dummy_if_null(ops, chroot);
 	set_to_dummy_if_null(ops, vm_enough_memory);
 	set_to_dummy_if_null(ops, bprm_alloc_security);
 	set_to_dummy_if_null(ops, bprm_free_security);

["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic