This patch allows pathname based LSM modules to check chroot() operations.
This hook is used by TOMOYO.
Signed-off-by: Tetsuo Handa <[email protected]>
---
fs/open.c | 3 +++
include/linux/security.h | 11 +++++++++++
security/capability.c | 6 ++++++
security/security.c | 5 +++++
4 files changed, 25 insertions(+)
--- security-testing-2.6.orig/fs/open.c
+++ security-testing-2.6/fs/open.c
@@ -587,6 +587,9 @@ SYSCALL_DEFINE1(chroot, const char __use
error = -EPERM;
if (!capable(CAP_SYS_CHROOT))
goto dput_and_out;
+ error = security_path_chroot(&path);
+ if (error)
+ goto dput_and_out;
set_fs_root(current->fs, &path);
error = 0;
--- security-testing-2.6.orig/include/linux/security.h
+++ security-testing-2.6/include/linux/security.h
@@ -459,6 +459,10 @@ static inline void security_free_mnt_opt
* @uid contains new owner's ID.
* @gid contains new group's ID.
* Return 0 if permission is granted.
+ * @path_chroot:
+ * Check for permission to change root directory.
+ * @path contains the path structure.
+ * Return 0 if permission is granted.
* @inode_readlink:
* Check the permission to read the symbolic link.
* @dentry contains the dentry structure for the file link.
@@ -1503,6 +1507,7 @@ struct security_operations {
int (*path_chmod) (struct dentry *dentry, struct vfsmount *mnt,
mode_t mode);
int (*path_chown) (struct path *path, uid_t uid, gid_t gid);
+ int (*path_chroot) (struct path *path);
#endif
int (*inode_alloc_security) (struct inode *inode);
@@ -2970,6 +2975,7 @@ int security_path_rename(struct path *ol
int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
mode_t mode);
int security_path_chown(struct path *path, uid_t uid, gid_t gid);
+int security_path_chroot(struct path *path);
#else /* CONFIG_SECURITY_PATH */
static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
{
@@ -3031,6 +3037,11 @@ static inline int security_path_chown(st
{
return 0;
}
+
+static inline int security_path_chroot(struct path *path)
+{
+ return 0;
+}
#endif /* CONFIG_SECURITY_PATH */
#ifdef CONFIG_KEYS
--- security-testing-2.6.orig/security/capability.c
+++ security-testing-2.6/security/capability.c
@@ -319,6 +319,11 @@ static int cap_path_chown(struct path *p
{
return 0;
}
+
+static int cap_path_chroot(struct path *root)
+{
+ return 0;
+}
#endif
static int cap_file_permission(struct file *file, int mask)
@@ -990,6 +995,7 @@ void security_fixup_ops(struct security_
set_to_cap_if_null(ops, path_truncate);
set_to_cap_if_null(ops, path_chmod);
set_to_cap_if_null(ops, path_chown);
+ set_to_cap_if_null(ops, path_chroot);
#endif
set_to_cap_if_null(ops, file_permission);
set_to_cap_if_null(ops, file_alloc_security);
--- security-testing-2.6.orig/security/security.c
+++ security-testing-2.6/security/security.c
@@ -449,6 +449,11 @@ int security_path_chown(struct path *pat
return 0;
return security_ops->path_chown(path, uid, gid);
}
+
+int security_path_chroot(struct path *path)
+{
+ return security_ops->path_chroot(path);
+}
#endif
int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
--
Tetsuo Handa wrote:
> This patch allows pathname based LSM modules to check chroot() operations.
>
> This hook is used by TOMOYO.
Looks good, and AppArmor would use this as well.
Quoting Tetsuo Handa ([email protected]):
> This patch allows pathname based LSM modules to check chroot() operations.
>
> This hook is used by TOMOYO.
>
> Signed-off-by: Tetsuo Handa <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
> ---
> fs/open.c | 3 +++
> include/linux/security.h | 11 +++++++++++
> security/capability.c | 6 ++++++
> security/security.c | 5 +++++
> 4 files changed, 25 insertions(+)
>
> --- security-testing-2.6.orig/fs/open.c
> +++ security-testing-2.6/fs/open.c
> @@ -587,6 +587,9 @@ SYSCALL_DEFINE1(chroot, const char __use
> error = -EPERM;
> if (!capable(CAP_SYS_CHROOT))
> goto dput_and_out;
> + error = security_path_chroot(&path);
> + if (error)
> + goto dput_and_out;
>
> set_fs_root(current->fs, &path);
> error = 0;
> --- security-testing-2.6.orig/include/linux/security.h
> +++ security-testing-2.6/include/linux/security.h
> @@ -459,6 +459,10 @@ static inline void security_free_mnt_opt
> * @uid contains new owner's ID.
> * @gid contains new group's ID.
> * Return 0 if permission is granted.
> + * @path_chroot:
> + * Check for permission to change root directory.
> + * @path contains the path structure.
> + * Return 0 if permission is granted.
> * @inode_readlink:
> * Check the permission to read the symbolic link.
> * @dentry contains the dentry structure for the file link.
> @@ -1503,6 +1507,7 @@ struct security_operations {
> int (*path_chmod) (struct dentry *dentry, struct vfsmount *mnt,
> mode_t mode);
> int (*path_chown) (struct path *path, uid_t uid, gid_t gid);
> + int (*path_chroot) (struct path *path);
> #endif
>
> int (*inode_alloc_security) (struct inode *inode);
> @@ -2970,6 +2975,7 @@ int security_path_rename(struct path *ol
> int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
> mode_t mode);
> int security_path_chown(struct path *path, uid_t uid, gid_t gid);
> +int security_path_chroot(struct path *path);
> #else /* CONFIG_SECURITY_PATH */
> static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
> {
> @@ -3031,6 +3037,11 @@ static inline int security_path_chown(st
> {
> return 0;
> }
> +
> +static inline int security_path_chroot(struct path *path)
> +{
> + return 0;
> +}
> #endif /* CONFIG_SECURITY_PATH */
>
> #ifdef CONFIG_KEYS
> --- security-testing-2.6.orig/security/capability.c
> +++ security-testing-2.6/security/capability.c
> @@ -319,6 +319,11 @@ static int cap_path_chown(struct path *p
> {
> return 0;
> }
> +
> +static int cap_path_chroot(struct path *root)
> +{
> + return 0;
> +}
> #endif
>
> static int cap_file_permission(struct file *file, int mask)
> @@ -990,6 +995,7 @@ void security_fixup_ops(struct security_
> set_to_cap_if_null(ops, path_truncate);
> set_to_cap_if_null(ops, path_chmod);
> set_to_cap_if_null(ops, path_chown);
> + set_to_cap_if_null(ops, path_chroot);
> #endif
> set_to_cap_if_null(ops, file_permission);
> set_to_cap_if_null(ops, file_alloc_security);
> --- security-testing-2.6.orig/security/security.c
> +++ security-testing-2.6/security/security.c
> @@ -449,6 +449,11 @@ int security_path_chown(struct path *pat
> return 0;
> return security_ops->path_chown(path, uid, gid);
> }
> +
> +int security_path_chroot(struct path *path)
> +{
> + return security_ops->path_chroot(path);
> +}
> #endif
>
> int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
>
> --
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html