Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261227AbVBGWRe (ORCPT ); Mon, 7 Feb 2005 17:17:34 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261223AbVBGWRe (ORCPT ); Mon, 7 Feb 2005 17:17:34 -0500 Received: from vds-320151.amen-pro.com ([62.193.204.86]:23479 "EHLO vds-320151.amen-pro.com") by vger.kernel.org with ESMTP id S261227AbVBGWRQ (ORCPT ); Mon, 7 Feb 2005 17:17:16 -0500 Subject: [PATCH] sys_chroot() hook for additional chroot() jails enforcing From: Lorenzo =?ISO-8859-1?Q?Hern=E1ndez_?= =?ISO-8859-1?Q?Garc=EDa-Hierro?= To: "linux-kernel@vger.kernel.org" , "linux-security-module@wirex.com" Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-adkm2rkVMfVdsy50OTcQ" Date: Mon, 07 Feb 2005 23:16:50 +0100 Message-Id: <1107814610.3754.260.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.0.2 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 6234 Lines: 122 --=-adkm2rkVMfVdsy50OTcQ Content-Type: multipart/mixed; boundary="=-37UDQVEvQZ+UYrf9ShmE" --=-37UDQVEvQZ+UYrf9ShmE Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi, Attached you can find a patch which adds a new hook for the sys_chroot() syscall, and makes us able to add additional enforcing and security checks by using the Linux Security Modules framework (ie. chdir enforcing, etc). Current user of the hook is the forthcoming 0.2 revision of vSecurity. With it, and used within an LSM module, we can achieve the goal of enforcing and apply some hardening to the sys_chroot() syscall. Even if chroot jails are broken by design, in terms of security, with a few changes to their base and some syscalls that it relies with, we can achieve the goal of preventing some of the already known attacks against them. I will make available some patches for other syscalls as well (sys_fchmod(), sys_chmod(), ...), that will add a few more hooks to the LSM framework, in the hope that they will be useful. The patch can be retrieved too from: http://pearls.tuxedo-es.org/patches/sys_chroot_lsm-hook-2.6.11-rc3.patch Thanks in advance, and, again, I will appreciate any suggestions on which hooks are good candidates to be added. Feel free to edit tuxedo-es.org wiki at http://wiki.tuxedo-es.org/LSM and put suggestions & comments there. Cheers, --=20 Lorenzo Hern=E1ndez Garc=EDa-Hierro =20 [1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org] --=-37UDQVEvQZ+UYrf9ShmE Content-Disposition: attachment; filename=sys_chroot_lsm-hook-2.6.11-rc3.patch Content-Transfer-Encoding: base64 Content-Type: text/x-patch; name=sys_chroot_lsm-hook-2.6.11-rc3.patch; charset=ISO-8859-1 ZGlmZiAtTnVyIGxpbnV4LTIuNi4xMS1yYzMvZnMvb3Blbi5jIGxpbnV4LTIuNi4xMS1yYzMuY2hy b290LWxzbS9mcy9vcGVuLmMNCi0tLSBsaW51eC0yLjYuMTEtcmMzL2ZzL29wZW4uYwkyMDA1LTAy LTA2IDIxOjQwOjQwLjAwMDAwMDAwMCArMDEwMA0KKysrIGxpbnV4LTIuNi4xMS1yYzMuY2hyb290 LWxzbS9mcy9vcGVuLmMJMjAwNS0wMi0wNyAyMTo0Mjo0NS4wMDAwMDAwMDAgKzAxMDANCkBAIC01 ODIsNiArNTgyLDEwIEBADQogCWVycm9yID0gLUVQRVJNOw0KIAlpZiAoIWNhcGFibGUoQ0FQX1NZ U19DSFJPT1QpKQ0KIAkJZ290byBkcHV0X2FuZF9vdXQ7DQorCQkNCisJZXJyb3IgPSBzZWN1cml0 eV9jaHJvb3QoJm5kKTsNCisJaWYgKGVycm9yKQ0KKwkJZ290byBkcHV0X2FuZF9vdXQ7DQogDQog CXNldF9mc19yb290KGN1cnJlbnQtPmZzLCBuZC5tbnQsIG5kLmRlbnRyeSk7DQogCXNldF9mc19h bHRyb290KCk7DQpkaWZmIC1OdXIgbGludXgtMi42LjExLXJjMy9pbmNsdWRlL2xpbnV4L3NlY3Vy aXR5LmggbGludXgtMi42LjExLXJjMy5jaHJvb3QtbHNtL2luY2x1ZGUvbGludXgvc2VjdXJpdHku aA0KLS0tIGxpbnV4LTIuNi4xMS1yYzMvaW5jbHVkZS9saW51eC9zZWN1cml0eS5oCTIwMDUtMDIt MDYgMjE6NDA6MjcuMDAwMDAwMDAwICswMTAwDQorKysgbGludXgtMi42LjExLXJjMy5jaHJvb3Qt bHNtL2luY2x1ZGUvbGludXgvc2VjdXJpdHkuaAkyMDA1LTAyLTA3IDIxOjEwOjA1LjAwMDAwMDAw MCArMDEwMA0KQEAgLTEwMDgsNiArMTAwOCwxMCBAQA0KICAqCUB0cyBjb250YWlucyBuZXcgdGlt ZQ0KICAqCUB0eiBjb250YWlucyBuZXcgdGltZXpvbmUNCiAgKglSZXR1cm4gMCBpZiBwZXJtaXNz aW9uIGlzIGdyYW50ZWQuDQorICogQGNocm9vdDoNCisgKglDaGVjayBwZXJtaXNzaW9uIHRvIGNo YW5nZSB0aGUgY3VycmVudCByb290IGJ5IHN5c19jaHJvb3QoKSBzeXNjYWxsLg0KKyAqCUBuZCBj b250YWlucyB0aGUgbmFtZWlkYXRhIHN0cnVjdCBwYXNzZWQgYnkgc3lzX2Nocm9vdCgpDQorICoJ UmV0dXJuIDAgaWYgcGVybWlzc2lvbiBpcyBncmFudGVkLg0KICAqIEB2bV9lbm91Z2hfbWVtb3J5 Og0KICAqCUNoZWNrIHBlcm1pc3Npb25zIGZvciBhbGxvY2F0aW5nIGEgbmV3IHZpcnR1YWwgbWFw cGluZy4NCiAgKiAgICAgIEBwYWdlcyBjb250YWlucyB0aGUgbnVtYmVyIG9mIHBhZ2VzLg0KQEAg LTEwNDAsNiArMTA0NCw3IEBADQogCWludCAoKmFjY3QpIChzdHJ1Y3QgZmlsZSAqIGZpbGUpOw0K IAlpbnQgKCpzeXNjdGwpIChzdHJ1Y3QgY3RsX3RhYmxlICogdGFibGUsIGludCBvcCk7DQogCWlu dCAoKmNhcGFibGUpIChzdHJ1Y3QgdGFza19zdHJ1Y3QgKiB0c2ssIGludCBjYXApOw0KKwlpbnQg KCpjaHJvb3QpIChzdHJ1Y3QgbmFtZWlkYXRhICogbmQpOw0KIAlpbnQgKCpxdW90YWN0bCkgKGlu dCBjbWRzLCBpbnQgdHlwZSwgaW50IGlkLCBzdHJ1Y3Qgc3VwZXJfYmxvY2sgKiBzYik7DQogCWlu dCAoKnF1b3RhX29uKSAoc3RydWN0IGRlbnRyeSAqIGRlbnRyeSk7DQogCWludCAoKnN5c2xvZykg KGludCB0eXBlKTsNCkBAIC0xMzA0LDYgKzEzMDksMTAgQEANCiAJcmV0dXJuIHNlY3VyaXR5X29w cy0+c2V0dGltZSh0cywgdHopOw0KIH0NCiANCitzdGF0aWMgaW5saW5lIGludCBzZWN1cml0eV9j aHJvb3Qoc3RydWN0IG5hbWVpZGF0YSAqbmQpDQorew0KKwlyZXR1cm4gc2VjdXJpdHlfb3BzLT5j aHJvb3QobmQpOw0KK30NCiANCiBzdGF0aWMgaW5saW5lIGludCBzZWN1cml0eV92bV9lbm91Z2hf bWVtb3J5KGxvbmcgcGFnZXMpDQogew0KQEAgLTE5ODYsNiArMTk5NSwxMSBAQA0KIAlyZXR1cm4g Y2FwX3NldHRpbWUodHMsIHR6KTsNCiB9DQogDQorc3RhdGljIGlubGluZSBpbnQgc2VjdXJpdHlf Y2hyb290KHN0cnVjdCBuYW1laWRhdGEgKm5kKQ0KK3sNCisJcmV0dXJuIDA7DQorfQ0KKw0KIHN0 YXRpYyBpbmxpbmUgaW50IHNlY3VyaXR5X3ZtX2Vub3VnaF9tZW1vcnkobG9uZyBwYWdlcykNCiB7 DQogCXJldHVybiBjYXBfdm1fZW5vdWdoX21lbW9yeShwYWdlcyk7DQpkaWZmIC1OdXIgbGludXgt Mi42LjExLXJjMy9zZWN1cml0eS9kdW1teS5jIGxpbnV4LTIuNi4xMS1yYzMuY2hyb290LWxzbS9z ZWN1cml0eS9kdW1teS5jDQotLS0gbGludXgtMi42LjExLXJjMy9zZWN1cml0eS9kdW1teS5jCTIw MDUtMDItMDYgMjE6NDA6NTcuMDAwMDAwMDAwICswMTAwDQorKysgbGludXgtMi42LjExLXJjMy5j aHJvb3QtbHNtL3NlY3VyaXR5L2R1bW15LmMJMjAwNS0wMi0wNyAyMToxMjowMS4wMDAwMDAwMDAg KzAxMDANCkBAIC0xMDEsNiArMTAxLDExIEBADQogCXJldHVybiAwOw0KIH0NCiANCitzdGF0aWMg aW50IGR1bW15X2Nocm9vdChzdHJ1Y3QgbmFtZWlkYXRhICpuZCkNCit7DQorCXJldHVybiAwOw0K K30NCisNCiBzdGF0aWMgaW50IGR1bW15X3NldHRpbWUoc3RydWN0IHRpbWVzcGVjICp0cywgc3Ry dWN0IHRpbWV6b25lICp0eikNCiB7DQogCWlmICghY2FwYWJsZShDQVBfU1lTX1RJTUUpKQ0KQEAg LTg1OCw2ICs4NjMsNyBAQA0KIAlzZXRfdG9fZHVtbXlfaWZfbnVsbChvcHMsIHN5c2N0bCk7DQog CXNldF90b19kdW1teV9pZl9udWxsKG9wcywgc3lzbG9nKTsNCiAJc2V0X3RvX2R1bW15X2lmX251 bGwob3BzLCBzZXR0aW1lKTsNCisJc2V0X3RvX2R1bW15X2lmX251bGwob3BzLCBjaHJvb3QpOw0K IAlzZXRfdG9fZHVtbXlfaWZfbnVsbChvcHMsIHZtX2Vub3VnaF9tZW1vcnkpOw0KIAlzZXRfdG9f ZHVtbXlfaWZfbnVsbChvcHMsIGJwcm1fYWxsb2Nfc2VjdXJpdHkpOw0KIAlzZXRfdG9fZHVtbXlf aWZfbnVsbChvcHMsIGJwcm1fZnJlZV9zZWN1cml0eSk7DQo= --=-37UDQVEvQZ+UYrf9ShmE-- --=-adkm2rkVMfVdsy50OTcQ Content-Type: application/pgp-signature; name=signature.asc Content-Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQBCB+jSDcEopW8rLewRAvAfAJ0WemgK9MMEEpIPP3JDftEotQfTvgCeJjLE m07Wf+U/nw4jwf1iMKiPdm0= =gBSw -----END PGP SIGNATURE----- --=-adkm2rkVMfVdsy50OTcQ-- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/