Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261541AbVBHOni (ORCPT ); Tue, 8 Feb 2005 09:43:38 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261548AbVBHOni (ORCPT ); Tue, 8 Feb 2005 09:43:38 -0500 Received: from vds-320151.amen-pro.com ([62.193.204.86]:38048 "EHLO vds-320151.amen-pro.com") by vger.kernel.org with ESMTP id S261541AbVBHOn3 (ORCPT ); Tue, 8 Feb 2005 09:43:29 -0500 Subject: Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing From: Lorenzo =?ISO-8859-1?Q?Hern=E1ndez_?= =?ISO-8859-1?Q?Garc=EDa-Hierro?= To: Chris Wright Cc: "linux-kernel@vger.kernel.org" , "linux-security-module@wirex.com" In-Reply-To: <20050207143427.B469@build.pdx.osdl.net> References: <1107814610.3754.260.camel@localhost.localdomain> <20050207143427.B469@build.pdx.osdl.net> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-s0auQ+lKUs98ctDdBe0Q" Date: Tue, 08 Feb 2005 15:42:58 +0100 Message-Id: <1107873778.3754.271.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.0.2 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 6142 Lines: 119 --=-s0auQ+lKUs98ctDdBe0Q Content-Type: multipart/mixed; boundary="=-DQhcbBABtNaQr2Gk5r8W" --=-DQhcbBABtNaQr2Gk5r8W Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable El lun, 07-02-2005 a las 14:34 -0800, Chris Wright escribi=F3: > * Lorenzo Hern=E1ndez Garc=EDa-Hierro (lorenzo@gnu.org) wrote: > > Attached you can find a patch which adds a new hook for the sys_chroot(= ) > > syscall, and makes us able to add additional enforcing and security > > checks by using the Linux Security Modules framework (ie. chdir > > enforcing, etc). >=20 > If you want to make a change like this, collapse the > capable(CAP_SYS_CHROOT) check behind this hook, no point having two > outcalls from same call site. Right, did it. New patch attached and also available at: http://pearls.tuxedo-es.org/patches/sys_chroot_lsm-hook-2.6.11-rc3.patch > What logic do you expect to put behind > the chroot() hook? For example a chdir() handling function as grsec does, and also any other check that comes up to mind. Cheers and again thanks for the comments, --=20 Lorenzo Hern=E1ndez Garc=EDa-Hierro =20 [1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org] --=-DQhcbBABtNaQr2Gk5r8W Content-Disposition: attachment; filename=sys_chroot_lsm-hook-2.6.11-rc3.patch Content-Transfer-Encoding: base64 Content-Type: text/x-patch; name=sys_chroot_lsm-hook-2.6.11-rc3.patch; charset=iso-8859-1 ZGlmZiAtTnVyIGxpbnV4LTIuNi4xMS1yYzMvZnMvb3Blbi5jIGxpbnV4LTIuNi4xMS1yYzMuY2hy b290LWxzbS9mcy9vcGVuLmMNCi0tLSBsaW51eC0yLjYuMTEtcmMzL2ZzL29wZW4uYwkyMDA1LTAy LTA2IDIxOjQwOjQwLjAwMDAwMDAwMCArMDEwMA0KKysrIGxpbnV4LTIuNi4xMS1yYzMuY2hyb290 LWxzbS9mcy9vcGVuLmMJMjAwNS0wMi0wOCAxNToyOTo0MC41NDQ2MTE5MTIgKzAxMDANCkBAIC01 NzgsOSArNTc4LDkgQEANCiAJZXJyb3IgPSBwZXJtaXNzaW9uKG5kLmRlbnRyeS0+ZF9pbm9kZSxN QVlfRVhFQywmbmQpOw0KIAlpZiAoZXJyb3IpDQogCQlnb3RvIGRwdXRfYW5kX291dDsNCi0NCi0J ZXJyb3IgPSAtRVBFUk07DQotCWlmICghY2FwYWJsZShDQVBfU1lTX0NIUk9PVCkpDQorCQkNCisJ ZXJyb3IgPSBzZWN1cml0eV9jaHJvb3QoJm5kKTsNCisJaWYgKGVycm9yKQ0KIAkJZ290byBkcHV0 X2FuZF9vdXQ7DQogDQogCXNldF9mc19yb290KGN1cnJlbnQtPmZzLCBuZC5tbnQsIG5kLmRlbnRy eSk7DQpkaWZmIC1OdXIgbGludXgtMi42LjExLXJjMy9pbmNsdWRlL2xpbnV4L3NlY3VyaXR5Lmgg bGludXgtMi42LjExLXJjMy5jaHJvb3QtbHNtL2luY2x1ZGUvbGludXgvc2VjdXJpdHkuaA0KLS0t IGxpbnV4LTIuNi4xMS1yYzMvaW5jbHVkZS9saW51eC9zZWN1cml0eS5oCTIwMDUtMDItMDYgMjE6 NDA6MjcuMDAwMDAwMDAwICswMTAwDQorKysgbGludXgtMi42LjExLXJjMy5jaHJvb3QtbHNtL2lu Y2x1ZGUvbGludXgvc2VjdXJpdHkuaAkyMDA1LTAyLTA4IDE1OjMwOjU0LjQzNDM3ODk2MCArMDEw MA0KQEAgLTEwMDgsNiArMTAwOCwxMCBAQA0KICAqCUB0cyBjb250YWlucyBuZXcgdGltZQ0KICAq CUB0eiBjb250YWlucyBuZXcgdGltZXpvbmUNCiAgKglSZXR1cm4gMCBpZiBwZXJtaXNzaW9uIGlz IGdyYW50ZWQuDQorICogQGNocm9vdDoNCisgKglDaGVjayBwZXJtaXNzaW9uIHRvIGNoYW5nZSB0 aGUgY3VycmVudCByb290IGJ5IHN5c19jaHJvb3QoKSBzeXNjYWxsLg0KKyAqCUBuZCBjb250YWlu cyB0aGUgbmFtZWlkYXRhIHN0cnVjdCBwYXNzZWQgYnkgc3lzX2Nocm9vdCgpDQorICoJUmV0dXJu IDAgaWYgcGVybWlzc2lvbiBpcyBncmFudGVkLg0KICAqIEB2bV9lbm91Z2hfbWVtb3J5Og0KICAq CUNoZWNrIHBlcm1pc3Npb25zIGZvciBhbGxvY2F0aW5nIGEgbmV3IHZpcnR1YWwgbWFwcGluZy4N CiAgKiAgICAgIEBwYWdlcyBjb250YWlucyB0aGUgbnVtYmVyIG9mIHBhZ2VzLg0KQEAgLTEwNDAs NiArMTA0NCw3IEBADQogCWludCAoKmFjY3QpIChzdHJ1Y3QgZmlsZSAqIGZpbGUpOw0KIAlpbnQg KCpzeXNjdGwpIChzdHJ1Y3QgY3RsX3RhYmxlICogdGFibGUsIGludCBvcCk7DQogCWludCAoKmNh cGFibGUpIChzdHJ1Y3QgdGFza19zdHJ1Y3QgKiB0c2ssIGludCBjYXApOw0KKwlpbnQgKCpjaHJv b3QpIChzdHJ1Y3QgbmFtZWlkYXRhICogbmQpOw0KIAlpbnQgKCpxdW90YWN0bCkgKGludCBjbWRz LCBpbnQgdHlwZSwgaW50IGlkLCBzdHJ1Y3Qgc3VwZXJfYmxvY2sgKiBzYik7DQogCWludCAoKnF1 b3RhX29uKSAoc3RydWN0IGRlbnRyeSAqIGRlbnRyeSk7DQogCWludCAoKnN5c2xvZykgKGludCB0 eXBlKTsNCkBAIC0xMzA0LDYgKzEzMDksMTAgQEANCiAJcmV0dXJuIHNlY3VyaXR5X29wcy0+c2V0 dGltZSh0cywgdHopOw0KIH0NCiANCitzdGF0aWMgaW5saW5lIGludCBzZWN1cml0eV9jaHJvb3Qo c3RydWN0IG5hbWVpZGF0YSAqbmQpDQorew0KKwlyZXR1cm4gc2VjdXJpdHlfb3BzLT5jaHJvb3Qo bmQpOw0KK30NCiANCiBzdGF0aWMgaW5saW5lIGludCBzZWN1cml0eV92bV9lbm91Z2hfbWVtb3J5 KGxvbmcgcGFnZXMpDQogew0KQEAgLTE5ODYsNiArMTk5NSwxNCBAQA0KIAlyZXR1cm4gY2FwX3Nl dHRpbWUodHMsIHR6KTsNCiB9DQogDQorc3RhdGljIGlubGluZSBpbnQgc2VjdXJpdHlfY2hyb290 KHN0cnVjdCBuYW1laWRhdGEgKm5kKQ0KK3sNCisJaWYgKCFjYXBhYmxlKENBUF9TWVNfQ0hST09U KSkNCisJCXJldHVybiAtRVBFUk07DQorCQ0KKwlyZXR1cm4gMDsNCit9DQorDQogc3RhdGljIGlu bGluZSBpbnQgc2VjdXJpdHlfdm1fZW5vdWdoX21lbW9yeShsb25nIHBhZ2VzKQ0KIHsNCiAJcmV0 dXJuIGNhcF92bV9lbm91Z2hfbWVtb3J5KHBhZ2VzKTsNCmRpZmYgLU51ciBsaW51eC0yLjYuMTEt cmMzL3NlY3VyaXR5L2R1bW15LmMgbGludXgtMi42LjExLXJjMy5jaHJvb3QtbHNtL3NlY3VyaXR5 L2R1bW15LmMNCi0tLSBsaW51eC0yLjYuMTEtcmMzL3NlY3VyaXR5L2R1bW15LmMJMjAwNS0wMi0w NiAyMTo0MDo1Ny4wMDAwMDAwMDAgKzAxMDANCisrKyBsaW51eC0yLjYuMTEtcmMzLmNocm9vdC1s c20vc2VjdXJpdHkvZHVtbXkuYwkyMDA1LTAyLTA4IDE1OjI5OjU1LjAzNDQwOTEyOCArMDEwMA0K QEAgLTEwMSw2ICsxMDEsMTQgQEANCiAJcmV0dXJuIDA7DQogfQ0KIA0KK3N0YXRpYyBpbnQgZHVt bXlfY2hyb290KHN0cnVjdCBuYW1laWRhdGEgKm5kKQ0KK3sNCisJaWYgKCFjYXBhYmxlKENBUF9T WVNfQ0hST09UKSkNCisJCXJldHVybiAtRVBFUk07DQorCQ0KKwlyZXR1cm4gMDsNCit9DQorDQog c3RhdGljIGludCBkdW1teV9zZXR0aW1lKHN0cnVjdCB0aW1lc3BlYyAqdHMsIHN0cnVjdCB0aW1l em9uZSAqdHopDQogew0KIAlpZiAoIWNhcGFibGUoQ0FQX1NZU19USU1FKSkNCkBAIC04NTgsNiAr ODY2LDcgQEANCiAJc2V0X3RvX2R1bW15X2lmX251bGwob3BzLCBzeXNjdGwpOw0KIAlzZXRfdG9f ZHVtbXlfaWZfbnVsbChvcHMsIHN5c2xvZyk7DQogCXNldF90b19kdW1teV9pZl9udWxsKG9wcywg c2V0dGltZSk7DQorCXNldF90b19kdW1teV9pZl9udWxsKG9wcywgY2hyb290KTsNCiAJc2V0X3Rv X2R1bW15X2lmX251bGwob3BzLCB2bV9lbm91Z2hfbWVtb3J5KTsNCiAJc2V0X3RvX2R1bW15X2lm X251bGwob3BzLCBicHJtX2FsbG9jX3NlY3VyaXR5KTsNCiAJc2V0X3RvX2R1bW15X2lmX251bGwo b3BzLCBicHJtX2ZyZWVfc2VjdXJpdHkpOw0K --=-DQhcbBABtNaQr2Gk5r8W-- --=-s0auQ+lKUs98ctDdBe0Q Content-Type: application/pgp-signature; name=signature.asc Content-Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQBCCM/yDcEopW8rLewRAkewAKCDH+gaAhiTb0NwqsGqD8jNwylOCACghYaw n6gZ0J9aG3Q89SEzh2wXOy8= =OZ9c -----END PGP SIGNATURE----- --=-s0auQ+lKUs98ctDdBe0Q-- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/