Linux 2.1.115 network capability patch

From: Duncan Simpson (dpsat_private)
Date: Sun Aug 16 1998 - 19:30:00 PDT


    Having received encouragement and a message to the effect that some people
    have lots of daemons that need exec() so can not turn off CAP_SYS_EXEC. I
    thought people might like this patch which should allow one to stop crackers
    opening new network connections to ftp tools and set up back doors. It
    should limit the activities of standard script kiddies.
    
    Real experts will just transfer their tools over the connection they have
    anyway but will not be able to startup evil network services (I assume these
    need socket() or socketpair() at a minimum, so no CAP_SYS_SOCKET is lethal).
    This patch also nicely stops port 25 email forgers/spammers on the local
    machine. (Sadly the old setuid root support will allow those with
    root to bypass all this, but this will change when the VFS gets capability
    support---I assume if you lack a capability giving it to a binary will be
    banned).
    
    CAP_NET_SERVER is more liberal and stops bind(), listen() and accept()
    so people can not start up their own servers (a widespread policy so
    the ability in enforce this is handy). I would have done CAP_NET_CLIENT
    restricting connect(), sendto() and stuff like that but there seem to be
    rather few bits left for heftier items (how about a programable sandbox?).
    
    
    Note that you *must* install the CAP_SYS_EXEC patch before applying this one
    if you want non-root network clients due to the need for CAP_KEEP_SET support.
    If you do not then capabilities are not preserved and everything is
    squashed when login drops privs, so CAP_SYS_SOCKET and CAP_NET_SERVER go away
    too. (Squashing these capabilities is a job for login, inetd, etc).
    
    The patch passes my test (recompile, reboot, login and check my shell still
    has the capabilities). I might do MD4/MD5 sum testing for selected binaries
    by writing to some virtual files in /proc (easily frozen shortly after fixing
    the database at boot time).
    
    
    Duncan (-:
    
    P.S. I am aware that this patch will generate a rejection if applied after
    the CAP_SYS_EXEC patch. Fixing this is left as a simple exercise for the
    reader.
    
    --- linux/include/linux/capability.h.dist       Wed Aug 12 04:23:32 1998
    +++ linux/include/linux/capability.h    Mon Aug 17 01:12:25 1998
    @@ -254,6 +254,21 @@
    
     #define CAP_SYS_TTY_CONFIG   26
    
    +/* Allow use of exec(). Anti-shellcode measure */
    +
    +#define CAP_SYS_EXEC 27
    +
    +/* Allow use of socket() */
    +/* Allow use of socketpair() */
    +
    +#define CAP_SYS_SOCKET 28
    +
    +/* Allow use of bind() */
    +/* Allow use of listen() */
    +/* Allow use of accept() */
    +
    +#define CAP_NET_SERVER 29
    +
     #ifdef __KERNEL__
    
     /*
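Review bot: The `#define CAP_SYS_EXEC 27` added here duplicates the definition supplied by the prerequisite CAP_SYS_EXEC patch, which is the rejection the description mentions; wrapping it as `#ifndef CAP_SYS_EXEC` / `#define CAP_SYS_EXEC 27` / `#endif` lets the two patches apply in either order, provided the other patch also assigns 27 (not visible here, so worth confirming). The comments on the two new capabilities say which calls they unlock but not how a denial surfaces, and the socket.c hunks answer that differently (-EACCES for CAP_SYS_SOCKET, -EPERM for CAP_NET_SERVER). Recording it in the header, e.g. `/* Allow use of socket()/socketpair(); a caller without it gets EACCES */`, keeps the contract in one place.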
    @@ -266,6 +281,7 @@
     #define CAP_INIT_INH_SET    { ~0 & ~CAP_TO_MASK(CAP_SETPCAP) }
    
     #define CAP_TO_MASK(x) (1 << (x))
    +#define CAP_KEEP_SET        (CAP_TO_MASK(CAP_SYS_EXEC) | CAP_TO_MASK(CAP_SYS_SOCKET) | CAP_TO_MASK(CAP_NET_SERVER))
     #define cap_raise(c, flag)   ((c).cap |=  CAP_TO_MASK(flag))
     #define cap_lower(c, flag)   ((c).cap &= ~CAP_TO_MASK(flag))
     #define cap_raised(c, flag)  ((c).cap &   CAP_TO_MASK(flag))
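Review bot: `CAP_KEEP_SET` is defined but nothing in this patch reads it; per the description it is consumed by the separate CAP_SYS_EXEC patch when login and friends drop privileges, so a reader of this header alone cannot tell what the set means. A comment such as `/* Capabilities retained across a privilege drop; consumed by the CAP_SYS_EXEC patch, not by net/socket.c */` would make that dependency explicit. Since `CAP_TO_MASK` expands to `1 << x`, bits 27-29 fit a 32-bit int, but anyone extending the set to bit 31 would hit a signed left shift into the sign bit, which the same comment could warn about.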
    --- linux/net/socket.c.dist     Mon Aug 17 00:47:13 1998
    +++ linux/net/socket.c  Mon Aug 17 02:47:26 1998
    @@ -41,6 +41,9 @@
      *             Kevin Buhr      :       Fixed the dumb errors in the above.
      *             Andi Kleen      :       Some small cleanups, optimizations,
      *                                     and fixed a copy_from_user() bug.
    + *             Duncan          :       Added CAP_SYS_SOCKET and
    + *                                     CAP_NET_SERVER support. These should
    + *                                     limit script kiddies activities.
      *
      *
      *             This program is free software; you can redistribute it and/or
    @@ -75,6 +78,8 @@
     #include <linux/wanrouter.h>
     #include <linux/init.h>
     #include <linux/poll.h>
    +#include <linux/capability.h>
    +#include <linux/errno.h>
    
     #if defined(CONFIG_KMOD) && defined(CONFIG_NET)
     #include <linux/kmod.h>
    @@ -638,6 +643,9 @@
            int retval;
            struct socket *sock;
    
    +       if (!cap_raised(current->cap_effective,CAP_SYS_SOCKET))
    +           return -EACCES;
    +
            lock_kernel();
    
            retval = sock_create(family, type, protocol, &sock);
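Review bot: A missing CAP_SYS_SOCKET is reported as -EACCES here and in the socketpair hunk at @@ -667, while the CAP_NET_SERVER checks in the bind, listen and accept hunks return -EPERM; one errno for "capability not held" at all five sites is easier to document and to match in user space, and -EPERM is what capability failures elsewhere in the kernel generally use (none are visible in this hunk, so that is inferred). Placing the check before `lock_kernel()` is right: the early return leaves nothing to unlock. Style: `cap_raised(current->cap_effective,CAP_SYS_SOCKET)` has no space after the comma, unlike the bind and listen hunks; the socketpair and accept hunks have the same inconsistency. The body of sys_socket continues outside the hunk.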
    @@ -667,6 +675,9 @@
            struct socket *sock1, *sock2;
            int fd1, fd2, err;
    
    +       if (!cap_raised(current->cap_effective,CAP_SYS_SOCKET))
    +           return -EACCES;
    +
            lock_kernel();
    
            /*
    @@ -738,6 +749,9 @@
            char address[MAX_SOCK_ADDR];
            int err;
    
    +       if (!cap_raised(current->cap_effective, CAP_NET_SERVER))
    +           return -EPERM;
    +
            lock_kernel();
            if((sock = sockfd_lookup(fd,&err))!=NULL)
            {
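Review bot: The CAP_NET_SERVER check rejects bind() for every address family, AF_UNIX included, so a process running without the capability also loses any local IPC that needs a bound Unix-domain socket; the listen and accept hunks at @@ -761 and @@ -790 have the same scope. If that is intended it deserves a comment at the check, e.g. `/* CAP_NET_SERVER gates bind/listen/accept for all families, AF_UNIX included */`; if not, a per-family decision would need the socket, which is only available after `sockfd_lookup()`. Placing the check before `sockfd_lookup()` also means an invalid descriptor reports -EPERM rather than -EBADF, which may be acceptable but should be a conscious choice. The enclosing functions start and end outside these hunks.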
    @@ -761,6 +775,9 @@
            struct socket *sock;
            int err;
    
    +       if (!cap_raised(current->cap_effective, CAP_NET_SERVER))
    +           return -EPERM;
    +
            lock_kernel();
            if((sock = sockfd_lookup(fd, &err))!=NULL)
            {
    @@ -790,6 +807,9 @@
            struct socket *sock, *newsock;
            int err, len;
            char address[MAX_SOCK_ADDR];
    +
    +       if (!cap_raised(current->cap_effective,CAP_NET_SERVER))
    +           return -EPERM;
    
            lock_kernel();
            sock = sockfd_lookup(fd, &err);
    


