Hi,

Attached you can find a patch which adds a new hook for the sys_chroot() syscall, and makes us able to add additional enforcing and security checks by using the Linux Security Modules framework (i.e. chdir enforcing, etc.).

Current user of the hook is the forthcoming 0.2 revision of vSecurity. With it, and used within an LSM module, we can achieve the goal of enforcing and apply some hardening to the sys_chroot() syscall.

Even if chroot jails are broken by design, in terms of security, with a few changes to their base and some syscalls that they rely on, we can achieve the goal of preventing some of the already known attacks against them.

I will make available some patches for other syscalls as well (sys_fchmod(), sys_chmod(), ...), that will add a few more hooks to the LSM framework, in the hope that they will be useful.

The patch can be retrieved too from:
http://pearls.tuxedo-es.org/patches/sys_chroot_lsm-hook-2.6.11-rc3.patch

Thanks in advance, and, again, I will appreciate any suggestions on which hooks are good candidates to be added. Feel free to edit the tuxedo-es.org wiki at http://wiki.tuxedo-es.org/LSM and put suggestions & comments there.

Cheers,
--
Lorenzo Hernández García-Hierro <lorenzo@private>
[1024D/6F2B2DEC] & [2048g/9AE91A22] [http://tuxedo-es.org]
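The "chdir enforcing" policy the mail mentions is the kind of decision an LSM hook on sys_chroot() would make: refuse the chroot unless the caller's working directory already lies inside the new root, so the process cannot keep a directory handle outside the jail. The following userspace C is an added illustration of that decision logic only; it is not the patch, not vSecurity code, and not the kernel hook's interface. The function name chroot_allowed and its path-string inputs are assumptions for the example, and the paths are constructed samples.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Decide whether a chroot() into new_root should be permitted under a
 * "chdir enforcing" policy: the caller's current working directory must
 * already be inside (or equal to) the new root.
 *
 * Assumptions (illustration only): both paths are absolute and already
 * canonical (no ".." or symlink components); trailing slashes on new_root
 * are tolerated. A real hook would work on dentry/vfsmount objects rather
 * than strings, so this models the policy, not the kernel API.
 */
bool chroot_allowed(const char *cwd, const char *new_root)
{
    char root[4096];
    size_t rlen;

    if (cwd == NULL || new_root == NULL)
        return false;
    if (cwd[0] != '/' || new_root[0] != '/')
        return false;

    rlen = strlen(new_root);
    if (rlen >= sizeof(root))
        return false;
    memcpy(root, new_root, rlen + 1);

    /* Strip trailing slashes so "/jail/" and "/jail" compare equal. */
    while (rlen > 1 && root[rlen - 1] == '/')
        root[--rlen] = '\0';

    /* chroot("/") does not narrow the namespace; nothing to enforce. */
    if (rlen == 1)
        return true;

    /* cwd must start with the root prefix ... */
    if (strncmp(cwd, root, rlen) != 0)
        return false;

    /* ... and the prefix must end on a path-component boundary, so that
     * "/jailx" is not mistaken for being inside "/jail". */
    return cwd[rlen] == '\0' || cwd[rlen] == '/';
}

int main(void)
{
    /* Constructed sample decisions a hook would return (0 = deny, 1 = allow). */
    printf("cwd=/jail/home root=/jail  -> %d\n", chroot_allowed("/jail/home", "/jail"));
    printf("cwd=/jailx     root=/jail  -> %d\n", chroot_allowed("/jailx", "/jail"));
    printf("cwd=/          root=/jail  -> %d\n", chroot_allowed("/", "/jail"));
    printf("cwd=/jail      root=/jail/ -> %d\n", chroot_allowed("/jail", "/jail/"));
    return 0;
}
```

The component-boundary check is the part most often missed in prefix-based path policies: a plain strncmp would accept a working directory of /jailx when the new root is /jail, which is exactly the kind of gap an enforcing hook exists to close.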
This archive was generated by hypermail 2.1.3 : Mon Feb 07 2005 - 14:18:10 PST