On Mon, 07-02-2005 at 14:34 -0800, Chris Wright wrote:
> * Lorenzo Hernández García-Hierro (lorenzo@private) wrote:
> > Attached you can find a patch which adds a new hook for the sys_chroot()
> > syscall, and makes us able to add additional enforcing and security
> > checks by using the Linux Security Modules framework (ie. chdir
> > enforcing, etc).
>
> If you want to make a change like this, collapse the
> capable(CAP_SYS_CHROOT) check behind this hook, no point having two
> outcalls from same call site.

Right, did it.
New patch attached and also available at:
http://pearls.tuxedo-es.org/patches/sys_chroot_lsm-hook-2.6.11-rc3.patch

> What logic do you expect to put behind
> the chroot() hook?

For example a chdir() handling function as grsec does, and also any
other check that comes to mind.

Cheers and again thanks for the comments,
--
Lorenzo Hernández García-Hierro <lorenzo@private>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]

This archive was generated by hypermail 2.1.3 : Tue Feb 08 2005 - 06:44:08 PST