Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing

From: Lorenzo Hernández García-Hierro (lorenzo@private)
Date: Tue Feb 08 2005 - 06:42:58 PST


On Mon, 07-02-2005 at 14:34 -0800, Chris Wright wrote:
> * Lorenzo Hernández García-Hierro (lorenzo@private) wrote:
> > Attached you can find a patch which adds a new hook for the sys_chroot()
> > syscall, and makes us able to add additional enforcing and security
> > checks by using the Linux Security Modules framework (i.e. chdir
> > enforcing, etc.).
> 
> If you want to make a change like this, collapse the
> capable(CAP_SYS_CHROOT) check behind this hook, no point having two
> outcalls from same call site.

Right, did it.
New patch attached and also available at:
http://pearls.tuxedo-es.org/patches/sys_chroot_lsm-hook-2.6.11-rc3.patch

> What logic do you expect to put behind
> the chroot() hook?

For example a chdir() handling function as grsec does, and also any
other check that comes up to mind.

Cheers and again thanks for the comments,
-- 
Lorenzo Hernández García-Hierro <lorenzo@private> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
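An added userspace model of the design discussed in this thread (not the attached patch's kernel code): sys_chroot() makes a single outcall to the installed hook, the default hook performs only the CAP_SYS_CHROOT check that the syscall used to do inline, and a stricter hook additionally refuses a chroot() whose caller's cwd would remain outside the new root. The hook names, the `task` struct and the string-based, canonical-absolute-path containment check are assumptions of this example, not the patch's identifiers or grsec's logic.

```c
#include <stdbool.h>
#include <string.h>
#include <errno.h>

/* Hypothetical stand-in for the kernel's task/fs state: capability bit and cwd. */
struct task { bool cap_sys_chroot; const char *cwd; };

/* True when `path` equals `root` or lies beneath it on a path-component boundary,
   so "/jail" matches "/jail/work" but not "/jailbreak". Paths are assumed canonical. */
static bool path_under(const char *path, const char *root) {
    size_t n = strlen(root);
    if (n > 0 && root[n - 1] == '/') n--;          /* tolerate a trailing slash ("/" -> n == 0) */
    if (strncmp(path, root, n) != 0) return false;
    return n == 0 || path[n] == '\0' || path[n] == '/';
}

typedef int (*chroot_hook_fn)(const struct task *, const char *);

/* Hypothetical default hook: only the capability check, behaviour unchanged from the inline test. */
static int chroot_hook_default(const struct task *t, const char *newroot) {
    (void)newroot;
    return t->cap_sys_chroot ? 0 : -EPERM;
}

/* Hypothetical stricter hook: capability check plus cwd containment, one example of the
   "chdir enforcing" a module could place behind the hook. */
static int chroot_hook_chdir_enforce(const struct task *t, const char *newroot) {
    if (!t->cap_sys_chroot) return -EPERM;
    if (!path_under(t->cwd, newroot)) return -EPERM;   /* cwd would stay outside the jail */
    return 0;
}

/* Models the syscall: exactly one outcall, the installed policy decides. */
static int do_chroot(chroot_hook_fn hook, const struct task *t, const char *newroot) {
    int err = hook(t, newroot);
    if (err) return err;
    /* in the kernel, set_fs_root() would run here */
    return 0;
}
```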
This archive was generated by hypermail 2.1.3 : Tue Feb 08 2005 - 06:44:08 PST