Grsecurity jails

Discuss and suggest new grsecurity features

Grsecurity jails

Postby Grach » Wed Apr 15, 2009 6:07 am

Brad, would you be so kind as to review my simple patch? I use it to make processes that have been chrooted more than once, and that run as subjects of a special role, accessible from within the chroot jail to other chrooted processes. The patch looks simple, and I think I can maintain it myself. I just want to use the patch in a production environment and really need to know if I'm doing something very wrong with it.

--- grsec_chroot.c.orig   2009-04-12 01:37:54.000000000 +0800
+++ grsec_chroot.c   2009-04-14 21:01:18.000000000 +0800
@@ -85,6 +85,16 @@
       return 0;
 
    task_lock(p);
+   if (proc_is_chrooted(current) && proc_is_chrooted(p)) {
+      if (gr_acl_is_enabled()) {
+         if (current->role->roletype & p->role->roletype & GR_ROLE_SPECIAL) {
+            if (!strcmp(current->role->rolename, p->role->rolename)) {
+               task_unlock(p);
+               return 0;
+            }
+         }
+      }
+   }
    if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
        !have_same_root(current, p)) {
       task_unlock(p);
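Review bot: The early `return 0` sits above the `exit_state` / `have_same_root()` test, so two chrooted tasks in the same special role pass whatever their roots are, and the zombie/dead test is skipped for them as well. Nothing in the added condition ties `p`'s root to `current`'s. The post describes the goal as reaching more-than-once-chrooted processes from the enclosing jail, so if that is the only intended case the exception is wider than needed: two unrelated jails sharing one special role would also be exposed to each other. At minimum, say so above the test, e.g. `/* same special role: deliberately bypasses the same-root check, including for tasks in unrelated chroots */`, and keep the `EXIT_ZOMBIE | EXIT_DEAD` test ahead of the exception if callers rely on it. The same ordering is carried into the two later revisions of this hunk in the thread; the enclosing function starts and ends outside the hunk.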
--- grsec_sig.c.orig   2009-04-11 14:51:01.000000000 +0800
+++ grsec_sig.c   2009-04-15 16:51:37.000000000 +0800
@@ -1,6 +1,12 @@
 #include <linux/kernel.h>
+#include <linux/module.h>
 #include <linux/sched.h>
 #include <linux/delay.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/types.h>
+#include <linux/pid_namespace.h>
 #include <linux/grsecurity.h>
 #include <linux/grinternal.h>
 
@@ -24,6 +30,14 @@
 gr_handle_signal(const struct task_struct *p, const int sig)
 {
 #ifdef CONFIG_GRKERNSEC
+   if (proc_is_chrooted(current) && proc_is_chrooted(p)) {
+      if (gr_acl_is_enabled()) {
+         if (current->role->roletype & p->role->roletype & GR_ROLE_SPECIAL) {
+            if (!strcmp(current->role->rolename, p->role->rolename))
+               return 0;
+         }
+      }
+   }
    if (current->pid > 1 && gr_check_protected_task(p)) {
       gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
       return -EPERM;
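Review bot: The added test returns 0 before `gr_check_protected_task(p)` is consulted, so a signal between two chrooted tasks in the same special role no longer reaches the protected-task denial or its `gr_log_sig` record. If the exception is only meant to relax the chroot restriction, it belongs after that check, for example as an `else if` following the `-EPERM` branch. `p->role` is also read here without the `task_lock(p)` that the grsec_chroot.c hunk holds; whether that is safe depends on code outside the hunk. The body of `gr_handle_signal` continues past the last visible line.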
Grach
 

Re: Grsecurity jails

Postby spender » Fri Apr 17, 2009 7:45 pm

Use this instead (not an actual patch, just a modification so you can see what code to use):

--- grsec_chroot.c.orig   2009-04-12 01:37:54.000000000 +0800
    +++ grsec_chroot.c   2009-04-14 21:01:18.000000000 +0800
    @@ -85,6 +85,16 @@
          return 0;

       task_lock(p);
    +   if (proc_is_chrooted(current) && proc_is_chrooted(p) && gr_acl_is_enabled() &&
    +        (current->role->roletype & GR_ROLE_SPECIAL) && current->role == p->role) {
    +           task_unlock(p);
    +           return 0;
    +   }
       if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
           !have_same_root(current, p)) {
          task_unlock(p);
    --- grsec_sig.c.orig   2009-04-11 14:51:01.000000000 +0800
    +++ grsec_sig.c   2009-04-15 16:51:37.000000000 +0800
    @@ -1,6 +1,12 @@
    #include <linux/kernel.h>
    +#include <linux/module.h>
    #include <linux/sched.h>
    #include <linux/delay.h>
    +#include <linux/file.h>
    +#include <linux/fs.h>
    +#include <linux/mount.h>
    +#include <linux/types.h>
    +#include <linux/pid_namespace.h>
    #include <linux/grsecurity.h>
    #include <linux/grinternal.h>

    @@ -24,6 +30,14 @@
    gr_handle_signal(const struct task_struct *p, const int sig)
    {
    #ifdef CONFIG_GRKERNSEC
    +   if (proc_is_chrooted(current) && proc_is_chrooted(p) && gr_acl_is_enabled() &&
    +        (current->role->roletype & GR_ROLE_SPECIAL) && current->role == p->role) {
    +           task_unlock(p);
    +           return 0;
    +   }
       if (current->pid > 1 && gr_check_protected_task(p)) {
          gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
          return -EPERM;
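Review bot: `task_unlock(p)` in the block added to `gr_handle_signal` has no matching `task_lock(p)` in the visible lines, and `p` is declared `const struct task_struct *` here. The call looks carried over from the grsec_chroot.c hunk and should be dropped, so the block body is just `return 0;`. Unlocking a task lock this path never took would corrupt the lock state for whoever does hold it. The function body continues outside the hunk, so a lock taken by a caller cannot be ruled out from here.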
spender
 

Re: Grsecurity jails

Postby Grach » Mon Apr 20, 2009 5:15 pm

Thank you very much, Brad!

If anyone is interested, here is the corrected patch (it also doesn't break signal restrictions).
--- grsec_chroot.c.orig   2009-04-12 01:37:54.000000000 +0800
+++ grsec_chroot.c   2009-04-21 02:44:57.000000000 +0800
@@ -85,6 +85,11 @@
       return 0;
 
    task_lock(p);
+   if (proc_is_chrooted(current) && proc_is_chrooted(p) && gr_acl_is_enabled() &&
+       (current->role->roletype & GR_ROLE_SPECIAL) && current->role == p->role) {
+      task_unlock(p);
+      return 0;
+   }
    if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
        !have_same_root(current, p)) {
       task_unlock(p);
--- grsec_sig.c.orig   2009-04-11 14:51:01.000000000 +0800
+++ grsec_sig.c   2009-04-21 04:06:49.000000000 +0800
@@ -1,6 +1,7 @@
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/delay.h>
+#include <linux/pid_namespace.h>
 #include <linux/grsecurity.h>
 #include <linux/grinternal.h>
 
@@ -27,6 +28,9 @@
    if (current->pid > 1 && gr_check_protected_task(p)) {
       gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
       return -EPERM;
+   } else if (proc_is_chrooted(current) && proc_is_chrooted(p) && gr_acl_is_enabled() &&
+              (current->role->roletype & GR_ROLE_SPECIAL) && current->role == p->role) {
+      return 0;
    } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
       return -EPERM;
    }
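Review bot: The new `else if` repeats, word for word, the role test that the grsec_chroot.c hunk adds. If the function patched there is `gr_pid_is_chrooted()` (its name is not visible in that hunk), the following branch already returns 0 for this case and the added branch is redundant. Keeping the exception in one place avoids the two copies drifting apart when the policy condition changes; if the copy is kept on purpose, mark it, e.g. `/* mirrors the same-special-role exception in grsec_chroot.c */`. This copy also reads `p->role` without `task_lock(p)`, unlike the grsec_chroot.c one. Nothing in the added lines appears to need `<linux/pid_namespace.h>`, so that include is worth re-checking.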
Grach
 

