grsecurity forums

Skip to content

CONFIG_GRKERNSEC_CHROOT_FINDTASK problem

Discuss and suggest new grsecurity features
Topic locked

CONFIG_GRKERNSEC_CHROOT_FINDTASK problem

Postby NowakPL » Mon Jan 19, 2004 7:59 pm

CONFIG_GRKERNSEC_CHROOT_FINDTASK:
If you say Y here, processes inside a chroot will not be able to kill, send signals with fcntl, ptrace, capget, setpgid, getpgid, getsid, or view any process outside of the chroot.

There is a problem with defunct processes outside chroot:
root@mac:~# mount -t proc none /md0/chroot/proc
root@mac:~# chroot /md0/chroot
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 13.0 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 9203 0.0 0.1 2936 924 ? R 00:04 0:00 ps aux
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 1.4 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 28536 0.0 0.0 0 0 ? Z 00:04 0:00 [dovecot-auth] <defunct>
root 17642 0.0 0.1 2964 924 ? R 00:04 0:00 ps aux
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 0.8 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 12043 0.0 0.1 2984 920 ? R 00:04 0:00 ps aux
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 0.6 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 24600 0.0 0.0 0 0 ? Z 00:04 0:00 [watchdog] <defunct>
root 4386 0.0 0.1 2972 924 ? R 00:04 0:00 ps aux
NowakPL
 
Posts: 1
Joined: Mon Jan 19, 2004 7:54 pm
Top

Re: CONFIG_GRKERNSEC_CHROOT_FINDTASK problem

Postby purel » Mon Jan 26, 2004 4:37 am

NowakPL wrote:CONFIG_GRKERNSEC_CHROOT_FINDTASK:
If you say Y here, processes inside a chroot will not be able to kill, send signals with fcntl, ptrace, capget, setpgid, getpgid, getsid, or view any process outside of the chroot.

There is a problem with defunct processes outside chroot:
root@mac:~# mount -t proc none /md0/chroot/proc
root@mac:~# chroot /md0/chroot
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 13.0 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 9203 0.0 0.1 2936 924 ? R 00:04 0:00 ps aux
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 1.4 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 28536 0.0 0.0 0 0 ? Z 00:04 0:00 [dovecot-auth] <defunct>
root 17642 0.0 0.1 2964 924 ? R 00:04 0:00 ps aux
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 0.8 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 12043 0.0 0.1 2984 920 ? R 00:04 0:00 ps aux
root@mac:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 20380 0.6 0.4 3872 2352 ? S 00:04 0:00 /bin/bash -i
root 24600 0.0 0.0 0 0 ? Z 00:04 0:00 [watchdog] <defunct>
root 4386 0.0 0.1 2972 924 ? R 00:04 0:00 ps aux


have you tried with chroot_caps disabled???

i've had a similar problem with chroot_caps. most of the standard
applications didn't work properly inside chroot and after disabling it worked just fine....
purel
 
Posts: 2
Joined: Wed Sep 03, 2003 5:40 am
Top
Topic locked

Return to grsecurity development

Powered by phpBB® Forum Software © phpBB Group