Grsecurity jails
Posted: Wed Apr 15, 2009 6:07 am
Brad, would you be so kind to review my simple patch? I use it to make more-than-once-chrooted processes, being a special role subjects, to be accessible within the chroot jail for another chrooted processes. The patch looks simple, and I think I can maintain it myself. I just want to use the patch in production environment and really need to know if I'm doing something very wrong with it.
- Code: Select all
--- grsec_chroot.c.orig 2009-04-12 01:37:54.000000000 +0800
+++ grsec_chroot.c 2009-04-14 21:01:18.000000000 +0800
@@ -85,6 +85,16 @@
return 0;
task_lock(p);
+ if (proc_is_chrooted(current) && proc_is_chrooted(p)) {
+ if (gr_acl_is_enabled()) {
+ if (current->role->roletype & p->role->roletype & GR_ROLE_SPECIAL) {
+ if (!strcmp(current->role->rolename, p->role->rolename)) {
+ task_unlock(p);
+ return 0;
+ }
+ }
+ }
+ }
if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
!have_same_root(current, p)) {
task_unlock(p);
--- grsec_sig.c.orig 2009-04-11 14:51:01.000000000 +0800
+++ grsec_sig.c 2009-04-15 16:51:37.000000000 +0800
@@ -1,6 +1,12 @@
#include <linux/kernel.h>
+#include <linux/module.h>
#include <linux/sched.h>
#include <linux/delay.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/types.h>
+#include <linux/pid_namespace.h>
#include <linux/grsecurity.h>
#include <linux/grinternal.h>
@@ -24,6 +30,14 @@
gr_handle_signal(const struct task_struct *p, const int sig)
{
#ifdef CONFIG_GRKERNSEC
+ if (proc_is_chrooted(current) && proc_is_chrooted(p)) {
+ if (gr_acl_is_enabled()) {
+ if (current->role->roletype & p->role->roletype & GR_ROLE_SPECIAL) {
+ if (!strcmp(current->role->rolename, p->role->rolename))
+ return 0;
+ }
+ }
+ }
if (current->pid > 1 && gr_check_protected_task(p)) {
gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
return -EPERM;