proc in a chroot

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

proc in a chroot

Postby Makc » Sat Dec 23, 2006 11:05 am

Hello,

I have a problem with /proc in chrooted environment:
Code: Select all
# ls -la /disk2/vpn/proc/
total 8
drwxr-xr-x    2 root     root         4096 Dec 15  2004 .
drwxr-xr-x   21 root     root         4096 Dec  1 23:00 ..
# mount -t proc none /disk2/vpn/proc/
# ls -al /disk2/vpn/proc/ | wc -l
    259
# \chroot /disk2/vpn/
# ls -al /proc/ | wc -l
43
# ps auwx
Error, do this: mount -t proc none /proc


mount inside jail does nothing.

inner /proc contains update / cmdline / crypto / devices / etc, but it does not have any PIDs, even self:
Code: Select all
# ls -al /proc/self
ls: /proc/self: No such file or directory

If I set kernel.grsecurity.chroot_findtask to 0 everything works, but users can see all the proccess.

2.6.19.1, grsecurity-2.1.9-2.6.19.1-200612121859
Makc
 
Posts: 1
Joined: Sat Dec 23, 2006 10:55 am

YMMV, but this works for me

Postby Alexei.Sheplyakov » Wed Jan 03, 2007 5:32 pm

Code: Select all
# Enable to mount inside chroots:
sysctl -w kernel/grsecurity/chroot_deny_mount=0
# Mount /proc inside the chroot:
chroot /path/to/chroot mount -n -t proc proc /proc
# Disable to mount inside chroots again:
sysctl -w kernel/grsecurity/chroot_deny_mount=1
Alexei.Sheplyakov
 
Posts: 53
Joined: Sun Feb 19, 2006 11:48 am

Postby spender » Wed Jan 03, 2007 9:25 pm

This problem is fixed in the latest 2.1.10 patch in http://grsecurity.net/~spender/

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support

cron