Re: linux-user-chroot 2012.2

From: Andy Lutomirski
Date: Mon Aug 13 2012 - 14:11:16 EST

Next message: Fengguang Wu: "Re: [userns:userns-always-map-user-v45 80/99] fs/namespace.c:2290:1:error: unknown type name 'atomic64_t'"
Previous message: Konrad Rzeszutek Wilk: "Re: [PATCH V5 09/18] MIPS: Loongson: Add swiotlb to support bigmemory (>4GB)."
In reply to: Colin Walters: "linux-user-chroot 2012.2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Aug 10, 2012 at 1:58 PM, Colin Walters <walters@xxxxxxxxxx> wrote:
> Hi,
>
> This is the release of linux-user-chroot 2012.2. The major change now
> is that it makes use of Andy's new PR_SET_NO_NEW_PRIVS. This doesn't
> close any security hole I'm aware of - our previous use of the MS_NOSUID
> bind mount over / should work - but, belt and suspenders as they say.
>
> The code:
> http://git.gnome.org/browse/linux-user-chroot/commit/?id=515c714471d0b5923f6633ef44a2270b23656ee9
>
> As for how linux-user-chroot and PR_SET_NO_NEW_PRIVS relate, see this
> thread:
> http://thread.gmane.org/gmane.linux.kernel.lsm/15339
>
> Summary
> -------
>
> This tool allows regular (non-root) users to call chroot(2), create
> Linux bind mounts, and use some Linux container features. It's
> primarily intended for use by build systems.

Nifty.

One of these days, I intend to resurrect my unprivileged chroot kernel
patches. My current thought is to add a new syscall weak_chroot,
which should have these properties:

1. Can't be used unless no_new_privs is set or you have CAP_SYS_ADMIN.
2. Can't be used if fs->users > 1 (to avoid a trivial no_new_privs bypass).
3. Can't be used to break out of chroot jail.

The interface might be:

weak_chroot_at(int fd, const char *path, int flags)

Sets fs->weak_root to path, as seen from fd, according to flags.
Works if (no_new_privs && fs->users == 1) || capable(CAP_SYS_ADMIN).

Modify chroot to change fs->weak_root and fs->root. Further modify
the path walking code so that / sees weak_root instead of root and so
that .. will not traverse root or weak_root.

I'm somewhat tempted to add a flag to weak_chroot_at to break out of
weak_root jail to prevent people from thinking that it's a security
feature. I'm not sure about that, though.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Fengguang Wu: "Re: [userns:userns-always-map-user-v45 80/99] fs/namespace.c:2290:1:error: unknown type name 'atomic64_t'"
Previous message: Konrad Rzeszutek Wilk: "Re: [PATCH V5 09/18] MIPS: Loongson: Add swiotlb to support bigmemory (>4GB)."
In reply to: Colin Walters: "linux-user-chroot 2012.2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]