[PATCH 2/3] socket checks for uds fds transfer

[Tal Tchwella]

This patch checks whether another user is trying to send a chrooted application by
a non-root user a fd to a directory, which will allow it to escape.
By preventing this kind of fd transfer to chrooted applications by non-root users,
certain security risks are mitigated.

Signed-off-by: Tal Tchwella <tchwella@xxxxxxx>
---
 net/core/scm.c |    9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/core/scm.c b/net/core/scm.c
index ff52ad0..e505528 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -282,6 +282,15 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
 	for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
 	     i++, cmfptr++)
 	{
+		/*
+		 * Restricts passing of fds via unix domain sockets to non-root
+		 * chrooted applications to files and does not allow directories
+		 * to be passed.
+		 */
+		if (current->user_chroot == CHROOT_USER_MODE) {
+			if (S_ISDIR(fp[i]->f_dentry->d_inode->i_mode))
+				continue;
+		}
 		int new_fd;
 		err = security_file_receive(fp[i]);
 		if (err)
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/