#include <linux/string.h>
#include <linux/sched.h>
#include <linux/errno.h>
#include <linux/version.h>
#include <linux/syscalls.h>
#include <linux/file.h>
#include <rsbac/types.h>
#include <rsbac/aci.h>
#include <rsbac/error.h>
#include <rsbac/rkmem.h>
#include <rsbac/debug.h>
#include <rsbac/helpers.h>
#include <rsbac/getname.h>
#include <rsbac/network.h>
#include <asm/uaccess.h>
Go to the source code of this file.
Functions | |
| int | rsbac_jail_sys_jail (rsbac_version_t version, char *path, rsbac_jail_ip_t ip, rsbac_jail_flags_t flags, rsbac_cap_vector_t max_caps, rsbac_jail_scd_vector_t scd_get, rsbac_jail_scd_vector_t scd_modify) |
Variables | |
| static rsbac_jail_id_t | next_id = 1 |
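/**
 * rsbac_jail_sys_jail - place the calling process into a new RSBAC jail.
 *
 * Defined at line 51 of jail_syscalls.c; referenced by sys_rsbac() and
 * sys_rsbac_jail().
 *
 * @version:    caller's interface version, must equal RSBAC_JAIL_VERSION
 * @path:       new root directory handed to sys_chroot(), or NULL to keep
 *              the current root
 * @ip:         address for the jail; INADDR_ANY or an address that
 *              inet_addr_type() reports as local, multicast or broadcast
 * @flags:      requested jail flags
 * @max_caps:   requested capability ceiling
 * @scd_get:    requested SCD read vector
 * @scd_modify: requested SCD modify vector
 *
 * If the caller is already jailed, the requested flags, SCD vectors and
 * capability ceiling are ANDed with the current jail's values, and a
 * non-zero jail_ip of the current jail replaces @ip, so a nested jail
 * cannot be wider than its parent in these attributes.
 *
 * Returns -RSBAC_EINVALIDVERSION on a version mismatch, -EADDRNOTAVAIL for
 * a rejected @ip, -RSBAC_EREADFAILED / -RSBAC_EWRITEFAILED when an
 * attribute cannot be read / written, the sys_chroot() error if the chroot
 * fails, and otherwise the result of sys_chdir("/") (0 when @path is NULL).
 */
int rsbac_jail_sys_jail(rsbac_version_t version,
                        char *path,
                        rsbac_jail_ip_t ip,
                        rsbac_jail_flags_t flags,
                        rsbac_cap_vector_t max_caps,
                        rsbac_jail_scd_vector_t scd_get,
                        rsbac_jail_scd_vector_t scd_modify)
{
    union rsbac_target_id_t i_tid;
    union rsbac_attribute_value_t i_attr_val1;
    int err = 0;
    int chk_addr_ret;

    if (version != RSBAC_JAIL_VERSION)
        return -RSBAC_EINVALIDVERSION;

    /* Only INADDR_ANY or a local/multicast/broadcast address is accepted. */
    chk_addr_ret = inet_addr_type(ip);
    if (ip != INADDR_ANY &&
        chk_addr_ret != RTN_LOCAL &&
        chk_addr_ret != RTN_MULTICAST &&
        chk_addr_ret != RTN_BROADCAST)
        return -EADDRNOTAVAIL;

    /* Get jail_id for this process */
    i_tid.process = current->pid;
    if (rsbac_get_attr(JAIL, T_PROCESS, i_tid, A_jail_id,
                       &i_attr_val1, TRUE)) {
        rsbac_ds_get_error("rsbac_jail_sys_jail()", A_jail_id);
        return -RSBAC_EREADFAILED;
    }
    if (i_attr_val1.jail_id) {
        /*
         * This process is already in a jail: every requested attribute is
         * limited to what the current jail allows before it is written.
         */
        if (rsbac_get_attr(JAIL, T_PROCESS, i_tid, A_jail_flags,
                           &i_attr_val1, TRUE)) {
            rsbac_ds_get_error("rsbac_jail_sys_jail()", A_jail_flags);
            return -RSBAC_EREADFAILED;
        }
        flags &= i_attr_val1.jail_flags;

        if (rsbac_get_attr(JAIL, T_PROCESS, i_tid, A_jail_scd_get,
                           &i_attr_val1, TRUE)) {
            rsbac_ds_get_error("rsbac_jail_sys_jail()", A_jail_scd_get);
            return -RSBAC_EREADFAILED;
        }
        scd_get &= i_attr_val1.jail_scd_get;

        if (rsbac_get_attr(JAIL, T_PROCESS, i_tid, A_jail_scd_modify,
                           &i_attr_val1, TRUE)) {
            rsbac_ds_get_error("rsbac_jail_sys_jail()", A_jail_scd_modify);
            return -RSBAC_EREADFAILED;
        }
        scd_modify &= i_attr_val1.jail_scd_modify;

        if (rsbac_get_attr(JAIL, T_PROCESS, i_tid, A_jail_ip,
                           &i_attr_val1, TRUE)) {
            rsbac_ds_get_error("rsbac_jail_sys_jail()", A_jail_ip);
            return -RSBAC_EREADFAILED;
        }
        /* A jail bound to an address keeps that address when nesting. */
        if (i_attr_val1.jail_ip)
            ip = i_attr_val1.jail_ip;

        if (rsbac_get_attr(JAIL, T_PROCESS, i_tid, A_jail_max_caps,
                           &i_attr_val1, TRUE)) {
            rsbac_ds_get_error("rsbac_jail_sys_jail()", A_jail_max_caps);
            return -RSBAC_EREADFAILED;
        }
        max_caps &= i_attr_val1.jail_max_caps;
    }

    if (path) {
        mm_segment_t oldfs;
        struct file *file;
        struct files_struct *files = current->files;
        int fd;

        err = sys_chroot(path);
        if (err)
            return err;

        /*
         * sys_chdir() takes its name from user space, but "/" is a kernel
         * string, so the address limit is widened for this one call only
         * and restored immediately afterwards.
         */
        oldfs = get_fs();
        set_fs(KERNEL_DS);
        err = sys_chdir("/");
        set_fs(oldfs);
        /*
         * NOTE(review): err from sys_chdir() is not checked here; it is
         * only returned at the end, after the jail attributes have been
         * written. If the chdir failed, the working directory may still
         * refer to a directory outside the new root - confirm that callers
         * treat a non-zero return as fatal.
         */

        /*
         * Close every directory the process still holds open: an open
         * directory fd from outside the new root could be used to leave
         * it. The lock must be dropped before sys_close(), so the scan
         * starts over from fd 0 after each close.
         *
         * NOTE(review): rsbac_kmalloc(), rsbac_get_full_path() and
         * rsbac_printk() run with files->file_lock held - confirm that
         * none of them can sleep.
         */
restart:
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
        spin_lock(&files->file_lock);
#else
        read_lock(&files->file_lock);
#endif
        for (fd = 0; fd < files->max_fds; fd++) {
            file = files->fd[fd];
            if (file
                && file->f_dentry
                && file->f_dentry->d_inode
                && S_ISDIR(file->f_dentry->d_inode->i_mode)) {
                char *filename;

#ifdef CONFIG_RSBAC_LOG_FULL_PATH
                filename = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + 4);
                if (filename)
                    rsbac_get_full_path(file->f_dentry, filename,
                                        CONFIG_RSBAC_MAX_PATH_LEN);
#else
                filename = rsbac_kmalloc(RSBAC_MAXNAMELEN + 4);
                if (filename)
                    rsbac_get_full_path(file->f_dentry, filename,
                                        RSBAC_MAXNAMELEN);
#endif

                /*
                 * The inode number is cast and printed with %lu so the
                 * conversion matches the argument width on every
                 * architecture. filename may be NULL here if the
                 * allocation failed; the log line is still emitted.
                 */
                rsbac_printk(KERN_INFO
                             "rsbac_jail_sys_jail(): avoid possible chroot breakout by closing open dir fd %u, inode %lu, device %02u:%02u, path %s\n",
                             fd,
                             (unsigned long) file->f_dentry->d_inode->i_ino,
                             MAJOR(file->f_dentry->d_sb->s_dev),
                             MINOR(file->f_dentry->d_sb->s_dev),
                             filename);
                if (filename)
                    rsbac_kfree(filename);

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
                spin_unlock(&files->file_lock);
#else
                read_unlock(&files->file_lock);
#endif
                sys_close(fd);
                goto restart;
            }
        }
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
        spin_unlock(&files->file_lock);
#else
        read_unlock(&files->file_lock);
#endif
    }

    /*
     * Set jail_id for this process.
     *
     * jail_id 0 is the "not in a jail" value (see the jail_id test above),
     * so the counter must never hand it out: step over 0 when it wraps.
     * This assumes rsbac_jail_id_t is an unsigned type - TODO confirm.
     *
     * NOTE(review): next_id is updated without any lock visible in this
     * function, and ids are reused after a wrap; confirm that concurrent
     * callers cannot be given the same id.
     *
     * NOTE(review): jail_id is written first. If a later rsbac_set_attr()
     * fails, the function returns -RSBAC_EWRITEFAILED with the process
     * already carrying the new jail_id but not all of the new attributes.
     */
    i_attr_val1.jail_id = next_id++;
    if (!next_id)
        next_id = 1;
    if (rsbac_set_attr(JAIL, T_PROCESS, i_tid, A_jail_id, i_attr_val1)) {
        rsbac_ds_set_error("rsbac_jail_sys_jail()", A_jail_id);
        return -RSBAC_EWRITEFAILED;
    }

    /* Set jail_ip for this process */
    i_attr_val1.jail_ip = ip;
    if (rsbac_set_attr(JAIL, T_PROCESS, i_tid, A_jail_ip, i_attr_val1)) {
        rsbac_ds_set_error("rsbac_jail_sys_jail()", A_jail_ip);
        return -RSBAC_EWRITEFAILED;
    }

    /* Set jail_flags for this process */
    i_attr_val1.jail_flags = flags;
    if (rsbac_set_attr(JAIL, T_PROCESS, i_tid, A_jail_flags, i_attr_val1)) {
        rsbac_ds_set_error("rsbac_jail_sys_jail()", A_jail_flags);
        return -RSBAC_EWRITEFAILED;
    }

    /* Set jail_max_caps for this process */
    i_attr_val1.jail_max_caps = max_caps;
    if (rsbac_set_attr(JAIL, T_PROCESS, i_tid, A_jail_max_caps,
                       i_attr_val1)) {
        rsbac_ds_set_error("rsbac_jail_sys_jail()", A_jail_max_caps);
        return -RSBAC_EWRITEFAILED;
    }

    /* Set jail_scd_get for this process */
    i_attr_val1.jail_scd_get = scd_get;
    if (rsbac_set_attr(JAIL, T_PROCESS, i_tid, A_jail_scd_get,
                       i_attr_val1)) {
        rsbac_ds_set_error("rsbac_jail_sys_jail()", A_jail_scd_get);
        return -RSBAC_EWRITEFAILED;
    }

    /* Set jail_scd_modify for this process */
    i_attr_val1.jail_scd_modify = scd_modify;
    if (rsbac_set_attr(JAIL, T_PROCESS, i_tid, A_jail_scd_modify,
                       i_attr_val1)) {
        rsbac_ds_set_error("rsbac_jail_sys_jail()", A_jail_scd_modify);
        return -RSBAC_EWRITEFAILED;
    }

    return err;
}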
Definition at line 34 of file jail_syscalls.c. Referenced by rsbac_jail_sys_jail(). |