Re: [RFC] relinquish_fs() syscall

From: Alan Cox
Date: Tue Nov 30 2004 - 09:49:26 EST


On Maw, 2004-11-30 at 14:12, Mitchell Blank Jr wrote:
> > iirc there are anonymous unix sockets...
>
> Ah, I see now -- the sun_path[0]=='\0' code. I'll have to take a look
> at that; probably just need to add a check to prevent jailed processes
> from using those sockets (since they're supposed to be in a "null"
> namespace). Will investigate later this week.

You would probably want a "private" AF_UNIX namespace too. The fact it's
a single namespace for "anonymous" AF_UNIX and the \0 trick is used is
really legacy unix compatibility. Having multiple such namespaces is
certainly doable. It's the same problem as the shared memory, semaphore
and message queue objects have because they fall out of the filesystem
namespace. Posix has fixed these but very few apps use the new forms.

>
> It looks like this is also a weakness in code that currently uses
> chroot("/var/empty"). It's not the end of the world since it still
> requires a cooperating unjailed process on the same host as the jailed
> one to pass in a fd which is quite an obstacle in most scenarios. Still,
> it's something that should be protected against.

Also you need to look at fchdir(). If I accidentally pass you a file
handle to a directory (or maybe to a file in reiser4 world ?) you can
fchdir() out of the chroot.

Alan
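The two hazards discussed in this exchange, worked through as an added example that is not code from either mail: the sun_path[0]=='\0' test that marks an AF_UNIX address as belonging to the shared "abstract" namespace, and a receive-side check for descriptors passed in over SCM_RIGHTS that refuses directory descriptors, since fchdir() on one of those is exactly how a process leaves a chroot. The socketpair(), the policy function and the verdict values are constructed for illustration; Linux/glibc headers are assumed.

```c
/* Added example: abstract AF_UNIX address detection and a jail-side
 * vetting policy for SCM_RIGHTS descriptors. Not from the original mail. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* 1 if the address lives in the abstract namespace (leading NUL byte),
 * 0 for a filesystem path or an unnamed socket (no path bytes at all). */
int is_abstract_unix_addr(const struct sockaddr_un *sa, socklen_t len)
{
    if (sa->sun_family != AF_UNIX)
        return 0;
    if (len <= (socklen_t)offsetof(struct sockaddr_un, sun_path))
        return 0;
    return sa->sun_path[0] == '\0';
}

/* Send one descriptor over a unix socket as SCM_RIGHTS ancillary data. */
int send_fd(int sock, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new fd, or -1 if none arrived. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Hypothetical jail-side policy: 1 = keep the fd, 0 = refused and closed
 * (directory handles would allow fchdir() out of the chroot), -1 = error. */
int jail_vet_fd(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    if (S_ISDIR(st.st_mode)) {
        close(fd);
        return 0;
    }
    return 1;
}

/* Constructed scenario: an "unjailed" side passes a directory fd and a
 * regular-file fd over a socketpair; the "jailed" side vets each one. */
int demo(int *dir_verdict, int *file_verdict)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int dirfd = open("/", O_RDONLY | O_DIRECTORY);
    int filefd = open("/dev/null", O_RDONLY);
    if (dirfd < 0 || filefd < 0)
        return -1;
    if (send_fd(sv[0], dirfd) < 0 || send_fd(sv[0], filefd) < 0)
        return -1;
    int r1 = recv_fd(sv[1]);
    int r2 = recv_fd(sv[1]);
    if (r1 < 0 || r2 < 0)
        return -1;
    *dir_verdict = jail_vet_fd(r1);   /* directory: refused */
    *file_verdict = jail_vet_fd(r2);  /* /dev/null: kept */
    if (*file_verdict == 1)
        close(r2);
    close(dirfd); close(filefd); close(sv[0]); close(sv[1]);
    return 0;
}

int main(void)
{
    int d, f;
    if (demo(&d, &f) < 0) { perror("demo"); return 1; }
    printf("directory fd: %s, file fd: %s\n",
           d == 1 ? "kept" : "refused", f == 1 ? "kept" : "refused");
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    memcpy(addr.sun_path, "\0jail-test", 10);   /* constructed abstract name */
    printf("abstract namespace: %d\n",
           is_abstract_unix_addr(&addr, offsetof(struct sockaddr_un, sun_path) + 10));
    return 0;
}
```

The directory check is the minimum a jail would want on any descriptor it accepts from outside; a stricter policy could also refuse sockets bound in the abstract namespace, which is the separate check the quoted reply proposes, and is_abstract_unix_addr() is the test for that on an address obtained from getsockname() or getpeername().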

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/