[ Home | Liste | F.A.Q. |
Risorse | Cerca... ]
[ Data: precedente | successivo | indice ] [ Argomento: precedente | successivo | indice ]
[ Home | Liste | F.A.Q. |
Risorse | Cerca... ]
Archivio: mlangel@sikurezza.org Soggetto: [PATCH] angel_jail [AngeL-0.9.3] Mittente: Daniele Bellucci Data: 2 Feb 2004 07:22:05 -0000
Hi,
here follows my FreeBSD like jail implementation for AngeL.
First of all let me quickly describe any changes:
- include/angel_sysctl.h:
in the original AngeL CTL_ANGEL value is 9, i replaced with 255
to avoid conflicts with CTL_ABI (in 2.4.24: CTL_ABI=9)
- added the following angel_sys_XXX:
1) angel_sys_chroot (to avoid double chroot)
2) angel_sys_mount (to deny sys_mount to chrooted processes)
3) angel_sys_mknod (to deny sys_mknod to ,, ,, )
4) angel_sys_create_module (to deny module loading to ,, ,, )
5) angel_sys_ptrace (to deny traceing of processes running
on different root directories)
6) angel_sys__sysctl (to deny sys_ctl to chrooted processes)
7) angel_sys_fchdir (to deny fchdir on file descriptors pointing
out the jail where the chrooted process
lives)
- angel_sys_kill has been extended:
a chrooted process cannot send signal to a process outside its "jail"
- angel_jail can be tuned using the following sysctl entries:
chroot: if set to 0 a chrooted process cannot double chroot
mount: if set to 0 a chrooted process cannot mount
mknod: if set to 0 a chrooted process cannout create any special files
insmod: if set to 0 a chrooted process cannot load any kernel module
ptrace_outside: if set to 0 a chrooted process cannot trace a process
living outside its jail
kill_outside: if set to 0 a chrooted process cannot send a signal to a
process living outside its jail
fchdir_outside: if set to 0 a chrooted process cannot fchdir to a
file descriptors pointing out from its jail.
sysctl: if set to 0 a chrooted process cannot issue a sys_sysctl
Paolo, if you like the following patch a can send you a LSM version
for a2.
BTW commets/feedback/suggestion/"insultation" ( :)) ) are really wellcome!
Here follows my patch:
diff -urNp -X angel-dontdiff AngeL-0.9.3.orig/include/angel_host.h AngeL-0.9.3/include/angel_host.h
--- AngeL-0.9.3.orig/include/angel_host.h 2004-01-30 22:38:01.000000000 +0100
+++ AngeL-0.9.3/include/angel_host.h 2004-01-31 17:02:42.000000000 +0100
@@ -10,6 +10,7 @@
#include "angel_sniffing.h"
#include "angel_buffer_overrun.h"
#include "angel_syscall.h"
+#include "angel_jail.h"
/*
* Questo deve essere raggruppato in una struct prima o poi
diff -urNp -X angel-dontdiff AngeL-0.9.3.orig/include/angel_jail.h AngeL-0.9.3/include/angel_jail.h
--- AngeL-0.9.3.orig/include/angel_jail.h 1970-01-01 01:00:00.000000000 +0100
+++ AngeL-0.9.3/include/angel_jail.h 2004-01-31 17:02:42.000000000 +0100
@@ -0,0 +1,25 @@
+#ifndef _ANGEL_JAIL_
+#define _ANGEL_JAIL_
+
+#include <linux/fs.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
+
+
+extern int angel_jail_kill(pid_t);
+extern int root_inode_differ(struct task_struct *, struct task_struct *);
+extern int is_task_chrooted(struct task_struct *);
+extern int attempt_to_escape(int, struct task_struct *);
+#define is_current_chrooted is_task_chrooted(current)
+
+
+extern int angel_sys_chroot(const char * );
+extern int angel_sys_mount(const char *, const char*, const char *,
+ unsigned long, const void *);
+extern int angel_sys_mknod(const char*, int, dev_t);
+extern unsigned long angel_sys_create_module(const char *, size_t);
+extern int angel_sys_ptrace(long, long, long, long);
+extern long angel_sys_fchdir(unsigned int);
+extern long angel_sys_delete_module(const char *);
+extern long angel_sys__sysctl(struct __sysctl_args *args);
+#endif /*_ANGEL_JAIL_ */
diff -urNp -X angel-dontdiff AngeL-0.9.3.orig/include/angel_syscall.h AngeL-0.9.3/include/angel_syscall.h
--- AngeL-0.9.3.orig/include/angel_syscall.h 2004-01-30 22:38:01.000000000 +0100
+++ AngeL-0.9.3/include/angel_syscall.h 2004-01-31 17:05:46.000000000 +0100
@@ -26,6 +26,7 @@
#include <linux/timer.h>
#include <linux/smp_lock.h>
#include <asm/desc.h>
+#include <linux/sysctl.h>
#ifndef LINUX_VERSION_CODE
# include <linux/version.h>
@@ -88,6 +89,27 @@ typedef unsigned long Fnv32_t;
#ifdef __NR_brk
# define HAVE_SYS_BRK
#endif
+#ifdef __NR_chroot
+# define HAVE_SYS_CHROOT
+#endif
+#ifdef __NR_mount
+# define HAVE_SYS_MOUNT
+#endif
+#ifdef __NR_mknod
+# define HAVE_SYS_MKNOD
+#endif
+#ifdef __NR_create_module
+# define HAVE_SYS_CREATE_MODULE
+#endif
+#ifdef __NR_ptrace
+# define HAVE_SYS_PTRACE
+#endif
+#ifdef __NR_fchdir
+# define HAVE_SYS_FCHDIR
+#endif
+#ifdef __NR__sysctl
+# define HAVE_SYS_SYSCTL
+#endif
#ifdef __NR_execve
//# define HAVE_SYS_EXECVE
#endif
@@ -139,15 +161,23 @@ void *angel_syscall_tab
struct hijacked_struct {
- long (*orig_sys_exit) (int);
- int (*orig_sys_fork) (struct pt_regs);
- int (*orig_sys_vfork) (struct pt_regs);
- int (*orig_sys_clone) (struct pt_regs);
- int (*orig_sys_kill) (int, int);
- int (*orig_sys_socketcall)(int call, unsigned long *args);
- int (*orig_sys_ioctl) (int sd, int cmd, unsigned long arg);
- int (*orig_sys_brk) (unsigned long brk);
- int (*orig_sys_execve) (struct pt_regs regs);
+ long (*orig_sys_exit) (int);
+ int (*orig_sys_fork) (struct pt_regs);
+ int (*orig_sys_vfork) (struct pt_regs);
+ int (*orig_sys_clone) (struct pt_regs);
+ int (*orig_sys_kill) (int, int);
+ int (*orig_sys_socketcall) (int call, unsigned long *args);
+ int (*orig_sys_ioctl) (int sd, int cmd, unsigned long arg);
+ int (*orig_sys_brk) (unsigned long brk);
+ int (*orig_sys_chroot) (const char *);
+ int (*orig_sys_execve) (struct pt_regs regs);
+ int (*orig_sys_mount) (const char*, const char*, const char*,
+ unsigned long, const void*);
+ int (*orig_sys_mknod) (const char*, int, dev_t);
+ long (*orig_sys_create_module) (const char *, size_t size);
+ int (*orig_sys_ptrace) (long, long, long, long);
+ long (*orig_sys_fchdir) (unsigned int);
+ long (*orig_sys__sysctl) (struct __sysctl_args *);
};
@@ -301,6 +331,97 @@ do {
#endif /* HAVE_SYS_CLONE */
+#ifdef HAVE_SYS_CHROOT
+# define __ANGEL_SYS_CHROOT
+# define __ANGEL_SYS_CHROOT_BYTES 120
+# define INIT_CHROOT_ENTRY INIT_FN_TABLE_ENTRY(chroot, __ANGEL_SYS_CHROOT_BYTES)
+# define HIJACK_CHROOT HIJACK(chroot)
+# define RESUME_CHROOT RESUME(chroot)
+#else
+# define INIT_CHROOT_ENTRY do {} while(0)
+# define HIJACK_CHROOT do {} while(0)
+# define RESUME_CHROOT do {} while(0)
+#endif /* HAVE_SYS_CHROOT */
+
+
+#ifdef HAVE_SYS_MOUNT
+# define __ANGEL_SYS_MOUNT
+# define __ANGEL_SYS_MOUNT_BYTES 132
+# define INIT_MOUNT_ENTRY INIT_FN_TABLE_ENTRY(mount, __ANGEL_SYS_MOUNT_BYTES)
+# define HIJACK_MOUNT HIJACK(mount)
+# define RESUME_MOUNT RESUME(mount)
+#else
+# define INIT_MOUNT_ENTRY do {} while(0)
+# define HIJACK_MOUNT do {} while(0)
+# define RESUME_MOUNT do {} while(0)
+#endif /* HAVE_SYS_MOUNT */
+
+
+#ifdef HAVE_SYS_MKNOD
+# define __ANGEL_SYS_MKNOD
+# define __ANGEL_SYS_MKNOD_BYTES 132
+# define INIT_MKNOD_ENTRY INIT_FN_TABLE_ENTRY(mknod, __ANGEL_SYS_MKNOD_BYTES)
+# define HIJACK_MKNOD HIJACK(mknod)
+# define RESUME_MKNOD RESUME(mknod)
+#else
+# define INIT_MKNOD_ENTRY do {} while(0)
+# define HIJACK_MKNOD do {} while(0)
+# define RESUME_MKNOD do {} while(0)
+#endif /* HAVE_SYS_MKNOD */
+
+
+#ifdef HAVE_SYS_CREATE_MODULE
+# define __ANGEL_SYS_CREATE_MODULE
+# define __ANGEL_SYS_CREATE_MODULE_BYTES 124
+# define INIT_CREATE_MODULE_ENTRY INIT_FN_TABLE_ENTRY(create_module, __ANGEL_SYS_CREATE_MODULE_BYTES)
+# define HIJACK_CREATE_MODULE HIJACK(create_module)
+# define RESUME_CREATE_MODULE RESUME(create_module)
+#else
+# define INIT_CREATE_MODULE_ENTRY do {} while(0)
+# define HIJACK_CREATE_MODULE do {} while(0)
+# define RESUME_CREATE_MODULE do {} while(0)
+#endif /* HAVE_SYS_CREATE_MODULE */
+
+
+#ifdef HAVE_SYS_PTRACE
+# define __ANGEL_SYS_PTRACE
+# define __ANGEL_SYS_PTRACE_BYTES 236
+# define INIT_PTRACE_ENTRY INIT_FN_TABLE_ENTRY(ptrace, __ANGEL_SYS_PTRACE_BYTES)
+# define HIJACK_PTRACE HIJACK(ptrace)
+# define RESUME_PTRACE RESUME(ptrace)
+#else
+# define INIT_PTRACE_ENTRY do {} while(0)
+# define HIJACK_PTRACE do {} while(0)
+# define RESUME_PTRACE do {} while(0)
+#endif /* HAVE_SYS_PTRACE */
+
+
+#ifdef HAVE_SYS_FCHDIR
+# define __ANGEL_SYS_FCHDIR
+# define __ANGEL_SYS_FCHDIR_BYTES 96
+# define INIT_FCHDIR_ENTRY INIT_FN_TABLE_ENTRY(fchdir, __ANGEL_SYS_FCHDIR_BYTES)
+# define HIJACK_FCHDIR HIJACK(fchdir)
+# define RESUME_FCHDIR RESUME(fchdir)
+#else
+# define INIT_FCHDIR_ENTRY do {} while(0)
+# define HIJACK_FCHDIR do {} while(0)
+# define RESUME_FCHDIR do {} while(0)
+#endif /* HAVE_SYS_FCHDIR */
+
+
+#ifdef HAVE_SYS_SYSCTL
+# define __ANGEL_SYS_SYSCTL
+# define __ANGEL_SYS_SYSCTL_BYTES 118
+# define INIT_SYSCTL_ENTRY INIT_FN_TABLE_ENTRY(_sysctl, __ANGEL_SYS_SYSCTL_BYTES)
+# define HIJACK_SYSCTL HIJACK(_sysctl)
+# define RESUME_SYSCTL RESUME(_sysctl)
+#else
+# define INIT_SYSCTL_ENTRY do {} while(0)
+# define HIJACK_SYSCTL do {} while(0)
+# define RESUME_SYSCTL do {} while(0)
+#endif /* HAVE_SYS_SYSCTL */
+
+
#ifdef HAVE_SYS_VFORK
# define __ANGEL_SYS_VFORK
# define __ANGEL_SYS_VFORK_BYTES 36
@@ -317,45 +438,66 @@ do {
unsigned long address;
extern void *sys_call_table[];
-#define INIT_FN_TABLE \
-do { \
- INIT_EXIT_ENTRY; \
- INIT_FORK_ENTRY; \
- INIT_EXECVE_ENTRY; \
- INIT_KILL_ENTRY; \
- INIT_BRK_ENTRY; \
- INIT_IOCTL_ENTRY; \
- INIT_SOCKETCALL_ENTRY; \
- INIT_CLONE_ENTRY; \
- INIT_VFORK_ENTRY; \
+#define INIT_FN_TABLE \
+do { \
+ INIT_EXIT_ENTRY; \
+ INIT_FORK_ENTRY; \
+ INIT_EXECVE_ENTRY; \
+ INIT_KILL_ENTRY; \
+ INIT_BRK_ENTRY; \
+ INIT_IOCTL_ENTRY; \
+ INIT_SOCKETCALL_ENTRY; \
+ INIT_CLONE_ENTRY; \
+ INIT_VFORK_ENTRY; \
+ INIT_CHROOT_ENTRY; \
+ INIT_MOUNT_ENTRY; \
+ INIT_MKNOD_ENTRY; \
+ INIT_CREATE_MODULE_ENTRY; \
+ INIT_PTRACE_ENTRY; \
+ INIT_FCHDIR_ENTRY; \
+ INIT_SYSCTL_ENTRY; \
} while(0)
-#define SAVE_ORIG_SYS_CALLS \
-do { \
- HIJACK_EXIT; \
- HIJACK_FORK; \
- HIJACK_EXECVE; \
- HIJACK_KILL; \
- HIJACK_BRK; \
- HIJACK_IOCTL; \
- HIJACK_SOCKETCALL; \
- HIJACK_CLONE; \
- HIJACK_VFORK; \
+#define SAVE_ORIG_SYS_CALLS \
+do { \
+ HIJACK_EXIT; \
+ HIJACK_FORK; \
+ HIJACK_EXECVE; \
+ HIJACK_KILL; \
+ HIJACK_BRK; \
+ HIJACK_IOCTL; \
+ HIJACK_SOCKETCALL; \
+ HIJACK_CLONE; \
+ HIJACK_VFORK; \
+ HIJACK_CHROOT; \
+ HIJACK_MOUNT; \
+ HIJACK_MKNOD; \
+ HIJACK_CREATE_MODULE; \
+ HIJACK_PTRACE; \
+ HIJACK_FCHDIR; \
+ HIJACK_SYSCTL; \
} while(0)
-#define RESUME_ORIG_SYS_CALLS \
-do { \
- RESUME_EXIT; \
- RESUME_FORK; \
- RESUME_EXECVE; \
- RESUME_KILL; \
- RESUME_BRK; \
- RESUME_IOCTL; \
- RESUME_SOCKETCALL; \
- RESUME_CLONE; \
- RESUME_VFORK; \
+#define RESUME_ORIG_SYS_CALLS \
+do { \
+ RESUME_EXIT; \
+ RESUME_FORK; \
+ RESUME_EXECVE; \
+ RESUME_KILL; \
+ RESUME_BRK; \
+ RESUME_IOCTL; \
+ RESUME_SOCKETCALL; \
+ RESUME_CLONE; \
+ RESUME_VFORK; \
+ RESUME_CHROOT; \
+ RESUME_MOUNT; \
+ RESUME_MKNOD; \
+ RESUME_CREATE_MODULE; \
+ RESUME_PTRACE; \
+ RESUME_FCHDIR; \
+ RESUME_SYSCTL; \
} while(0)
diff -urNp -X angel-dontdiff AngeL-0.9.3.orig/include/angel_sysctl.h AngeL-0.9.3/include/angel_sysctl.h
--- AngeL-0.9.3.orig/include/angel_sysctl.h 2004-01-30 22:38:01.000000000 +0100
+++ AngeL-0.9.3/include/angel_sysctl.h 2004-01-31 17:02:42.000000000 +0100
@@ -1,9 +1,15 @@
#define __NO_VERSION__
#include "angel.h"
+#include "angel_jail.h"
#include "angel_version.h"
// #include "angel_stats.h"
-#define CTL_ANGEL 9
+#define CTL_ANGEL 255
+
+enum {
+ ANGEL_JAIL = 1,
+};
+
enum {
ANGEL_VERSION_INFO = 1,
@@ -15,9 +21,9 @@ enum {
ANGEL_HOST_UPTIME = 7,
ANGEL_NET_STATS = 8,
ANGEL_NET_UPTIME = 9,
- ANGEL_SECURE_LEVEL = 10
-
+ ANGEL_SECURE_LEVEL = 10,
+
/*
ANGEL_DL = 2,
ANGEL_LOG = 3,
@@ -25,6 +31,30 @@ enum {
*/
};
+
+enum {
+ ANGEL_JAIL_DOUBLECHROOT = 1,
+ ANGEL_JAIL_MOUNT = 2,
+ ANGEL_JAIL_MKNOD = 3,
+ ANGEL_JAIL_INSMOD = 4,
+ ANGEL_JAIL_PTRACE_OUTSIDE = 5,
+ ANGEL_JAIL_KILL_OUTSIDE = 6,
+ ANGEL_JAIL_FCHDIR_OUTSIDE = 7,
+ ANGEL_JAIL_SYSCTL = 8
+};
+
+
+/* from modules/host/angel_jail.c */
+extern int angel_jail_doublechroot;
+extern int angel_jail_mount;
+extern int angel_jail_mknod;
+extern int angel_jail_insmod;
+extern int angel_jail_ptrace_outside;
+extern int angel_jail_kill_outside;
+extern int angel_jail_fchdir_outside;
+extern int angel_jail_sysctl;
+
+
char angel_version[] = ANGEL_VERSION;
char angel_build[] = BUILD;
char angel_codename[] = CODENAME;
@@ -85,6 +115,27 @@ ctl_table net_entry[] = {
{ 0 },
};
+
+ctl_table jail_entry[] = {
+ { ANGEL_JAIL_DOUBLECHROOT, "double_chroot",
+ &angel_jail_doublechroot, sizeof(int), 0644, NULL, &proc_dointvec },
+ { ANGEL_JAIL_MOUNT, "mount",
+ &angel_jail_mount, sizeof(int), 0644, NULL, &proc_dointvec },
+ { ANGEL_JAIL_MKNOD, "mknod",
+ &angel_jail_mknod, sizeof(int), 0644, NULL, &proc_dointvec },
+ { ANGEL_JAIL_INSMOD, "insmod",
+ &angel_jail_insmod, sizeof(int), 0644, NULL, &proc_dointvec },
+ { ANGEL_JAIL_PTRACE_OUTSIDE, "ptrace_outside",
+ &angel_jail_ptrace_outside, sizeof(int), 0644, NULL, &proc_dointvec },
+ { ANGEL_JAIL_KILL_OUTSIDE, "kill_outside",
+ &angel_jail_kill_outside, sizeof(int), 0644, NULL, &proc_dointvec },
+ { ANGEL_JAIL_FCHDIR_OUTSIDE, "fchdir_outside",
+ &angel_jail_fchdir_outside, sizeof(int), 0644, NULL, &proc_dointvec},
+ { ANGEL_JAIL_SYSCTL, "sysctl" ,
+ &angel_jail_sysctl, sizeof(int), 0644, NULL, &proc_dointvec},
+ { 0 },
+};
+
ctl_table angel_sysctl_entry[] = {
{ ANGEL_VERSION_INFO, "version",
angel_version, 20*sizeof(char), 0444, NULL,
@@ -110,6 +161,7 @@ ctl_table angel_sysctl_entry[] = {
{ ANGEL_NET_STATS, "net_stats",
angel_net_stats.NetStats, NET_STATS * sizeof(unsigned long), 0444, NULL,
&proc_dointvec },
+ { ANGEL_JAIL, "jail", NULL, 0, 0555, jail_entry, NULL},
{ 0 },
};
diff -urNp -X angel-dontdiff AngeL-0.9.3.orig/src/modules/host/angel_execve.c AngeL-0.9.3/src/modules/host/angel_execve.c
--- AngeL-0.9.3.orig/src/modules/host/angel_execve.c 2004-01-30 22:38:01.000000000 +0100
+++ AngeL-0.9.3/src/modules/host/angel_execve.c 2004-01-31 17:02:42.000000000 +0100
@@ -24,6 +24,7 @@
#define HOST_MODULE
#define SHOW_FAULT_REG
#include "angel.h"
+#include "angel_jail.h"
#include <linux/smp_lock.h>
#include <linux/slab.h>
@@ -219,6 +220,17 @@ int angel_sys_execve (struct pt_regs reg
*/
int __angel_sys_kill(pid_t pid, int sig)
{
+ /* Forbid to send a signal out from the jail */
+ if (angel_jail_kill(pid)) {
+ PLOG_INFO_VERBOSE("[angel] %s [uid:%d pid:%d] %s.\n",
+ current->comm,
+ current->uid,
+ current->pid,
+ "attempt to send signal outside the jail");
+ return -EPERM;
+ }
+
+
/* we trap only the SIGSEGV and SIGILL */
if ((do_siglog == NO) && ((sig != SIGSEGV) && (sig != SIGILL)))
diff -urNp -X angel-dontdiff AngeL-0.9.3.orig/src/modules/host/angel_jail.c AngeL-0.9.3/src/modules/host/angel_jail.c
--- AngeL-0.9.3.orig/src/modules/host/angel_jail.c 1970-01-01 01:00:00.000000000 +0100
+++ AngeL-0.9.3/src/modules/host/angel_jail.c 2004-01-31 17:02:42.000000000 +0100
@@ -0,0 +1,286 @@
+/*
+ * angel_jail - A safe place for chrooted processes.
+ *
+ * Copyright (C) 2004 - BelcH <belch@xxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+
+
+#define __NO_VERSION__
+#define HOST_MODULE
+#define NOATTACK -12
+
+#include "angel.h"
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
+
+
+/* angel_jail sysctl entries */
+static int angel_jail_doublechroot; /* enable double chroot */
+static int angel_jail_mount; /* enable mount from a jail */
+static int angel_jail_mknod; /* enable mknod from a jail */
+static int angel_jail_insmod; /* enable insmod from a jail */
+static int angel_jail_ptrace_outside; /* enable to trace outside a jail */
+static int angel_jail_kill_outside; /* enable to signal outside a jail */
+static int angel_jail_fchdir_outside; /* enable fchdir outside the jail */
+static int angel_jail_sysctl; /* enable sys_sysctl from the jail */
+
+
+/* root_inode_differ - compare the root inode of two task(t,p)
+ * This function return a positive number if they
+ * differ, zero otherwise.
+ */
+int root_inode_differ(struct task_struct *t, struct task_struct *p)
+{
+ int retval;
+ struct dentry *t_root, *p_root;
+
+ if (t == NULL || p == NULL)
+ return 0;
+
+ read_lock(t->fs->lock);
+ read_lock(p->fs->lock);
+ t_root = dget(t->fs->root);
+ p_root = dget(p->fs->root);
+ retval = ((t_root->d_inode->i_dev != p_root->d_inode->i_dev) ||
+ (t_root->d_inode->i_ino != p_root->d_inode->i_ino));
+ dput(t->fs->root);
+ dput(p->fs->root);
+ read_unlock(t->fs->lock);
+ read_unlock(p->fs->lock);
+ return retval;
+}
+
+
+/* is_task_chroot - checks if the given process is chrooted, by comparing
+ * its root inode with the init one.
+ */
+int is_task_chrooted(struct task_struct *t)
+{
+ struct task_struct *init;
+ int retval;
+
+ read_lock(&tasklist_lock);
+ init = find_task_by_pid(1);
+ retval = root_inode_differ(init, t);
+ read_unlock(&tasklist_lock);
+ return retval;
+}
+
+
+/* angel_jail_kill - check if current process is attempting to send
+ * a signal to a process with different root inode.
+ */
+int angel_jail_kill(pid_t pid)
+{
+ int retval;
+ struct task_struct *task_dest;
+
+ retval = 0;
+ if (angel_jail_kill_outside)
+ return retval;
+
+ read_lock(&tasklist_lock);
+ task_dest = find_task_by_pid(pid);
+ if (root_inode_differ(current, task_dest)) {
+ retval = -EPERM;
+ }
+ read_unlock(&tasklist_lock);
+ return retval;
+}
+
+
+/* attempt_to_escape - check if current process is attempting to
+ * escape by using a file descriptor pointint
+ * out to the jail.
+ */
+int attempt_to_escape(int fd, struct task_struct *task)
+{
+ int retval;
+ struct file *file;
+ struct dentry *init_root, *task_root, *dentry;
+ struct vfsmount *mnt;
+ struct task_struct *init;
+
+ if (likely(!is_task_chrooted(current))) {
+ return 0;
+ }
+
+ if (unlikely(angel_jail_fchdir_outside)) {
+ return 0;
+ }
+
+ file = fget(fd);
+ if (!file) {
+ return -EINVAL;
+ }
+
+ read_lock(&tasklist_lock);
+ init = find_task_by_pid(1);
+ read_unlock(&tasklist_lock);
+
+ read_lock(&init->fs->lock);
+ init_root = dget(init->fs->root);
+ read_unlock(&init->fs->lock);
+
+ read_lock(&task->fs->lock);
+ task_root = dget(task->fs->root);
+ read_unlock(&task->fs->lock);
+
+ spin_lock(&dcache_lock);
+ dentry = file->f_dentry;
+ mnt = file->f_vfsmnt;
+ retval = 0;
+ while (dentry != init_root && dentry != task_root) {
+ if (dentry == mnt->mnt_root) {
+ mnt = mnt->mnt_parent;
+ dentry = mnt->mnt_mountpoint;
+ } else {
+ dentry = dentry->d_parent;
+ }
+ }
+ if (unlikely(dentry == init_root)) {
+ retval = 1;
+ }
+ spin_unlock(&dcache_lock);
+
+ dput(init->fs->root);
+ dput(task->fs->root);
+ fput(file);
+ return retval;
+}
+
+
+int angel_sys_chroot(const char *filename)
+{
+ if (unlikely(!angel_jail_doublechroot && is_current_chrooted)) {
+ PLOG_INFO_VERBOSE("[angel] %s [uid:%d pid:%d] %s.\n",
+ current->comm,
+ current->uid,
+ current->pid,
+ "attempt to double chroot");
+ return -EPERM;
+ }
+
+ return(ORIG_SYS_CALL(chroot)(filename));
+}
+
+
+
+
+int angel_sys_mount(const char *source, const char *target, const char *type,
+ unsigned long mountflags, const void *data)
+{
+ if (unlikely(!angel_jail_mount && is_current_chrooted)) {
+ PLOG_INFO_VERBOSE("[angel] %s [uid:%d pid:%d] %s.\n",
+ current->comm,
+ current->uid,
+ current->pid,
+ "attempt to mount from jail");
+ return -EPERM;
+ }
+ return(ORIG_SYS_CALL(mount)(source, target, type, mountflags, data));
+}
+
+
+
+
+int angel_sys_mknod(const char *filename, int mode, dev_t dev)
+{
+ if (unlikely(!angel_jail_mknod && is_current_chrooted)) {
+ PLOG_INFO_VERBOSE("[angel] %s [uid:%d pid:%d] %s.\n",
+ current->comm,
+ current->uid,
+ current->pid,
+ "attempt to create a special file");
+ return -EPERM;
+ }
+ return(ORIG_SYS_CALL(mknod)(filename, mode, dev));
+}
+
+
+
+
+unsigned long angel_sys_create_module(const char *name_user, size_t size)
+{
+ if (unlikely(!angel_jail_insmod && is_current_chrooted)) {
+ PLOG_INFO_VERBOSE("[angel] %s [uid:%d pid:%d] %s.\n",
+ current->comm, current->uid, current->pid,
+ "attempt to load a kernel module");
+ return -EPERM;
+ }
+ return(ORIG_SYS_CALL(create_module)(name_user, size));
+}
+
+
+
+
+int angel_sys_ptrace(long request, long pid, long addr, long data)
+{
+ struct task_struct *t;
+ if (unlikely(!angel_jail_ptrace_outside && is_current_chrooted)) {
+ read_lock(&tasklist_lock);
+ t = find_task_by_pid(pid);
+ if (!t) {
+ read_unlock(&tasklist_lock);
+ return -ESRCH;
+ }
+
+ if (unlikely(root_inode_differ(t, current))) {
+ PLOG_INFO_VERBOSE("[angel] %s [uid:%d pid:%d] %s%s.\n",
+ current->comm,
+ current->uid,
+ current->pid,
+ "attempt to ptrace process: ",
+ t->comm);
+ read_unlock(&tasklist_lock);
+ return -EPERM;
+ }
+ read_unlock(&tasklist_lock);
+ }
+ return(ORIG_SYS_CALL(ptrace)(request, pid, addr, data));
+}
+
+
+long angel_sys_fchdir(unsigned int fd)
+{
+ if (unlikely(attempt_to_escape(fd, current))) {
+ PLOG_INFO_VERBOSE("[angel] %s [uid:%d pid:%d] %s.\n",
+ current->comm,
+ current->uid,
+ current->pid,
+ "attempt fchdir outside the jail");
+ return -EPERM;
+ }
+ return(ORIG_SYS_CALL(fchdir)(fd));
+}
+
+
+long angel_sys__sysctl(struct __sysctl_args *args)
+{
+ if (unlikely(!angel_jail_sysctl && is_current_chrooted)) {
+ PLOG_INFO_VERBOSE("[angel] %s [uid:%d pid:%d] %s.\n",
+ current->comm,
+ current->uid,
+ current->pid,
+ "attempt to call sys_sysctl");
+ return -EPERM;
+ }
+ return(ORIG_SYS_CALL(_sysctl)(args));
+}
diff -urNp -X angel-dontdiff AngeL-0.9.3.orig/src/modules/host/Makefile AngeL-0.9.3/src/modules/host/Makefile
--- AngeL-0.9.3.orig/src/modules/host/Makefile 2004-01-30 22:38:01.000000000 +0100
+++ AngeL-0.9.3/src/modules/host/Makefile 2004-01-31 17:02:42.000000000 +0100
@@ -37,7 +37,7 @@ CC = gcc
OBJS = engine.o angel_fork_bomb.o angel_sniffing.o \
angel_malloc_bomb.o \
-angel_execve.o angel_syscall.o angel_memory.o
+angel_execve.o angel_syscall.o angel_memory.o angel_jail.o
#angel_host_info.o \
--
Daniele.
"I could have made money this way, and perhaps amused myself writing code.
But I knew that at the end of my career, I would look back on years of
building walls to divide people, and feel I had spent my life making the
world a worse place."
Richard Stallman
________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
[ Home | Liste | F.A.Q. |
Risorse | Cerca... ]
www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005