This patch checks for open fds to directories when a non-root user tries to
chroot, and does not allow that user to chroot if the application has an open
fd to a directory, because the application has an escape path with that fd.

Signed-off-by: Tal Tchwella <tchwe...@mit.edu>
---
 fs/open.c |   24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/fs/open.c b/fs/open.c
index 82832d8..6dc6443 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -426,6 +426,30 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
 {
        struct path path;
        int error;
+       struct files_struct *current_files;
+       struct fdtable *files_table;
+       int i = 0;
+
+       error = -EPERM;
+       /*
+        * Checks to see if there are open file descriptors to directories
+        * when a user that does not have the chroot capability
+        * tries to chroot. Since chroot is availble to all users,
+        * want to eliminate ways to break out. The second part
+        * of the if statement, is true by default,
+        * since during the initilization of the kernel, it
+        * goes into chroot mode.
+        */
+       if (!capable(CAP_SYS_CHROOT) && current->user_chroot != CHROOT_INIT) {
+               current_files = current->files;
+               files_table = files_fdtable(current_files);
+               while (files_table->fd[i] != NULL) {
+                       if (S_ISDIR(files_table->fd[i]->
+                               f_dentry->d_inode->i_mode))
+                                        goto out;
+                       i++;
+               }
+       }
 
        error = user_path_dir(filename, &path);
        if (error)
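Review bot: The scan at `while (files_table->fd[i] != NULL)` stops at the first unused descriptor slot, so a directory descriptor numbered above any gap in the table is never examined, and with no bound on `i` the loop can index past the end of the array when every slot is in use. The table is also read without `rcu_read_lock()` or `files->file_lock`, so a resize or close from a thread sharing the files_struct can leave `files_table` or a `struct file` pointer stale while it is being dereferenced. I would walk every slot up to `max_fds` under the lock and skip NULL entries, as sketched below; even then the result is only a snapshot when the table is shared, which deserves a comment. The `out` label and the rest of the chroot body are outside this hunk, so I am assuming `out` does not call `path_put()` on the still-uninitialised `path`.

```c
        /* … unchanged: path and error declarations, error = -EPERM, explanatory comment … */
        if (!capable(CAP_SYS_CHROOT) && current->user_chroot != CHROOT_INIT) {
                struct files_struct *files = current->files;
                struct fdtable *fdt;
                unsigned int fd;
                bool has_dir_fd = false;

                /* file_lock keeps the fdtable and its entries stable during the walk */
                spin_lock(&files->file_lock);
                fdt = files_fdtable(files);
                for (fd = 0; fd < fdt->max_fds; fd++) {
                        struct file *file = fdt->fd[fd];

                        /* unused slots are NULL; keep scanning past them */
                        if (file && S_ISDIR(file->f_dentry->d_inode->i_mode)) {
                                has_dir_fd = true;
                                break;
                        }
                }
                spin_unlock(&files->file_lock);

                if (has_dir_fd)
                        goto out;
        }
```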
-- 
1.7.9.5
