Date: Sun, 27 Mar 2011 19:05:46 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: sysfs facility

Solar, all - 

I've written a draft version of a sysfs facility for owl-control to restrict
access to the contents of the sysfs mount point.  It has only 2 modes - public
(currently implemented in every distro) and restricted.  It lacks
a group restriction.

The same works for procfs (e.g. to fix numerous ASLR infoleaks,
prevent exploitation of CVE-2011-1020, or just to restrict ps(1)).

root@...nshilla:~# control sysfs
public
root@...nshilla:~# control sysfs list
public restricted
root@...nshilla:~# ls -ld /sys
drwxr-xr-x 12 root root 0 2011-03-27 13:18 /sys
root@...nshilla:~# control sysfs restricted
root@...nshilla:~# ls -ld /sys
lrwxrwxrwx 1 root root 22 2011-03-27 18:57 /sys -> /var/run/mnt-sysfs/sys
root@...nshilla:~# ls -ld /var/run/mnt-sysfs/sys
drwxr-xr-x 12 root root 0 2011-03-27 13:18 /var/run/mnt-sysfs/sys
root@...nshilla:~# ls -ld /var/run/mnt-sysfs/
drwx------ 3 root root 60 2011-03-27 18:57 /var/run/mnt-sysfs/
root@...nshilla:~# su - vasya
vasya@...nshilla:~$ ls /sys
ls: cannot access /sys: Permission denied

root@...nshilla:~# control sysfs public
root@...nshilla:~# ls -ld /sys
drwxr-xr-x 12 root root 0 2011-03-27 13:18 /sys
root@...nshilla:~# su - vasya
vasya@...nshilla:~$ ls -ld /sys
drwxr-xr-x 12 root root 0 2011-03-27 13:18 /sys


#!/bin/bash

. /etc/control.d/functions

MNT_ORIG=/sys
MNT_RESTRIC=/var/run/mnt-sysfs/sys
MNT_TYPE=sysfs
NAME_LIST="public restricted"

#TODO: maybe create group u_sysfs?

# Current mount point of the filesystem (3rd field of mount(8) output).
# The comparisons below assume a single mounted instance.
MNT_CUR=$(mount | grep "type $MNT_TYPE" | cut -d' ' -f3)

case "$*" in
list)
    echo "$NAME_LIST"
    ;;
status|'')
    # In restricted mode $MNT_ORIG is a symlink into the 0700 directory.
    if [ -h "$MNT_ORIG" ]; then
        echo restricted
    else
        echo public
    fi
    ;;
public)
    if [ "$MNT_CUR" = "$MNT_ORIG" ]; then
        exit 0
    else
        # Only replace $MNT_ORIG if it is our symlink or does not exist.
        [ -h "$MNT_ORIG" ] || [ ! -e "$MNT_ORIG" ] || exit 1
        rm -f "$MNT_ORIG"
        mkdir -p -m755 "$MNT_ORIG" || exit 1
        if [ -n "$MNT_CUR" ]; then
            mount --move "$MNT_CUR" "$MNT_ORIG" || exit 1
        fi
    fi
    ;;
restricted)
    if [ "$MNT_CUR" = "$MNT_RESTRIC" ]; then
        exit 0
    else
        # umask 0077 makes the parent directories created by mkdir -p
        # accessible to root only.
        umask 0077
        mkdir -p -m700 "$MNT_RESTRIC" || exit 1
        if [ -n "$MNT_CUR" ]; then
            mount --move "$MNT_ORIG" "$MNT_RESTRIC" || exit 1
        fi
        # Replace the now-empty mount point with a symlink to the new place.
        if [ -z "$(ls "$MNT_ORIG")" ]; then
            rmdir "$MNT_ORIG" || exit 1
            ln -s "$MNT_RESTRIC" "$MNT_ORIG" || exit 1
        else
            exit 1
        fi
    fi
    ;;
esac


-- 
Vasiliy
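
The restricted mode shown above depends on the 0700 parent directory, so any other sysfs instance mounted outside it (for example inside a chroot) stays readable. The following check is an added example, not part of the original post or of owl-control; the function names, the ROOT parameter and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find sysfs mounts that an
# unprivileged user can still reach after "control sysfs restricted".

# other_can_traverse DIR: true if DIR is a directory with the o+x (search) bit.
other_can_traverse() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        d????????[xt]) return 0 ;;
        *) return 1 ;;
    esac
}

# reachable_by_others ROOT PATH: true if every directory from ROOT down to
# PATH is searchable by "other", i.e. nothing like a 0700 parent blocks it.
reachable_by_others() {
    cur=$1; path=$2
    old_ifs=$IFS; IFS=/
    set -f; set -- $path; set +f   # split PATH on "/" without globbing
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        other_can_traverse "$cur" || return 1
    done
    return 0
}

# exposed_sysfs_mounts MOUNTS_FILE [ROOT]: print each exposed sysfs mount point.
# MOUNTS_FILE uses the /proc/mounts layout: device mountpoint fstype options ...
# ROOT (hypothetical parameter) prefixes every path so a test tree can be used.
exposed_sysfs_mounts() {
    awk '$3 == "sysfs" { print $2 }' "$1" | while read -r mp; do
        if reachable_by_others "${2:-}" "$mp"; then echo "$mp"; fi
    done
}

# Constructed demo: one sysfs instance behind a 0700 directory, one in a chroot.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/var/run/mnt-sysfs/sys" "$t/srv/chroot/sys"
    chmod -R 755 "$t/var" "$t/srv"
    chmod 700 "$t/var/run/mnt-sysfs"
    printf '%s\n' 'sysfs /var/run/mnt-sysfs/sys sysfs rw 0 0' \
        'proc /proc proc rw 0 0' 'sysfs /srv/chroot/sys sysfs rw 0 0' >"$t/mounts"
    exposed_sysfs_mounts "$t/mounts" "$t"
    rm -rf "$t"
}
demo
```

On a live system, `exposed_sysfs_mounts /proc/mounts` with no second argument checks the real paths; mount points containing spaces (escaped as `\040` in /proc/mounts) are not handled.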
