Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 31 Jul 2016 10:55:04 +0000
From: "Reshetova, Elena" <>
To: Jann Horn <>, ""
CC: ""
	<>, ""
	<>, "" <>,
	"" <>, "Schaufler, Casey"
	<>, "Leibowitz, Michael"
	<>, "Roberts, William C"
Subject: RE: [RFC] [PATCH 1/5] path_fchdir and
 path_fhandle LSM hooks

On Fri, Jul 29, 2016 at 10:34:36AM +0300, Elena Reshetova wrote:
> This introduces two new LSM hooks operating on paths.
>   - security_path_fchdir() checks for permission on
>     changing working directory. It can be used by
>     LSMs concerned on fchdir system call

>I don't think security_path_fchdir() is a good abstraction level. It
neither covers the whole case of "cwd is changed" nor does it cover the
whole case of "someone uses a file descriptor to a directory to look up
stuff outside that directory".
Do you have a suggestion on what can be a good place? 

>For example, security_path_fchdir() seems to be intended to prevent the use
of a leaked file descriptor to the outside world for accessing other files
in the outside world. 
Yes, this was exactly the use case.

>But this is trivially bypassed by first using openat() directly instead of
fchdir()+open() (something that used to work against grsecurity, but was
fixed quite a while ago).
The way it has been addressed in grsecurity is having a check inside
filename_lookup() , but it doesn't look a very great place for putting a
hook. I was thinking about it , but so far didn't find any other good

Download attachment "smime.p7s" of type "application/pkcs7-signature" (7586 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.