tech-security archive
Re: Relax the prohibition of usage fchdir(2) to quit a chroot
On 21.09.2014 at 11:37, Kamil Rytarowski <n54%gmx.com@localhost> wrote:
> Hello Matt,
>
> Thank you for your reply.
>
> I do agree that the rule looks perfectly sane and inviolate.... however
> there is the second side of it. The fchdir(2) used i.a. in the venerable RPM
> is very ugly, I do agree with it.
>
> The second side of this ugly hack is that it opens the possibility to
> flawlessly interfere between the native and a chroot environment and get the
> job done immediately -- just enter_chroot() and quit_chroot() and you are
> done, with zero modification to the code-base, zero additional logic.
> Flawlessly replacing the broken design with something sane produced many and
> different difficult use-cases of RPM features to get implemented - and in the
> end I was forced to abandon it at that time.
>
> I was trying to raise this issue a year ago at the RPM main mailing-list
> [1]...
>
> Well, let's please not shift this discussion from kernel-security to this or
> that piece of 3rd party software, nor to this particular use-case.
>
> My proposition is to add:
>
> security.chroot.allow_fchdir_out_of_chroot = 0
> security.chroot.allow_sysctl_inside_chroot = 1
>
> It's not broken by a 'the right design', but stops the job from being done.
>
> A year has passed since coming to the conclusion of how to work around it... fix the
> kernel.
There is nothing to fix in the kernel in this regard.
That said, I think you can stop insisting, it will not happen, imo...