tech-kern archive
Re: RFC: New security model secmodel_securechroot(9)
On Thu, Jul 14, 2011 at 12:07:56AM +0300, Aleksey Cheusov wrote:
> > So what is the security policy you mean to enforce by blocking paths
> > into the kernel with kauth? For every `destructive modification' that
> > can be done to the system, what is every path into the kernel that
> > leads to that modification?
> > Have you blocked all such paths in your kauth secmodel?
>
> I'm open for concrete ideas and references.
I haven't followed the discussion that closely, but the following list appears
in the chroot(2) restrictions of the PaX/Grsecurity (Linux) project:
* No attaching shared memory outside of chroot
* No kill outside of chroot
* No ptrace outside of chroot (architecture independent)
* No capget outside of chroot
* No setpgid outside of chroot
* No getpgid outside of chroot
* No getsid outside of chroot
* No sending of signals by fcntl outside of chroot
* No viewing of any process outside of chroot, even if /proc is mounted
* No mounting or remounting
* No pivot_root
* No double chroot
* No fchdir out of chroot
* Enforced chdir("/") upon chroot
* No (f)chmod +s
* No mknod
* No sysctl writes
* No raising of scheduler priority
* No connecting to abstract unix domain sockets outside of chroot
* Removal of harmful privileges via capabilities
* Exec logging within chroot
- Jukka.
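The list above reads as a policy, and the earlier question in the thread (which kernel paths lead to each destructive modification) is really about whether every such path is covered. As an added illustration, not code from this thread, from NetBSD's kauth(9) or from grsecurity, here is a small user-space model of that policy as a reference monitor: each request is classified as denied outright inside a chroot, allowed only when the target process is inside the caller's jail, or deferred to other security models. The `Proc` class, the operation names, the `audit` helper and the sample processes are all constructed for this example; the three verdicts mirror the allow/deny/defer outcomes a kauth listener returns.

```python
# Added example: a user-space model of the chroot restrictions listed above.
# It is NOT NetBSD kauth code and NOT grsecurity code; Proc, the operation
# names and the sample processes are constructed for this illustration.
# The three outcomes mirror the way a kauth listener answers: allow, deny,
# or defer to the other security models.
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    root: str  # chroot root of the process; "/" means not chrooted


def inside_root(path: str, root: str) -> bool:
    """True if `path` is at or below `root`.

    The comparison is per path component, so "/jail2" is not mistaken
    for something under "/jail" the way a plain string-prefix test would.
    """
    p = PurePosixPath(path).parts
    r = PurePosixPath(root).parts
    return p[:len(r)] == r


def same_jail(caller: Proc, target: Proc) -> bool:
    """A target is inside the caller's chroot when its own root lies at or
    below the caller's root; a process chrooted elsewhere is out of reach."""
    return inside_root(target.root, caller.root)


# Operations a chrooted process may only apply to processes in its own jail.
CROSS_JAIL_OPS = {"kill", "ptrace", "capget", "setpgid", "getpgid", "getsid",
                  "shmat", "fcntl_signal", "proc_view"}
# Operations never permitted from inside a chroot, whatever the target
# ("chroot" here is the double-chroot case).
DENIED_IN_CHROOT = {"mount", "pivot_root", "chroot", "mknod", "sysctl_write",
                    "raise_priority", "chmod_setid"}
# Operations naming a directory that must stay under the caller's root.
PATH_OPS = {"fchdir"}


def decide(caller: Proc, op: str, target: Optional[Proc] = None,
           path: Optional[str] = None) -> str:
    """Reference-monitor decision for one request: default-deny for anything
    the chroot policy recognises, defer for everything else."""
    if caller.root == "/":
        return "defer"          # not chrooted: this model has nothing to say
    if op in DENIED_IN_CHROOT:
        return "deny"
    if op in CROSS_JAIL_OPS:
        if target is None:
            return "deny"       # cannot show the target is inside the jail
        return "allow" if same_jail(caller, target) else "deny"
    if op in PATH_OPS:
        if path is None:
            return "deny"
        return "allow" if inside_root(path, caller.root) else "deny"
    return "defer"


def audit(log: list, caller: Proc, op: str, **kw) -> str:
    """Wrap decide() with the logging idea from the list: every decision for
    a jailed caller is recorded so the covered paths can be reviewed."""
    verdict = decide(caller, op, **kw)
    if caller.root != "/":
        log.append(f"pid={caller.pid} root={caller.root} op={op} -> {verdict}")
    return verdict


if __name__ == "__main__":
    jailed = Proc(pid=10, root="/var/jail/a")
    neighbour = Proc(pid=11, root="/var/jail/a/sub")
    stranger = Proc(pid=12, root="/var/jail/b")
    log = []
    print(audit(log, jailed, "kill", target=neighbour))   # allow
    print(audit(log, jailed, "kill", target=stranger))    # deny
    print(audit(log, jailed, "chroot"))                   # deny
    print(audit(log, jailed, "fchdir", path="/etc"))      # deny
    print(audit(log, Proc(1, "/"), "mount"))              # defer
    print("\n".join(log))
```

The point of the structure is the one the thread's question raises: the sets are the enumeration of covered paths, and anything not enumerated is deferred rather than silently allowed, so a missing entry shows up as a gap in a table rather than in a kernel path nobody looked at. The per-component root comparison is the detail most often got wrong when "inside the chroot" is implemented as a string prefix.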