Re: [vserver] [Grsec] audit denies pivot_root ?

From: Rik Bobbaers <rik_at_enzoverder.be>
Date: Tue 23 Nov 2010 - 09:52:52 GMT
Message-ID: <11643.193.178.209.214.1290505972.squirrel@www.enzoverder.be>

> Hello,
>
> On 22 Nov 2010 at 12:28, Rik Bobbaers wrote:
>
>> don't really know what you mean by this but: is your problem solved now?
>> or are there still problems?
> There are still problems.
>
>> the audit parameters shouldn't normally stop the pivot_root call... they
>> might LOG things, but not block.
> And yet they do, along with logging.
>
>> the chroot_deny_pivot does effectively
>> block the pivot_root call.
> Oddly enough it does not, meaning I can perfectly start my guest with
> chroot_deny_pivot=1 ...
>
>> BTW. this is why i wouldn't really use chroot restrictions in
>> combination
>> with vserver. Bertl has done a lot of work to secure his vserver
>> implementation. This makes grsecurity extras useless/abundant in
>> combination with vserver... (just my 2 cents)
>
> True. I am usually more interested in the PaX features, but during
> testing, this behaviour struck me as odd ... as you said, *audit* should
> not block anything, yet it does, and this is quite unnerving.
> Anything I can do to help investigate ?
>
> Cheers,
>
> Romain

hehe... aside from looking at the grsec code that does the auditing
etc... no ;)

I'll try to schedule some time in to investigate this further, but i'm
rather short on time lately :(

Greetings,

Rik Bobbaers

-- http://harry.enzoverder.be
linux/unix/system/network/security/hardware admin
infrastructure architect
Received on Tue Nov 23 09:52:44 2010
