Real experts will just transfer their tools over the connection they have
anyway but will not be able to start up evil network services (I assume these
need socket() or socketpair() at a minimum, so no CAP_SYS_SOCKET is lethal).
This patch also nicely stops port 25 email forgers/spammers on the local
machine. (Sadly the old setuid root support will allow those with
root to bypass all this, but this will change when the VFS gets capability
support---I assume if you lack a capability giving it to a binary will be
banned).
CAP_NET_SERVER is more liberal and stops bind(), listen() and accept()
so people can not start up their own servers (a widespread policy so
the ability to enforce this is handy). I would have done CAP_NET_CLIENT
restricting connect(), sendto() and stuff like that but there seem to be
rather few bits left for heftier items (how about a programmable sandbox?).
Note that you *must* install the CAP_SYS_EXEC patch before applying this one
if you want non-root network clients due to the need for CAP_KEEP_SET support.
If you do not then capabilities are not preserved and everything is
squashed when login drops privs, so CAP_SYS_SOCKET and CAP_NET_SERVER go away
too. (Squashing these capabilities is a job for login, inetd, etc).
The patch passes my test (recompile, reboot, login and check my shell still
has the capabilities). I might do MD4/MD5 sum testing for selected binaries
by writing to some virtual files in /proc (easily frozen shortly after fixing
the database at boot time).
Duncan (-:
P.S. I am aware that this patch will generate a rejection if applied after
the CAP_SYS_EXEC patch. Fixing this is left as a simple exercise for the
reader.
--- linux/include/linux/capability.h.dist Wed Aug 12 04:23:32 1998
+++ linux/include/linux/capability.h Mon Aug 17 01:12:25 1998
@@ -254,6 +254,21 @@
#define CAP_SYS_TTY_CONFIG 26
+/* Allow use of exec(). Anti-shellcode measure */
+
+#define CAP_SYS_EXEC 27
+
+/* Allow use of socket() */
+/* Allow use of socketpair() */
+
+#define CAP_SYS_SOCKET 28
+
+/* Allow use of bind() */
+/* Allow use of listen() */
+/* Allow use of accept() */
+
+#define CAP_NET_SERVER 29
+
#ifdef __KERNEL__
/*
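Review bot: this hunk re-adds `#define CAP_SYS_EXEC 27` together with its "Anti-shellcode measure" comment, which is exactly what the separate CAP_SYS_EXEC patch this one depends on already introduces, so this is the source of the rejection mentioned in the P.S.; drop the CAP_SYS_EXEC lines here and state the dependency in the changelog instead of shipping two patches that both edit this spot. The two new capabilities would also read better with one comment block each (e.g. `/* Allow use of bind(), listen() and accept() */`) rather than three one-line comments per define.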
@@ -266,6 +281,7 @@
#define CAP_INIT_INH_SET { ~0 & ~CAP_TO_MASK(CAP_SETPCAP) }
#define CAP_TO_MASK(x) (1 << (x))
+#define CAP_KEEP_SET (CAP_TO_MASK(CAP_SYS_EXEC) | CAP_TO_MASK(CAP_SYS_SOCKET) | CAP_TO_MASK(CAP_NET_SERVER))
#define cap_raise(c, flag) ((c).cap |= CAP_TO_MASK(flag))
#define cap_lower(c, flag) ((c).cap &= ~CAP_TO_MASK(flag))
#define cap_raised(c, flag) ((c).cap & CAP_TO_MASK(flag))
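Review bot: CAP_KEEP_SET is defined here but nothing else in this patch consumes it; the cover text says the logic that preserves it across a privilege drop lives in the CAP_SYS_EXEC patch, so either that patch should own this define or a comment on this line should say which code reads it, otherwise a reader of capability.h cannot tell what the keep set does. Note also that CAP_KEEP_SET only meaningfully survives if the code dropping privileges masks with it; with the stock login it is squashed like everything else.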
--- linux/net/socket.c.dist Mon Aug 17 00:47:13 1998
+++ linux/net/socket.c Mon Aug 17 02:47:26 1998
@@ -41,6 +41,9 @@
* Kevin Buhr : Fixed the dumb errors in the above.
* Andi Kleen : Some small cleanups, optimizations,
* and fixed a copy_from_user() bug.
+ * Duncan : Added CAP_SYS_SOCKET and
+ * CAP_NET_SERVER support. These should
+ * limit script kiddies activities.
*
*
* This program is free software; you can redistribute it and/or
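Review bot: the new changelog entry should say what actually changed (socket()/socketpair() now require CAP_SYS_SOCKET, bind()/listen()/accept() require CAP_NET_SERVER) rather than "These should limit script kiddies activities"; a later reader grepping this file for why unprivileged socket() fails needs the mechanism, not the intent. Minor: "script kiddies' activities".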
@@ -75,6 +78,8 @@
#include <linux/wanrouter.h>
#include <linux/init.h>
#include <linux/poll.h>
+#include <linux/capability.h>
+#include <linux/errno.h>
#if defined(CONFIG_KMOD) && defined(CONFIG_NET)
#include <linux/kmod.h>
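Review bot: the `<linux/errno.h>` include is almost certainly redundant, since the functions patched below already return negative errno values (`retval` from sock_create(), `err` from sockfd_lookup()), so errno.h is reachable via the existing includes; check before adding it. `<linux/capability.h>` is the one that matters for cap_raised(), and `current->cap_effective` additionally needs `<linux/sched.h>`, which this file presumably already pulls in.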
@@ -638,6 +643,9 @@
int retval;
struct socket *sock;
+ if (!cap_raised(current->cap_effective,CAP_SYS_SOCKET))
+ return -EACCES;
+
lock_kernel();
retval = sock_create(family, type, protocol, &sock);
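Review bot: the check sits before sock_create() and ignores `family` and `type`, so a process without CAP_SYS_SOCKET loses AF_UNIX sockets as well as network ones, which takes local syslog, X11 over the unix socket and similar IPC away from every unprivileged user, not just "evil network services". If that is intended the changelog should say so; otherwise gate only non-local families. Also, this path returns `-EACCES` while the bind()/listen()/accept() checks in this same patch return `-EPERM`; EPERM is the conventional result for a missing capability, so use it in all five places.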
@@ -667,6 +675,9 @@
struct socket *sock1, *sock2;
int fd1, fd2, err;
+ if (!cap_raised(current->cap_effective,CAP_SYS_SOCKET))
+ return -EACCES;
+
lock_kernel();
/*
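Review bot: a socketpair() has no name and is never reachable from the network, so requiring CAP_SYS_SOCKET here denies ordinary local IPC between parent and child with no effect on the port-25 or rogue-server cases the cover text is after; consider dropping this check entirely, or at least returning `-EPERM` to match the server-side checks instead of `-EACCES`.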
@@ -738,6 +749,9 @@
char address[MAX_SOCK_ADDR];
int err;
+ if (!cap_raised(current->cap_effective, CAP_NET_SERVER))
+ return -EPERM;
+
lock_kernel();
if((sock = sockfd_lookup(fd,&err))!=NULL)
{
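Review bot: gating bind() on CAP_NET_SERVER hits clients too, since binding a local address or ephemeral port before connect()/sendto() is a normal client operation (UDP clients and source-port-selecting clients do this), so this check contradicts the cover text's distinction between CAP_NET_SERVER and a future CAP_NET_CLIENT. If the aim is to stop servers, listen() and accept() are the calls that matter; if bind() must stay, consider allowing binds to port 0 or ports above the privileged range.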
@@ -761,6 +775,9 @@
struct socket *sock;
int err;
+ if (!cap_raised(current->cap_effective, CAP_NET_SERVER))
+ return -EPERM;
+
lock_kernel();
if((sock = sockfd_lookup(fd, &err))!=NULL)
{
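Review bot: the capability test runs before sockfd_lookup(), so a bad descriptor now reports `-EPERM` instead of `-EBADF`, which changes the documented errno for callers and can confuse error handling; move the check after the lookup succeeds. The same `cap_raised(current->cap_effective, CAP_NET_SERVER)` line now appears three times with varying spacing; a small helper or macro would keep the three gates identical.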
@@ -790,6 +807,9 @@
struct socket *sock, *newsock;
int err, len;
char address[MAX_SOCK_ADDR];
+
+ if (!cap_raised(current->cap_effective,CAP_NET_SERVER))
+ return -EPERM;
lock_kernel();
sock = sockfd_lookup(fd, &err);
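Review bot: this gate breaks the common daemon pattern of listen() as root and then dropping to an unprivileged uid before accept(), because once login-style squashing removes CAP_NET_SERVER the already-listening socket can no longer accept connections; either the accept() check should be dropped (listen() is the real server gate) or the cover text's claim that squashing is "a job for login, inetd, etc." needs to cover daemons that squash themselves. Style: the blank `+` line here precedes the check instead of following it as in the other hunks, leaving no gap before lock_kernel().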
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html
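Added example, not part of Duncan's patch: a user-space C model of the gates the patch puts in net/socket.c and of the privilege drop described in the mail, using the patch's own capability numbers and mask macros so the effect of CAP_KEEP_SET can be seen without a patched kernel. The `sock_call` enum, `drop_privs()` and its `policy` mask are assumed names for this illustration.

```c
#include <errno.h>

/* Capability numbers and mask macros as in the patched capability.h
 * (1u instead of 1 only to keep the shift unsigned). */
#define CAP_SYS_EXEC    27
#define CAP_SYS_SOCKET  28
#define CAP_NET_SERVER  29
#define CAP_TO_MASK(x)  (1u << (x))
#define CAP_KEEP_SET    (CAP_TO_MASK(CAP_SYS_EXEC) | \
                         CAP_TO_MASK(CAP_SYS_SOCKET) | \
                         CAP_TO_MASK(CAP_NET_SERVER))

typedef unsigned int cap_set;   /* stands in for current->cap_effective */

enum sock_call { CALL_SOCKET, CALL_SOCKETPAIR, CALL_BIND, CALL_LISTEN, CALL_ACCEPT };

/* The gate the patch inserts at the top of each system call:
 * socket()/socketpair() need CAP_SYS_SOCKET (patch returns -EACCES),
 * bind()/listen()/accept() need CAP_NET_SERVER (patch returns -EPERM).
 * 0 means the call would continue into the normal kernel path. */
int sock_call_gate(cap_set effective, enum sock_call call)
{
    switch (call) {
    case CALL_SOCKET:
    case CALL_SOCKETPAIR:
        return (effective & CAP_TO_MASK(CAP_SYS_SOCKET)) ? 0 : -EACCES;
    case CALL_BIND:
    case CALL_LISTEN:
    case CALL_ACCEPT:
        return (effective & CAP_TO_MASK(CAP_NET_SERVER)) ? 0 : -EPERM;
    }
    return -EINVAL;
}

/* Model of login dropping privileges (hypothetical helper). Without the
 * CAP_SYS_EXEC patch there is no keep set and the effective set is
 * squashed to nothing; with it, the CAP_KEEP_SET bits survive, further
 * narrowed by a site policy mask, e.g. clearing CAP_NET_SERVER so
 * ordinary users keep client sockets but cannot run their own servers. */
cap_set drop_privs(cap_set effective, int keep_set_supported, cap_set policy)
{
    if (!keep_set_supported)
        return 0;
    return effective & CAP_KEEP_SET & policy;
}
```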