Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new LSM_HOOK to restrict root user #158

Merged
merged 1 commit into from
Jan 31, 2022
Merged

Add new LSM_HOOK to restrict root user #158

merged 1 commit into from
Jan 31, 2022

Conversation

mjura
Copy link
Collaborator

@mjura mjura commented Jan 26, 2022
edited
Loading

We have decided to implement new LSH hook which disable root user in container.

Fix #85

Expected output with this feature enabled:

opensuse@mjura-dev:~> sudo -i
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: error initializing audit plugin sudoers_audit


opensuse@mjura-dev:~> su - root
Password: 
su: cannot set user id: Operation not permitted

@mjura mjura requested a review from vadorovsky January 26, 2022 12:21
vadorovsky
vadorovsky approved these changes Jan 26, 2022
View reviewed changes
Copy link
Member

@vadorovsky vadorovsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good to me. Thanks!

I would just remove all those bpf_printk("DEBUG..."); messages before merging. But I guess you are still testing it?

vadorovsky
vadorovsky requested changes Jan 27, 2022
View reviewed changes
lockc/src/lib.rs Outdated Show resolved Hide resolved
vadorovsky
vadorovsky requested changes Jan 27, 2022
View reviewed changes
lockc/src/bpf/lockc.bpf.c Outdated Show resolved Hide resolved
lockc/src/bpf/lockc.bpf.c Outdated Show resolved Hide resolved
@mjura
Add new LSM_HOOK to restrict root user
e9e3feb 
We have decided to implement new LSH hook which disable root user in container.

Fix lockc-project#85

Signed-off-by: Michal Jura <mjura@suse.com>
@mjura mjura changed the title [WIP] Add new LSM_HOOK to restrict root user Add new LSM_HOOK to restrict root user Jan 31, 2022
@mjura mjura requested a review from vadorovsky January 31, 2022 08:28
@vadorovsky vadorovsky merged commit 7cb45b8 into lockc-project:main Jan 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vadorovsky vadorovsky vadorovsky approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

LSM hooks: restrict root user
2 participants
@mjura @vadorovsky