Chroot Restrictions
Grsecurity restricts chroot in several ways to prevent a variety of vulnerabilities and privilege escalation attacks, and to add further checks and balances.
Chroot Modifications:
- No attaching shared memory outside of chroot
- No kill outside of chroot
- No ptrace outside of chroot (architecture independent)
- No capget outside of chroot
- No setpgid outside of chroot
- No getpgid outside of chroot
- No getsid outside of chroot
- No sending of signals by fcntl outside of chroot
- No viewing of any process outside of chroot, even if /proc is mounted
- No mounting or remounting
- No pivot_root
- No double chroot
- No fchdir out of chroot
- Enforced chdir("/") upon chroot
- No (f)chmod +s
- No mknod
- No sysctl writes
- No raising of scheduler priority
- No connecting to abstract unix domain sockets outside of chroot
- Removal of harmful privileges via cap
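
To check which of these restrictions are actually switched on for a running kernel, the list can be audited against grsecurity's sysctl knobs. The script below is an added example, not grsecurity's own code. The knob names and the /proc/sys/kernel/grsecurity path are assumptions taken from grsecurity's sysctl interface, which does not appear on this page and exists only on kernels built with grsecurity sysctl support.

```python
import os
import tempfile

# Assumed sysctl knob -> restriction(s) from the list above that it controls.
KNOBS = {
    "chroot_deny_shmat": "no attaching shared memory outside of chroot",
    "chroot_findtask": "no kill, ptrace, capget, setpgid, getpgid, getsid, "
                       "fcntl signals or process viewing outside of chroot",
    "chroot_deny_mount": "no mounting or remounting",
    "chroot_deny_pivot": "no pivot_root",
    "chroot_deny_chroot": "no double chroot",
    "chroot_deny_fchdir": "no fchdir out of chroot",
    "chroot_enforce_chdir": 'enforced chdir("/") upon chroot',
    "chroot_deny_chmod": "no (f)chmod +s",
    "chroot_deny_mknod": "no mknod",
    "chroot_deny_sysctl": "no sysctl writes",
    "chroot_restrict_nice": "no raising of scheduler priority",
    "chroot_deny_unix": "no connecting to abstract unix domain sockets",
    "chroot_caps": "removal of harmful privileges via cap",
}

def audit(sysctl_dir="/proc/sys/kernel/grsecurity"):
    """Return {knob: 'on' | 'off' | 'missing'} for every chroot knob."""
    states = {}
    for knob in KNOBS:
        try:
            with open(os.path.join(sysctl_dir, knob)) as fh:
                states[knob] = "on" if fh.read().strip() == "1" else "off"
        except OSError:
            # Not a grsecurity kernel, sysctl support not built, or unreadable.
            states[knob] = "missing"
    return states

def gaps(sysctl_dir="/proc/sys/kernel/grsecurity"):
    """Knobs whose restriction is not confirmed enabled, sorted by name."""
    return sorted(k for k, s in audit(sysctl_dir).items() if s != "on")

def demo():
    """Audit a constructed sysctl tree: one knob set to 0, one knob absent."""
    with tempfile.TemporaryDirectory() as d:
        for knob in KNOBS:
            if knob == "chroot_deny_sysctl":
                continue  # constructed: simulate a knob that is not exposed
            value = "0" if knob == "chroot_deny_mknod" else "1"
            with open(os.path.join(d, knob), "w") as fh:
                fh.write(value + "\n")
        return gaps(d)

if __name__ == "__main__":
    for knob in demo():
        print(f"NOT ENFORCED: {knob} ({KNOBS[knob]})")
```

On a real host, call `gaps()` with no argument, as root if the directory is not world-readable; a result of "missing" for every knob means the kernel exposes no grsecurity sysctl tree, not that the restrictions are enabled.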