From: Jamie Lokier <jamie@shareable.org>
To: Mike Waychison <mikew@google.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
linuxram@us.ibm.com, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, akpm@osdl.org,
viro@parcelfarce.linux.theplanet.co.uk
Subject: Re: [RFC][PATCH] rbind across namespaces
Date: Tue, 24 May 2005 22:51:01 +0100 [thread overview]
Message-ID: <20050524215101.GA15902@mail.shareable.org> (raw)
In-Reply-To: <42937360.8090007@google.com>
Mike Waychison wrote:
> > 1. Deny access to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
> > if task NNN cannot be ptraced.
> >
> > 3. Allow entry to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
> > if ptrace is allowed; the namespace being irrelevant.
> >
> > 3. Use _exactly_ the same condition as for ptracing,
> > i.e. MAY_PTRACE in fs/proc/base.c. Ensure that condition is
> > consistent with the tests in kernel/ptrace.c, possibly putting
> > the condition in a common header file to keep it consistent in
> > future.
> >
> > 4. If further restrictions are desired, to make namespaces more
> > strict, those should be implemented by further restrictions on
> > which tasks are allowed to ptrace other tasks.
> >
>
> Indeed. A combination of MAY_PTRACE ||ed with a check against current
> sounds reasonable to me.
Note that MAY_PTRACE already includes a check against current.
-- Jamie
next prev parent reply other threads:[~2005-05-24 21:51 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-20 22:11 [RFC][PATCH] rbind across namespaces Ram
2005-05-21 6:27 ` Miklos Szeredi
2005-05-21 7:26 ` Ram
2005-05-21 8:09 ` Miklos Szeredi
2005-05-21 8:45 ` Ram
2005-05-21 9:09 ` Miklos Szeredi
2005-05-21 10:07 ` Ram
2005-05-21 13:12 ` Miklos Szeredi
2005-05-22 20:25 ` Ram
2005-05-22 20:51 ` Ram
2005-05-23 5:08 ` Miklos Szeredi
2005-05-23 7:24 ` Ram
2005-05-23 8:24 ` Miklos Szeredi
2005-05-21 9:48 ` Miklos Szeredi
2005-05-21 13:46 ` Jamie Lokier
2005-05-22 8:08 ` Miklos Szeredi
2005-05-22 17:04 ` [RFC][PATCH] /proc/dead_mounts support (Was: [RFC][PATCH] rbind across ...) Miklos Szeredi
2005-05-22 21:10 ` [RFC][PATCH] rbind across namespaces Ram
2005-05-23 5:07 ` Miklos Szeredi
2005-05-24 0:39 ` Mike Waychison
2005-05-24 5:43 ` Miklos Szeredi
2005-05-24 7:13 ` Mike Waychison
2005-05-24 8:25 ` Miklos Szeredi
2005-05-24 17:09 ` Mike Waychison
2005-05-24 17:31 ` Miklos Szeredi
2005-05-24 17:44 ` Mike Waychison
2005-05-24 17:56 ` Miklos Szeredi
2005-05-24 18:04 ` Mike Waychison
2005-05-30 19:06 ` Ram
2005-05-24 9:18 ` Miklos Szeredi
2005-05-24 17:15 ` Mike Waychison
2005-05-24 17:46 ` Miklos Szeredi
2005-05-24 18:15 ` Jamie Lokier
2005-05-24 18:33 ` Mike Waychison
2005-05-24 21:51 ` Jamie Lokier [this message]
2005-05-21 13:43 ` Jamie Lokier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050524215101.GA15902@mail.shareable.org \
--to=jamie@shareable.org \
--cc=akpm@osdl.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxram@us.ibm.com \
--cc=mikew@google.com \
--cc=miklos@szeredi.hu \
--cc=viro@parcelfarce.linux.theplanet.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.