From: "Serge E. Hallyn" <serge.hallyn@canonical.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>, Tejun Heo <tj@kernel.org>,
Pavel Emelyanov <xemul@parallels.com>,
Vasiliy Kulikov <segoon@openwall.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] Introduce CAP_CHECKPOINT capability and filter map_files/ access
Date: Thu, 17 Nov 2011 15:07:13 -0600 [thread overview]
Message-ID: <20111117210713.GA8045@sergelap> (raw)
In-Reply-To: <20111117125414.0b134897.akpm@linux-foundation.org>
Quoting Andrew Morton (akpm@linux-foundation.org):
> On Thu, 17 Nov 2011 09:41:05 -0600
> "Serge E. Hallyn" <serge.hallyn@canonical.com> wrote:
>
> > > - (not yet merged) clone-with-specified-pid, might be changed to last_pid+clone setup
> > > - (not yet published/stabilized) prctls calls to tune up vDSO and elements
> > > of mm_struct such as mm->start_code, mm->end_code, mm->start_data and etc
> > >
> > > I would like to gather people opinions on such approach as a general.
> > > _ANY_ comments are highly appreciated. Would it worth it or not (since
> > > CAPs space is pretty limited one).
> >
> > It's hard to have a specific dialogue without the full c/r patchset and
> > idea of the architecture of the exploiters (ie c/r and maybe
> > debuggers)
> >
> > Sorry, the security implications of the in-kernel c/r syscalls were
> > pretty simple and clear to me, but those of the new approach are not.
>
> yup.
>
> From a development-order perspective perhaps it is better to get
> everything working and stabilized for root first. Then as a separate
> activity start working on making it available to less-privileged users.
>
> We would need to be confident that such a second development effort
> doesn't cause back-compatibility issues (ie: interface changes) for
> existing root users.
>
>
>
> Is it possible that once everything is working for root, we realise
> that we can get it all working for non-root users via suitable setuid
> userspace tools?
Not only that, I think it's possible that by the time all the needed c/r
pieces are in, user namespaces will be as well, as will unprivileged
namespace cloning (at least when done along with CLONE_NEWUSER). In that
case, it should be possible to do c/r of a container with no privileges
on the host (but full privileges to the user namespace of the container).
-serge
next prev parent reply other threads:[~2011-11-17 21:07 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-17 10:04 [RFC] Introduce CAP_CHECKPOINT capability and filter map_files/ access Cyrill Gorcunov
2011-11-17 15:41 ` Serge E. Hallyn
2011-11-17 16:24 ` Cyrill Gorcunov
2011-11-17 20:54 ` Andrew Morton
2011-11-17 21:07 ` Serge E. Hallyn [this message]
2011-11-17 21:31 ` Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111117210713.GA8045@sergelap \
--to=serge.hallyn@canonical.com \
--cc=akpm@linux-foundation.org \
--cc=gorcunov@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=segoon@openwall.com \
--cc=tj@kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.