From: ebiederm@xmission.com (Eric W. Biederman)
To: Michael Tokarev <mjt@tls.msk.ru>
Cc: Kay Sievers <kay.sievers@vrfy.org>,
Lennart Poettering <mzxreary@0pointer.de>,
greg@kroah.com, Paul Menage <paul@paulmenage.org>,
linux-kernel@vger.kernel.org, david@fubar.dk,
Linux Containers <lxc-devel@lists.sourceforge.net>,
Linux Containers <containers@lists.osdl.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
harald@redhat.com
Subject: Re: [lxc-devel] Detecting if you are running in a container
Date: Tue, 01 Nov 2011 16:51:22 -0700 [thread overview]
Message-ID: <m17h3js8p1.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <4EB06D27.4020507@msgid.tls.msk.ru> (Michael Tokarev's message of "Wed, 02 Nov 2011 02:05:27 +0400")
Michael Tokarev <mjt@tls.msk.ru> writes:
> [Replying to an oldish email...]
>
> On 12.10.2011 20:59, Kay Sievers wrote:
>> On Mon, Oct 10, 2011 at 23:41, Lennart Poettering <mzxreary@0pointer.de> wrote:
>>> On Mon, 10.10.11 13:59, Eric W. Biederman (ebiederm@xmission.com) wrote:
>>
>>>> - udev. All of the kernel interfaces for udev should be supported in
>>>> current kernels. However I believe udev is useless because container
>>>> start drops CAP_MKNOD so we can't do evil things. So I would
>>>> recommend basing the startup of udev on presence of CAP_MKNOD.
>>>
>>> Using CAP_MKNOD as test here is indeed a good idea. I'll make sure udev
>>> in a systemd world makes use of that.
>>
>> Done.
>>
>> http://git.kernel.org/?p=linux/hotplug/udev.git;a=commitdiff;h=9371e6f3e04b03692c23e392fdf005a08ccf1edb
>
> Maybe CAP_MKNOD isn't actually a good idea, having in mind devtmpfs?
>
> Without CAP_MKNOD, is devtmpfs still being populated internally by
> the kernel, so that udev only needs to change ownership/permissions
> and maintain symlinks in response to device changes, and perform
> other duties (reacting to other types of events) normally?
>
> In other words, provided devtmpfs works even without CAP_MKNOD,
> I can easily imagine a whole system running without this capability
> from the very early boot, with all functionality in place, including
> udev and what not...
Agreed devtmpfs does pretty much make dropping CAP_MKNOD useless. I
expect we should verify that whoever mounts devtmpfs has CAP_MKNOD.
> And having CAP_MKNOD in container may not be that bad either, while
> cgroup device.permission is set correctly - some nodes may need to
> be created still, even in an unprivileged containers. Who filters
> out CAP_MKNOD during container startup (I don't see it in the code,
> which only removes CAP_SYS_BOOT, and even that due to current
> limitation), and which evil things can be done if it is not filtered?
If you don't filter which device nodes you a process can read/write then
that process can access any device on the system. Steal the keyboard,
the X display, access any filesystem, directly access memory. Basically
the process can escalate that permission to full control of the system
without needing any kernel bugs to help it.
Eric
next prev parent reply other threads:[~2011-11-01 23:51 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-06 23:17 A Plumber’s Wish List for Linux Kay Sievers
2011-10-06 23:46 ` Andi Kleen
2011-10-07 0:13 ` Lennart Poettering
2011-10-07 1:57 ` Andi Kleen
2011-10-07 15:58 ` Lennart Poettering
2011-10-19 23:16 ` H. Peter Anvin
2011-10-07 7:49 ` Matt Helsley
2011-10-07 16:01 ` Lennart Poettering
2011-10-08 4:24 ` Eric W. Biederman
2011-10-10 16:31 ` Lennart Poettering
2011-10-10 20:59 ` Detecting if you are running in a container Eric W. Biederman
2011-10-10 21:41 ` Lennart Poettering
2011-10-11 5:40 ` Eric W. Biederman
2011-10-11 6:54 ` Eric W. Biederman
2011-10-12 16:59 ` Kay Sievers
2011-11-01 22:05 ` [lxc-devel] " Michael Tokarev
2011-11-01 23:51 ` Eric W. Biederman [this message]
2011-11-02 8:08 ` Michael Tokarev
2011-10-11 1:32 ` Ted Ts'o
2011-10-11 2:05 ` Matt Helsley
2011-10-11 3:25 ` Ted Ts'o
2011-10-11 6:42 ` Eric W. Biederman
2011-10-11 12:53 ` Theodore Tso
2011-10-11 21:16 ` Eric W. Biederman
2011-10-11 22:30 ` david
2011-10-12 4:26 ` Eric W. Biederman
2011-10-12 5:10 ` david
2011-10-12 15:08 ` Serge E. Hallyn
2011-10-12 17:57 ` J. Bruce Fields
2011-10-12 18:25 ` Kyle Moffett
2011-10-12 19:04 ` J. Bruce Fields
2011-10-12 19:12 ` Kyle Moffett
2011-10-14 15:54 ` Ted Ts'o
2011-10-14 18:04 ` Eric W. Biederman
2011-10-14 21:58 ` H. Peter Anvin
2011-10-16 9:42 ` Eric W. Biederman
2011-10-30 20:11 ` H. Peter Anvin
2011-11-01 13:38 ` Eric W. Biederman
2011-10-11 22:25 ` david
2011-10-07 10:12 ` A Plumber’s Wish List for Linux Alan Cox
2011-10-07 10:28 ` Kay Sievers
2011-10-07 10:38 ` Alan Cox
2011-10-07 12:46 ` Kay Sievers
2011-10-07 13:39 ` Theodore Tso
2011-10-07 15:21 ` Hugo Mills
2011-10-10 11:18 ` A Plumber???s " David Sterba
2011-10-10 11:18 ` David Sterba
2011-10-10 13:09 ` Theodore Tso
2011-10-13 0:28 ` Dave Chinner
2011-10-14 15:47 ` Ted Ts'o
2011-10-11 13:14 ` Serge E. Hallyn
2011-10-11 15:49 ` Andrew G. Morgan
2011-10-12 2:31 ` Serge E. Hallyn
2011-10-12 20:51 ` Lennart Poettering
2011-10-08 9:53 ` A Plumber’s " Bastien ROUCARIES
2011-10-09 3:15 ` Alex Elsayed
2011-10-07 16:07 ` Valdis.Kletnieks
2011-10-07 12:35 ` Vivek Goyal
2011-10-07 18:59 ` Greg KH
2011-10-09 12:20 ` Kay Sievers
2011-10-09 8:45 ` Rusty Russell
2011-10-11 23:16 ` Andrew Morton
2011-10-12 0:53 ` Frederic Weisbecker
2011-10-12 0:59 ` Frederic Weisbecker
[not found] ` <20111012174014.GE6281@google.com>
2011-10-12 18:16 ` Cyrill Gorcunov
2011-10-14 15:38 ` Frederic Weisbecker
2011-10-14 16:01 ` Cyrill Gorcunov
2011-10-14 16:08 ` Cyrill Gorcunov
2011-10-14 16:19 ` Frederic Weisbecker
2011-10-19 21:19 ` Paul Menage
2011-10-19 21:12 ` Paul Menage
2011-10-19 23:03 ` Lennart Poettering
2011-10-19 23:09 ` Paul Menage
2011-10-19 23:31 ` Lennart Poettering
2011-10-22 10:21 ` Frederic Weisbecker
2011-10-22 15:28 ` Lennart Poettering
2011-10-25 5:40 ` Li Zefan
2011-10-30 17:18 ` Lennart Poettering
2011-11-01 1:27 ` Li Zefan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m17h3js8p1.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=containers@lists.osdl.org \
--cc=david@fubar.dk \
--cc=greg@kroah.com \
--cc=harald@redhat.com \
--cc=kay.sievers@vrfy.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lxc-devel@lists.sourceforge.net \
--cc=mjt@tls.msk.ru \
--cc=mzxreary@0pointer.de \
--cc=paul@paulmenage.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.