From: Aristeu Rozanski <aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
amorgan-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH 0/4] Rebase device_cgroup v2 patchset
Date: Tue, 14 May 2013 11:51:11 -0400 [thread overview]
Message-ID: <20130514155111.GJ680@redhat.com> (raw)
In-Reply-To: <20130514150539.GA26090@sergelap>
On Tue, May 14, 2013 at 10:05:39AM -0500, Serge Hallyn wrote:
> so now that the device cgroup properly respects hierarchy, not allowing
> a cgroup to be given greater permission than its parent, should we consider
> relaxing the capability checks?
>
> There are two capable(CAP_SYS_ADMIN) checks in deice_cgroup.c: one in
> devcgroup_can_attach() to protect changing another task's cgroup, and
> one in devcgroup_update_access() to protect writes to the devices.allow
> and devices.deny files.
>
> I think the first should be changed to a check for ns_capable() to
> the victim's user_ns. Something like
>
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -70,10 +70,16 @@ static int devcgroup_can_attach(struct cgroup *new_cgrp,
> struct cgroup_taskset *set)
> {
> struct task_struct *task = cgroup_taskset_first(set);
> + struct user_namespace *ns;
> + int ret = -EPERM;
>
> - if (current != task && !capable(CAP_SYS_ADMIN))
> - return -EPERM;
> - return 0;
> + if (current == task)
> + return 0;
> +
> + ns = userns_get(task);;
> + ret = ns_capable(ns, CAP_SYS_ADMIN) ? 0 : -EPERM;
> + put_user_ns(ns);
> + return ret;
> }
wouldn't this allow a userns root to move a task in the same userns into
a parent cgroup? I believe than anything but moving down the hierarchy
would be very complicated to verify (how far up can you go).
> For the second, the hierarchy support should let us ignore concerns
> about unprivileged users escalating privilege, but I'm trying to decide
> whether we need to worry about the sendmail capability class of bugs.
You have a pointer for more information on those?
> My sense is actually the answer is no, and we can drop the capable()
> check altogether. The reason is that while userspace frequently doesn't
> properly handle a failing system call due to unexpected lack of partial
> privilege, I wouldn't expect any setuid root program to ignore failure
> to open or mknod a device file (and proceed into a bad failure mode).
> Does this sound rasonable, or a recipe for disaster?
The second case sounds ok to me
--
Aristeu
next prev parent reply other threads:[~2013-05-14 15:51 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-22 13:45 [PATCH 0/4] Rebase device_cgroup v2 patchset Aristeu Rozanski
2012-10-22 13:45 ` [PATCH 1/4] cgroup: fix invalid rcu dereference Aristeu Rozanski
[not found] ` <20121022134536.543579196-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2012-10-22 16:11 ` Serge Hallyn
2012-10-23 12:50 ` Jiri Slaby
[not found] ` <508692A8.6090706-AlSwsSmVLrQ@public.gmane.org>
2012-10-23 13:17 ` Aristeu Rozanski
[not found] ` <20121023131746.GB14085-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-10-23 13:53 ` Jiri Slaby
2012-10-22 13:45 ` [PATCH 2/4] device_cgroup: rename deny_all to behavior Aristeu Rozanski
2012-10-22 16:12 ` Serge Hallyn
2012-10-22 13:45 ` [PATCH 3/4] device_cgroup: stop using simple_strtoul() Aristeu Rozanski
[not found] ` <20121022134537.125748392-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2012-10-22 16:14 ` Serge Hallyn
2012-10-22 13:45 ` [PATCH 4/4] device_cgroup: add proper checking when changing default behavior Aristeu Rozanski
[not found] ` <20121022134537.447117744-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2012-10-22 16:16 ` Serge Hallyn
[not found] ` <20121022134536.172969567-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2012-10-22 19:58 ` [PATCH 0/4] Rebase device_cgroup v2 patchset Andrew Morton
[not found] ` <20121022125838.20cdc240.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2012-10-22 20:14 ` Aristeu Rozanski
2013-05-14 15:05 ` Serge Hallyn
2013-05-14 15:51 ` Aristeu Rozanski [this message]
[not found] ` <20130514155111.GJ680-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-05-14 16:22 ` Serge Hallyn
2013-05-14 21:02 ` Eric W. Biederman
[not found] ` <87y5bhwa0h.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-05-16 1:14 ` Serge E. Hallyn
[not found] ` <20130516011401.GA17462-anj0Drq5vpzx6HRWoRZK3AC/G2K4zDHf@public.gmane.org>
2013-05-16 1:23 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130514155111.GJ680@redhat.com \
--to=aris-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=amorgan-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).