From: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
To: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
"Stéphane Graber"
<stgraber-/Ni+VN9Krahg9hUCZPvPmw@public.gmane.org>,
"Tim Hockin" <thockin-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
"Victor Marmol" <vmarmol-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
"Rohit Jnagal" <jnagal-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org
Subject: Re: [lxc-devel] cgroup management daemon
Date: Tue, 3 Dec 2013 20:31:51 -0600 [thread overview]
Message-ID: <20131204023151.GA12376@sergelap> (raw)
In-Reply-To: <20131204012416.GY8277-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
Quoting Tejun Heo (tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org):
> Hello, Serge.
>
> On Tue, Dec 03, 2013 at 06:03:44PM -0600, Serge Hallyn wrote:
> > > As I communicated multiple times before, delegating write access to
> > > control knobs to untrusted domain has always been a security risk and
> > > is likely to continue to remain so. Also, organizationally, a
> >
> > Then that will need to be address with per-key blacklisting and/or
> > per-value filtering in the manager.
> >
> > Which is my way of saying: can we please have a list of the security
> > issues so we can handle them? :) (I've asked several times before
> > but haven't seen a list or anyone offering to make one)
>
> Unfortunately, for now, please consider everything blacklisted. Yes,
> it is true that some knobs should be mostly safe but given the level
> of changes we're going through and the difficulty of properly auditing
> anything for delegation to untrusted environment, I don't feel
> comfortable at all about delegating through chown. It is an
> accidental feature which happened just because it uses filesystem as
> its interface and it is no where near the top of the todo list. It
> has never worked properly and won't in any foreseeable future.
>
> > > cgroup's control knobs belong to the parent not the cgroup itself.
> >
> > After thinking awhile I think this makes perfect sense. I haven't
> > implemented set_value yet, and when I do I think I'll implement this
> > guideline.
>
> I'm kinda confused here. You say *everything* is gonna go through the
> manager and then talks about chowning directories. Don't the two
> conflict?
No. I expect the user - except in the google case - to either have
access to no cgroupfs mounts, or readonly mounts.
-serge
next prev parent reply other threads:[~2013-12-04 2:31 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-25 22:43 cgroup management daemon Serge E. Hallyn
[not found] ` <20131125224335.GA15481-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-26 0:03 ` [lxc-devel] " Marian Marinov
[not found] ` <5293E544.10805-NV7Lj0SOnH0@public.gmane.org>
2013-11-26 0:11 ` Stéphane Graber
2013-11-26 1:35 ` [lxc-devel] " Marian Marinov
[not found] ` <5293FADA.8070901-NV7Lj0SOnH0@public.gmane.org>
2013-11-26 1:46 ` Stéphane Graber
2013-11-26 2:18 ` Michael H. Warfield
[not found] ` <1385432284.8590.52.camel-s3/A7Nnwjkf10ug9Blv0m0EOCMrvLtNR@public.gmane.org>
2013-11-26 2:43 ` Stéphane Graber
2013-11-26 2:55 ` [lxc-devel] " Michael H. Warfield
2013-11-26 4:52 ` Tim Hockin
[not found] ` <CAO_RewYmS0fH819BFCr9ozis1132dACgCPwbyb59gM1PafpUkw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-26 16:37 ` Serge E. Hallyn
[not found] ` <20131126163737.GB23834-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-26 20:49 ` Tim Hockin
2013-11-26 4:58 ` Tim Hockin
[not found] ` <CAO_RewZGWARUafKzDc_t3G5OedGtEPTZgB2VYeHHiKSSrja8fA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-26 5:47 ` Serge E. Hallyn
[not found] ` <20131126054718.GA19134-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-26 20:38 ` Tim Hockin
[not found] ` <CAO_RewZ8cUn-PdXfQF0yH=V=9UqE7Yo1JX2pt2c71WYDrpYE0Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-26 20:58 ` Serge E. Hallyn
[not found] ` <20131126205819.GA27266-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-26 21:24 ` Tim Hockin
[not found] ` <CAO_RewZh+dNkUdZdu-R3CKTvYzbPL50v-BsBHvek75ti3V6kZQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-26 21:28 ` Serge E. Hallyn
[not found] ` <20131126212814.GA27602-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-26 21:31 ` Victor Marmol
[not found] ` <CAD=mX8uuAeN7s8ZA6Gc-wsBd6-PHevBRyBL6hMAS9VW15T5eYA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-27 1:49 ` Tim Hockin
[not found] ` <CAO_RewY0eFTgkVqbRJwdW9bgR3nz9h5t6c823wFH5cg1CD0sEA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-27 1:53 ` Serge E. Hallyn
2013-11-26 16:12 ` Serge E. Hallyn
[not found] ` <20131126161246.GA23834-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-26 16:22 ` Victor Marmol
[not found] ` <CAD=mX8tCOEO4wP-XGs9YdRufTAay6zPaOxo_wZF=-KoqepH0wg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-26 16:41 ` Serge E. Hallyn
[not found] ` <20131126164125.GC23834-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-26 17:19 ` Victor Marmol
[not found] ` <CAD=mX8v-jfA8F5DueK60Oo4Zfcjj86idKYKnDVc9LxQVs9W_rQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-12-03 14:00 ` Tejun Heo
2013-11-26 20:45 ` Tim Hockin
2013-12-03 13:54 ` Tejun Heo
2013-12-03 13:45 ` Tejun Heo
[not found] ` <20131203134506.GG8277-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
2013-12-03 13:45 ` Tejun Heo
2013-12-04 0:03 ` [lxc-devel] " Serge Hallyn
2013-12-04 1:24 ` Tejun Heo
[not found] ` <20131204012416.GY8277-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
2013-12-04 1:26 ` Tejun Heo
2013-12-04 2:31 ` Serge Hallyn [this message]
2013-12-04 4:53 ` Tim Hockin
[not found] ` <CAO_RewbZiLCJcO9G7pgxN8ZxkkVdEW1B84nkQ5wX3a9DPq4zfg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-12-04 5:09 ` Victor Marmol
[not found] ` <CAD=mX8seoMfM63hOwbmJ_0GdS-fa8H6fB40k8uyqBNbSVqfXrA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-12-04 15:56 ` [lxc-devel] " Serge Hallyn
2013-12-04 11:37 ` Tejun Heo
2013-12-04 15:54 ` Serge Hallyn
2013-12-04 23:06 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131204023151.GA12376@sergelap \
--to=serge.hallyn-gewih/nmzzlqt0dzr+alfa@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=jnagal-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org \
--cc=lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
--cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
--cc=stgraber-/Ni+VN9Krahg9hUCZPvPmw@public.gmane.org \
--cc=thockin-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=vmarmol-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).