From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: nguyen thai <thai.bkset-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: Cgroups maillist <cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: Ask about cgroups security
Date: Fri, 28 Feb 2014 03:39:47 -0800 [thread overview]
Message-ID: <87eh2nwjng.fsf@xmission.com> (raw)
In-Reply-To: <CACBeRbYh58m+MuCefJP0SzT5AQADDJh==KyeDFG8UdRb=NQvQg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (nguyen thai's message of "Thu, 27 Feb 2014 10:59:31 +0700")
nguyen thai <thai.bkset-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
> Hi everyone,
>
> I'm working with SELinux and cgroups to implement SELinux on the cgroups
> file. This is expected to improve cgroups security. But I'm having
> confusion identifying the possible vulnerabilities of the current cgroups
> DAC check and what needs to be improved.
> I know the cgroup interface is the filesystem. But how can this be the
> drawback of the current implementation? I mean, how may hackers use this to
> attack the system? Tejun Heo said that the biggest issue with cgroups
> is the ability for non-root users to gain access to the raw kernel
> control knobs. Can anyone explain more about this?
The problem is poor design of the basic mechanisms. The result is that
in several instances a poor/unmaintainable choice of
abstractions was exposed. That is, there are values exposed for
tweaking that, if a non-root user is allowed to change them, can lead to
subversion of the policy framework that it is the intention of cgroups to
implement.
The only sane fix is to go through the exported control knobs and
catalogue them as safe or not safe. And then work towards removing the
unsafe knobs.
Eric
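A defender-side check of the point made above, added here as an example and not part of the thread: walk a mounted cgroup hierarchy and list the control files whose plain DAC bits (group or other write) let a non-root user change them, which is the first step of cataloguing the exposed knobs. The sample tree, its directory layout and its file names are constructed for the demo and stand in for a real mount.

```shell
#!/bin/sh
# audit_cgroup_knobs ROOT: print every regular file under ROOT (a cgroup
# mount) that is writable by its group or by others. Directories are the
# cgroups themselves; the regular files are the kernel control knobs.
audit_cgroup_knobs() {
    find "$1" -type f \( -perm -0002 -o -perm -0020 \) 2>/dev/null \
        | LC_ALL=C sort
}

# count_writable_knobs ROOT: number of such files, for a quick pass/fail.
count_writable_knobs() {
    audit_cgroup_knobs "$1" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed stand-in for a cgroup v1 mount
# (assumption: a memory and a cpu controller, each with one child cgroup
# "app" that has been delegated to an unprivileged group). Prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/memory/app" "$dir/cpu/app"
    for f in memory/memory.limit_in_bytes memory/app/memory.limit_in_bytes \
             cpu/cpu.shares cpu/app/cpu.shares cpu/app/tasks memory/app/tasks
    do
        : > "$dir/$f"
        chmod 0644 "$dir/$f"      # root-only write: the safe default
    done
    # The delegated knobs: a non-root user can now re-tune scheduling
    # weight and move tasks, which is exactly the exposure discussed above.
    chmod 0664 "$dir/cpu/app/cpu.shares"
    chmod 0666 "$dir/memory/app/tasks"
    printf '%s\n' "$dir"
}

# With no argument, audit the constructed tree; otherwise audit the given
# mount point, e.g. /sys/fs/cgroup on a real system.
root="${1:-$(make_sample_tree)}"
audit_cgroup_knobs "$root"
```

Every path printed is a knob that deserves a place in the "safe or not safe" catalogue; on a real system the owner (`! -user root`) is worth adding to the `find` expression as a second signal.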