* Ask about cgroups security
@ 2014-02-27 3:59 nguyen thai
From: nguyen thai @ 2014-02-27 3:59 UTC (permalink / raw)
To: Cgroups maillist
Hi everyone,
I'm working with SELinux and cgroups to implement SELinux on cgroup
files. This is expected to improve cgroups security. But I'm having
some confusion identifying the possible vulnerabilities of the current
cgroups DAC check and what needs to be improved.
I know the cgroup interface is the filesystem. But how can this be a
drawback of the current implementation? I mean, how may hackers use this to
attack the system? Tejun Heo said that the biggest issue with cgroups
is the ability for non-root users to gain access to the raw kernel
control knobs. Can anyone explain more about this?
Thank you very much.
* Re: Ask about cgroups security
@ 2014-02-28 11:39 ` Eric W. Biederman
From: Eric W. Biederman @ 2014-02-28 11:39 UTC (permalink / raw)
To: nguyen thai; +Cc: Cgroups maillist
nguyen thai <thai.bkset-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
> Hi everyone,
>
> I'm working with SELinux and cgroups to implement SELinux on cgroup
> files. This is expected to improve cgroups security. But I'm having
> some confusion identifying the possible vulnerabilities of the current
> cgroups DAC check and what needs to be improved.
> I know the cgroup interface is the filesystem. But how can this be a
> drawback of the current implementation? I mean, how may hackers use this to
> attack the system? Tejun Heo said that the biggest issue with cgroups
> is the ability for non-root users to gain access to the raw kernel
> control knobs. Can anyone explain more about this?
The problem is poor design of the basic mechanisms. The result is that
in several instances a poor/unmaintainable choice of abstractions was
exposed. That is, there are values exposed for tweaking that, if a
non-root user is allowed to change them, can lead to subversion of the
policy framework that it is the intention of cgroups to implement.
The only sane fix is to go through the exported control knobs and
catalogue them as safe or not safe. And then work towards removing the
unsafe knobs.
Eric
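Eric's suggestion of cataloguing the exported knobs as safe or unsafe can be turned into a small audit of a delegated hierarchy. The following is an added example, not code from this thread or from the kernel: it walks a cgroup mount and reports control files that a non-root user could write, skipping a catalogue of files assumed safe to delegate (the default is the three files the cgroup v2 documentation lists as delegatable; that catalogue, the sample tree and the function names are assumptions).

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed starting catalogue: control files cgroup v2 documents as safe to hand
# to an unprivileged subtree owner.  Every other file is treated as a raw kernel
# knob and reported if someone other than root can write it.
DELEGATABLE = frozenset({"cgroup.procs", "cgroup.threads", "cgroup.subtree_control"})


def audit_knobs(root, trusted_uids=frozenset({0}), delegatable=DELEGATABLE):
    """Return [(path, reason)] for control files under `root` that a non-root
    user could write: owned by an untrusted uid, or with group/other write bits.
    Files named in `delegatable` are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in delegatable:
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_uid not in trusted_uids:
                findings.append((path, f"owned by uid {st.st_uid}"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                mode = oct(stat.S_IMODE(st.st_mode))
                findings.append((path, f"mode {mode} grants non-owner write"))
    return findings


def build_sample_hierarchy(base):
    """Constructed sample mimicking a delegated subtree: the delegatable files are
    group-writable as intended, memory.max is root-only, pids.max is mis-permissioned."""
    sub = Path(base) / "user.slice" / "app"
    sub.mkdir(parents=True)
    for name, mode in (("cgroup.procs", 0o664), ("cgroup.subtree_control", 0o664),
                       ("memory.max", 0o644), ("pids.max", 0o666)):
        (sub / name).write_text("max\n")
        (sub / name).chmod(mode)
    return str(sub)


def audit_sample(delegatable=DELEGATABLE):
    """Build the sample in a temp dir, audit it (the sample's owner is trusted)
    and return the sorted basenames of flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_hierarchy(tmp)
        found = audit_knobs(tmp, trusted_uids={0, os.getuid()}, delegatable=delegatable)
        return sorted({os.path.basename(p) for p, _ in found})


if __name__ == "__main__":
    print(audit_sample())  # expected: ['pids.max']
```

Run against a real mount with `audit_knobs("/sys/fs/cgroup")` after replacing the default catalogue with the one you build for your own kernel.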