From: "Serge E. Hallyn" <serue@us.ibm.com>
To: "Andrew G. Morgan" <morgan@kernel.org>
Cc: Oren Laadan <orenl@cs.columbia.edu>,
Linux Containers <containers@lists.osdl.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
David Howells <dhowells@redhat.com>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 5/9] cr: capabilities: define checkpoint and restore fns
Date: Mon, 1 Jun 2009 08:35:08 -0500 [thread overview]
Message-ID: <20090601133508.GA18889@us.ibm.com> (raw)
In-Reply-To: <551280e50905311918j28cd2482g5918bf9b0bcb297a@mail.gmail.com>
Quoting Andrew G. Morgan (morgan@kernel.org):
> On Sun, May 31, 2009 at 6:38 PM, Serge E. Hallyn <serge@hallyn.com> wrote:
> >
> > Quoting Andrew G. Morgan (morgan@kernel.org):
> > > Serge,
> > >
> > > I'm not sure I'm too happy with hard coding the 64-bitness of
> > > capability sets. It may well be a very long time before we increase
> > > their size, but couldn't you prepare for that with some reference to
> > > the prevailing magic numbers for the current ABI representation?
> >
> > Hmm, ok. I figured since the c/r code was in capability.h it would
> > be obvious that going past 64-bit would mean a new checkpoint image
> > format. I can see where that's silly...
> >
> > I'll put in a commented BUILD_BUG_ON like Alexey suggests - does that
> > suffice?
>
> I guess I'm not really well up on what the plans are for checkpoint
> images. Is there some sort of version control/signature/checksum to
> protect a kernel from loading an image that has been hacked to modify
> the privilege it was running with when the checkpoint was created?
No. One day we expect there will be TPM-signing of checkpoint images,
but that will be up to userspace to properly exploit. So if userspace
wants to enforce a certain flow control to prevent an unprivileged user
from modifying a checkpoint image (which of course it does), then it
should set up DAC and/or MAC to enforce that.
> > > Also, the use of 'error' as both a variable and a goto destination
> > > looks a little confusing.
> >
> > Ok will change.
> >
> > Did you see any problems with the way I authorize a task's resetting
> > of capabilities at sys_restart()?
>
> [See above.] Is there a mailing list or something I can lurk on to get
> up to speed on what is being intended?
It mainly gets discussed on the containers list
(https://lists.linux-foundation.org/mailman/listinfo/containers) and
on freenode/#lxcontainers.
thanks,
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2009-06-01 13:35 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-29 22:32 [PATCH 0/9] credentials c/r: Introduction Serge E. Hallyn
2009-05-29 22:32 ` [PATCH 1/9] cred: #include init.h in cred.h Serge E. Hallyn
2009-05-29 22:32 ` [PATCH 2/9] groups: move code to kernel/groups.c Serge E. Hallyn
2009-05-29 22:33 ` [PATCH 3/9] cr: break out new_user_ns() Serge E. Hallyn
2009-05-29 22:33 ` [PATCH 4/9] cr: split core function out of some set*{u,g}id functions Serge E. Hallyn
2009-05-29 22:33 ` [PATCH 5/9] cr: capabilities: define checkpoint and restore fns Serge E. Hallyn
2009-05-31 20:26 ` Andrew G. Morgan
2009-05-31 20:56 ` Alexey Dobriyan
2009-06-01 1:38 ` Serge E. Hallyn
2009-06-01 2:18 ` Andrew G. Morgan
2009-06-01 13:35 ` Serge E. Hallyn [this message]
2009-06-01 15:46 ` Andrew G. Morgan
2009-06-01 22:18 ` Serge E. Hallyn
2009-06-02 13:49 ` Andrew G. Morgan
2009-06-02 14:23 ` Serge E. Hallyn
2009-06-02 15:26 ` Oren Laadan
2009-06-02 15:49 ` Andrew G. Morgan
2009-06-02 17:15 ` Serge E. Hallyn
2009-06-03 0:05 ` Oren Laadan
[not found] ` <4A25BE4F.6000603-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2009-06-03 15:03 ` Andrew G. Morgan
2009-06-03 16:45 ` Serge E. Hallyn
2009-06-04 14:13 ` Andrew G. Morgan
2009-06-05 19:41 ` Serge E. Hallyn
2009-06-06 15:02 ` Andrew G. Morgan
2009-06-15 9:58 ` Alexey Dobriyan
2009-06-01 15:49 ` Serge E. Hallyn
2009-06-01 16:34 ` Oren Laadan
2009-05-29 22:33 ` [PATCH 6/9] cr: checkpoint and restore task credentials Serge E. Hallyn
[not found] ` <20090529223229.GA14536-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-29 22:33 ` [PATCH 7/9] cr: restore file->f_cred Serge E. Hallyn
2009-05-29 22:33 ` [PATCH 8/9] user namespaces: debug refcounts Serge E. Hallyn
2009-05-31 18:51 ` Alexey Dobriyan
2009-06-01 19:02 ` Serge E. Hallyn
2009-05-29 22:34 ` [PATCH 9/9] cr: ipc: reset kern_ipc_perms Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090601133508.GA18889@us.ibm.com \
--to=serue@us.ibm.com \
--cc=adobriyan@gmail.com \
--cc=containers@lists.osdl.org \
--cc=dhowells@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=morgan@kernel.org \
--cc=orenl@cs.columbia.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox