From: ebiederm@xmission.com (Eric W. Biederman)
To: Michael Tokarev <mjt@tls.msk.ru>
Cc: Kay Sievers <kay.sievers@vrfy.org>,
Lennart Poettering <mzxreary@0pointer.de>,
greg@kroah.com, Paul Menage <paul@paulmenage.org>,
linux-kernel@vger.kernel.org, david@fubar.dk,
Linux Containers <lxc-devel@lists.sourceforge.net>,
Linux Containers <containers@lists.osdl.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
harald@redhat.com
Subject: Re: [lxc-devel] Detecting if you are running in a container
Date: Tue, 01 Nov 2011 16:51:22 -0700 [thread overview]
Message-ID: <m17h3js8p1.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <4EB06D27.4020507@msgid.tls.msk.ru> (Michael Tokarev's message of "Wed, 02 Nov 2011 02:05:27 +0400")
Michael Tokarev <mjt@tls.msk.ru> writes:
> [Replying to an oldish email...]
>
> On 12.10.2011 20:59, Kay Sievers wrote:
>> On Mon, Oct 10, 2011 at 23:41, Lennart Poettering <mzxreary@0pointer.de> wrote:
>>> On Mon, 10.10.11 13:59, Eric W. Biederman (ebiederm@xmission.com) wrote:
>>
>>>> - udev. All of the kernel interfaces for udev should be supported in
>>>> current kernels. However I believe udev is useless because container
>>>> start drops CAP_MKNOD so we can't do evil things. So I would
>>>> recommend basing the startup of udev on presence of CAP_MKNOD.
>>>
>>> Using CAP_MKNOD as test here is indeed a good idea. I'll make sure udev
>>> in a systemd world makes use of that.
>>
>> Done.
>>
>> http://git.kernel.org/?p=linux/hotplug/udev.git;a=commitdiff;h=9371e6f3e04b03692c23e392fdf005a08ccf1edb
>
> Maybe CAP_MKNOD isn't actually a good idea, having in mind devtmpfs?
>
> Without CAP_MKNOD, is devtmpfs still being populated internally by
> the kernel, so that udev only needs to change ownership/permissions
> and maintain symlinks in response to device changes, and perform
> other duties (reacting to other types of events) normally?
>
> In other words, provided devtmpfs works even without CAP_MKNOD,
> I can easily imagine a whole system running without this capability
> from the very early boot, with all functionality in place, including
> udev and what not...
Agreed devtmpfs does pretty much make dropping CAP_MKNOD useless. I
expect we should verify that whoever mounts devtmpfs has CAP_MKNOD.
> And having CAP_MKNOD in container may not be that bad either, while
> cgroup device.permission is set correctly - some nodes may need to
> be created still, even in an unprivileged containers. Who filters
> out CAP_MKNOD during container startup (I don't see it in the code,
> which only removes CAP_SYS_BOOT, and even that due to current
> limitation), and which evil things can be done if it is not filtered?
If you don't filter which device nodes you a process can read/write then
that process can access any device on the system. Steal the keyboard,
the X display, access any filesystem, directly access memory. Basically
the process can escalate that permission to full control of the system
without needing any kernel bugs to help it.
Eric
next prev parent reply other threads:[~2011-11-01 23:51 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1317943022.1095.25.camel@mop>
[not found] ` <20111007074904.GC16723@count0.beaverton.ibm.com>
[not found] ` <20111007160113.GB14201@tango.0pointer.de>
[not found] ` <m17h4g2jqy.fsf@fess.ebiederm.org>
[not found] ` <20111010163140.GA22191@tango.0pointer.de>
2011-10-10 20:59 ` Detecting if you are running in a container Eric W. Biederman
2011-10-10 21:41 ` Lennart Poettering
2011-10-11 5:40 ` Eric W. Biederman
2011-10-11 6:54 ` Eric W. Biederman
2011-10-12 16:59 ` Kay Sievers
2011-11-01 22:05 ` [lxc-devel] " Michael Tokarev
2011-11-01 23:51 ` Eric W. Biederman [this message]
2011-11-02 8:08 ` Michael Tokarev
2011-10-11 1:32 ` Ted Ts'o
[not found] ` <20111011020530.GG16723@count0.beaverton.ibm.com>
2011-10-11 3:25 ` Ted Ts'o
2011-10-11 6:42 ` Eric W. Biederman
2011-10-11 12:53 ` Theodore Tso
2011-10-11 21:16 ` Eric W. Biederman
2011-10-11 22:30 ` david
2011-10-12 4:26 ` Eric W. Biederman
2011-10-12 5:10 ` david
2011-10-12 15:08 ` Serge E. Hallyn
2011-10-12 17:57 ` J. Bruce Fields
2011-10-12 18:25 ` Kyle Moffett
2011-10-12 19:04 ` J. Bruce Fields
2011-10-12 19:12 ` Kyle Moffett
2011-10-14 15:54 ` Ted Ts'o
2011-10-14 18:04 ` Eric W. Biederman
2011-10-14 21:58 ` H. Peter Anvin
2011-10-16 9:42 ` Eric W. Biederman
2011-10-30 20:11 ` H. Peter Anvin
2011-11-01 13:38 ` Eric W. Biederman
2011-10-11 22:25 ` david
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m17h3js8p1.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=containers@lists.osdl.org \
--cc=david@fubar.dk \
--cc=greg@kroah.com \
--cc=harald@redhat.com \
--cc=kay.sievers@vrfy.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lxc-devel@lists.sourceforge.net \
--cc=mjt@tls.msk.ru \
--cc=mzxreary@0pointer.de \
--cc=paul@paulmenage.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox