From: Jamie Lokier
Subject: Re: Hiding secrets from root (Was: Re: [RFC][2.6 patch] Allow creation of new namespaces during mount system call)
Date: Thu, 21 Apr 2005 21:35:34 +0100
Message-ID: <20050421203534.GA8793@mail.shareable.org>
References: <20050419222324.GM13052@parcelfarce.linux.theplanet.co.uk> <20050420033304.GO13052@parcelfarce.linux.theplanet.co.uk> <20050420094558.GB10167@mail.shareable.org> <20050420124829.GB23518@vagabond> <20050420221358.GC21150@mail.shareable.org> <20050421100901.GB6197@vagabond> <20050421184455.GA7301@mail.shareable.org> <20050421185216.GA23555@vagabond>
To: Jan Hudec
Cc: Al Viro , Eric Van Hensbergen , linux-fsdevel@vger.kernel.org
In-Reply-To: <20050421185216.GA23555@vagabond>
Sender: linux-fsdevel-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

Jan Hudec wrote:
> On Thu, Apr 21, 2005 at 19:44:56 +0100, Jamie Lokier wrote:
> > Jan Hudec wrote:
> > > By the way, IIRC so far the root can access all kernel memory too via
> > > /dev/kmem. So the limiting of root's rights would have to be limited
> > > a bit more yet.
> >
> > On some hardened systems, root is not allowed access to /dev/kmem.
>
> That sure makes sense. Still the secret keys must either never leave
> kernel (which would need all the encryption, decryption and checking
> code in kernel), or they must be protected in userland too. Which means
> the process has to be protected against being ptraced or inspected
> through /dev/mem.

That's right. Protecting users' private data from access by the
administrators on a multi-user system is, not surprisingly, hard....

-- 
Jamie
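An added example, not from this thread, of the userland half of Jan's point: what a key-holding process on Linux can do about ptrace and memory inspection, and where that stops. It assumes the prctl(PR_SET_DUMPABLE) and mlock interfaces of current kernels (not the 2.6 tree discussed here); neither stops root holding CAP_SYS_PTRACE or reading /dev/mem, which is exactly why the thread concludes the problem is hard.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>

/* Hardening a process around a key buffer:
 *  - PR_SET_DUMPABLE=0: no core dumps; ptrace attach and /proc/PID/mem
 *    reads are refused to same-uid processes lacking CAP_SYS_PTRACE
 *    (root with that capability, and /dev/mem, are NOT stopped by this);
 *  - mlock: keep the key out of swap, and so off disk.
 * Returns the dumpable flag the kernel reports afterwards (0 = hardened)
 * or -1 if prctl failed.  An mlock failure is reported but not fatal,
 * since RLIMIT_MEMLOCK may forbid it in restricted environments. */
int harden_key_buffer(void *key, size_t len)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
        return -1;
    if (mlock(key, len) == -1)
        fprintf(stderr, "mlock: %s (key may reach swap)\n", strerror(errno));
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Scrub key material; volatile keeps the compiler from eliding the loop. */
void wipe_key(void *key, size_t len)
{
    volatile unsigned char *p = key;
    while (len--)
        *p++ = 0;
}

/* Exercise the above on a constructed placeholder key (not a real secret).
 * Returns the dumpable flag (0 on success), or -2 if the wipe left data. */
int demo(void)
{
    unsigned char key[32];
    int dumpable;
    size_t i;
    memset(key, 0x41, sizeof key);
    dumpable = harden_key_buffer(key, sizeof key);
    wipe_key(key, sizeof key);
    munlock(key, sizeof key);
    for (i = 0; i < sizeof key; i++)
        if (key[i] != 0)
            return -2;
    return dumpable;
}
```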