linux-fsdevel.vger.kernel.org archive mirror
From: Jamie Lokier <jamie@shareable.org>
To: Mike Waychison <mikew@google.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
	linuxram@us.ibm.com, linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, akpm@osdl.org,
	viro@parcelfarce.linux.theplanet.co.uk
Subject: Re: [RFC][PATCH] rbind across namespaces
Date: Tue, 24 May 2005 19:15:54 +0100
Message-ID: <20050524181554.GA13760@mail.shareable.org>
In-Reply-To: <4293612F.3000708@google.com>

Mike Waychison wrote:
> >No need to hijack, it's already done.  Removing calls to
> >proc_check_root() will allow access to different namespaces detached
> >mounts, etc.  It's been tried and actually works.
> 
> See previous message as why we don't want to allow this.

If you can ptrace any process which is in another namespace, then you
_effectively_ have full access to that namespace.  It's quite easy to
do, and negates the supposed security of namespaces.

Because of that, there's _no_ real security benefit from denying
access to /proc/NNN/fd/ if you are able to ptrace task NNN.

What I think makes sense is this:

   1. Deny access to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
      if task NNN cannot be ptraced.

   2. Allow entry to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
      if ptrace is allowed; the namespace being irrelevant.

   3. Use _exactly_ the same condition as for ptracing,
      i.e. MAY_PTRACE in fs/proc/base.c.  Ensure that condition is
      consistent with the tests in kernel/ptrace.c, possibly putting
      the condition in a common header file to keep it consistent in
      future.

   4. If further restrictions are desired, to make namespaces more
      strict, those should be implemented by further restrictions on
      which tasks are allowed to ptrace other tasks.

-- Jamie
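
The four points above amount to a single design rule: the lookup of the namespace-sensitive /proc entries and the ptrace attach decision must be evaluated by one shared predicate, so that the two can never disagree. The following C program is an added illustration of that rule; it is not kernel code and was not posted in this thread. The `task_model` struct, the body of `may_ptrace()` (same uid/euid/suid and gid/egid/sgid plus a dumpable flag, or CAP_SYS_PTRACE), and the "old" policy that additionally requires the same mount namespace are simplified assumptions standing in for the 2.6-era MAY_PTRACE / kernel/ptrace.c checks and for `proc_check_root()`; the real kernel conditions have more cases. The sample tasks at the bottom are constructed.

```c
/* Added illustration, not kernel code and not part of the thread: a small
 * userspace model of the policy proposed in the message above, in which
 * /proc/NNN/{fd,cwd,root} lookups and ptrace attach share one predicate.
 * Credential fields, may_ptrace() and the "old" same-namespace rule are
 * simplified assumptions, not the kernel's real checks. */
#include <stdbool.h>
#include <stdio.h>

struct task_model {
    unsigned uid, euid, suid;
    unsigned gid, egid, sgid;
    bool cap_sys_ptrace;   /* holds CAP_SYS_PTRACE (relevant for a tracer) */
    bool dumpable;         /* target has not cleared its dumpable flag */
    int mnt_namespace;     /* constructed id of the task's mount namespace */
};

/* The single shared predicate (point 3): may `tracer` ptrace `target`?
 * The namespace is deliberately not consulted here. */
bool may_ptrace(const struct task_model *tracer, const struct task_model *target)
{
    if (tracer->cap_sys_ptrace)
        return true;
    bool ids_match = tracer->uid == target->uid  && tracer->uid == target->euid &&
                     tracer->uid == target->suid && tracer->gid == target->gid  &&
                     tracer->gid == target->egid && tracer->gid == target->sgid;
    return ids_match && target->dumpable;
}

enum proc_entry { PROC_FD, PROC_CWD, PROC_ROOT, PROC_STATUS };

static bool is_namespace_sensitive(enum proc_entry e)
{
    return e == PROC_FD || e == PROC_CWD || e == PROC_ROOT;
}

/* Proposed policy (points 1 and 2): the sensitive entries are gated on
 * exactly may_ptrace(); other entries keep their ordinary permissions. */
bool proc_allowed_proposed(enum proc_entry e, const struct task_model *viewer,
                           const struct task_model *target)
{
    return is_namespace_sensitive(e) ? may_ptrace(viewer, target) : true;
}

/* Modelled "old" policy: the same gate plus a same-namespace requirement,
 * a simplification of what proc_check_root() enforced. */
bool proc_allowed_old(enum proc_entry e, const struct task_model *viewer,
                      const struct task_model *target)
{
    if (!is_namespace_sensitive(e))
        return true;
    return may_ptrace(viewer, target) &&
           viewer->mnt_namespace == target->mnt_namespace;
}

/* The two policies disagree only when the viewer can already ptrace the
 * target, which is exactly the case the extra namespace check cannot
 * protect against. */
bool policies_differ(enum proc_entry e, const struct task_model *viewer,
                     const struct task_model *target)
{
    return proc_allowed_proposed(e, viewer, target) !=
           proc_allowed_old(e, viewer, target);
}

/* Constructed sample tasks (field order: uid, euid, suid, gid, egid, sgid,
 * cap_sys_ptrace, dumpable, mnt_namespace). */
const struct task_model viewer_uid1000 =
    { 1000, 1000, 1000, 1000, 1000, 1000, false, true, 1 };
const struct task_model target_uid1000_ns2 =
    { 1000, 1000, 1000, 1000, 1000, 1000, false, true, 2 };
const struct task_model target_root_ns2 =
    { 0, 0, 0, 0, 0, 0, false, true, 2 };
const struct task_model target_uid1000_nodump_ns1 =
    { 1000, 1000, 1000, 1000, 1000, 1000, false, false, 1 };

int main(void)
{
    const struct task_model *targets[] =
        { &target_uid1000_ns2, &target_root_ns2, &target_uid1000_nodump_ns1 };
    const char *names[] =
        { "same ids, other ns", "root, other ns", "same ids, non-dumpable" };
    for (int i = 0; i < 3; i++)
        printf("%-24s ptrace=%d proposed=%d old=%d differ=%d\n", names[i],
               may_ptrace(&viewer_uid1000, targets[i]),
               proc_allowed_proposed(PROC_ROOT, &viewer_uid1000, targets[i]),
               proc_allowed_old(PROC_ROOT, &viewer_uid1000, targets[i]),
               policies_differ(PROC_ROOT, &viewer_uid1000, targets[i]));
    return 0;
}
```

Running it shows the shape of the argument: for the root-owned and the non-dumpable targets both policies deny, so the namespace check adds nothing; for the same-uid target in another namespace the old policy denies a viewer who could attach with ptrace anyway. Keeping `may_ptrace()` as the only gate (and, per point 3, defining it once for both fs/proc and kernel/ptrace.c) is what stops the two decisions from drifting apart.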

Thread overview: 36+ messages
2005-05-20 22:11 [RFC][PATCH] rbind across namespaces Ram
2005-05-21  6:27 ` Miklos Szeredi
2005-05-21  7:26   ` Ram
2005-05-21  8:09     ` Miklos Szeredi
2005-05-21  8:45       ` Ram
2005-05-21  9:09         ` Miklos Szeredi
2005-05-21 10:07           ` Ram
2005-05-21 13:12             ` Miklos Szeredi
2005-05-22 20:25               ` Ram
2005-05-22 20:51                 ` Ram
2005-05-23  5:08                   ` Miklos Szeredi
2005-05-23  7:24                     ` Ram
2005-05-23  8:24                       ` Miklos Szeredi
2005-05-21  9:48         ` Miklos Szeredi
2005-05-21 13:46       ` Jamie Lokier
2005-05-22  8:08         ` Miklos Szeredi
2005-05-22 17:04           ` [RFC][PATCH] /proc/dead_mounts support (Was: [RFC][PATCH] rbind across ...) Miklos Szeredi
2005-05-22 21:10           ` [RFC][PATCH] rbind across namespaces Ram
2005-05-23  5:07             ` Miklos Szeredi
2005-05-24  0:39           ` Mike Waychison
2005-05-24  5:43             ` Miklos Szeredi
2005-05-24  7:13               ` Mike Waychison
2005-05-24  8:25                 ` Miklos Szeredi
2005-05-24 17:09                   ` Mike Waychison
2005-05-24 17:31                     ` Miklos Szeredi
2005-05-24 17:44                       ` Mike Waychison
2005-05-24 17:56                         ` Miklos Szeredi
2005-05-24 18:04                           ` Mike Waychison
2005-05-30 19:06                             ` Ram
2005-05-24  9:18                 ` Miklos Szeredi
2005-05-24 17:15                   ` Mike Waychison
2005-05-24 17:46                     ` Miklos Szeredi
2005-05-24 18:15                     ` Jamie Lokier [this message]
2005-05-24 18:33                       ` Mike Waychison
2005-05-24 21:51                         ` Jamie Lokier
2005-05-21 13:43     ` Jamie Lokier
