From: "Serge E. Hallyn" <serge.hallyn@canonical.com>
To: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Tejun Heo <tj@kernel.org>, Pavel Emelyanov <xemul@parallels.com>,
Vasiliy Kulikov <segoon@openwall.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] Introduce CAP_CHECKPOINT capability and filter map_files/ access
Date: Thu, 17 Nov 2011 09:41:05 -0600 [thread overview]
Message-ID: <20111117154105.GA4522@sergelap> (raw)
In-Reply-To: <20111117100439.GK20508@moon>
Quoting Cyrill Gorcunov (gorcunov@gmail.com):
> The goal idea of checkpoint/restore is to provide this feature not
> for admins only but regular users as well. Still some operations
> are privileged -- such as accessing /proc/$pid/map_files.
>
> So instead of requiring anyone who has a will to checkpoint/restore
> processes CAP_SYS_ADMIN privileges, it might (?) be worth to bring a way
> less powerful CAP_CHECKPOINT capability.
>
> The following permissions for CAP_CHECKPOINT should be granted
> - read/write /proc/$pid/map_files/
read/write to all map files, or only pids he owns?
I think a CAP_CHECKPOINT may make sense, but not if includes read/write
to all map files. That's too much power, and you may as well just hand
him everything. But, CAP_CHECKPOINT shouldn't need to include that. You
should be able to get that for instance by being the creator of the user
namespace being checkpointed. If you really want to checkpoint/restart
anything on the system, then you should be required to be root. Trying
to easily hand that power to an unprivileged user is more dangerous imo.
> - (not yet merged) clone-with-specified-pid, might be changed to last_pid+clone setup
> - (not yet published/stabilized) prctls calls to tune up vDSO and elements
> of mm_struct such as mm->start_code, mm->end_code, mm->start_data and etc
>
> I would like to gather people opinions on such approach as a general.
> _ANY_ comments are highly appreciated. Would it worth it or not (since
> CAPs space is pretty limited one).
It's hard to have a specific dialogue without the full c/r patchset and
idea of the architecture of the exploiters (ie c/r and maybe
debuggers)
Sorry, the security implications of the in-kernel c/r syscalls were
pretty simple and clear to me, but those of the new approach are not.
-serge
next prev parent reply other threads:[~2011-11-17 15:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-17 10:04 [RFC] Introduce CAP_CHECKPOINT capability and filter map_files/ access Cyrill Gorcunov
2011-11-17 15:41 ` Serge E. Hallyn [this message]
2011-11-17 16:24 ` Cyrill Gorcunov
2011-11-17 20:54 ` Andrew Morton
2011-11-17 21:07 ` Serge E. Hallyn
2011-11-17 21:31 ` Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111117154105.GA4522@sergelap \
--to=serge.hallyn@canonical.com \
--cc=akpm@linux-foundation.org \
--cc=gorcunov@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=segoon@openwall.com \
--cc=tj@kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).