From: "Serge E. Hallyn" <serge.hallyn@canonical.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>, Tejun Heo <tj@kernel.org>,
Pavel Emelyanov <xemul@parallels.com>,
Vasiliy Kulikov <segoon@openwall.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] Introduce CAP_CHECKPOINT capability and filter map_files/ access
Date: Thu, 17 Nov 2011 15:07:13 -0600 [thread overview]
Message-ID: <20111117210713.GA8045@sergelap> (raw)
In-Reply-To: <20111117125414.0b134897.akpm@linux-foundation.org>
Quoting Andrew Morton (akpm@linux-foundation.org):
> On Thu, 17 Nov 2011 09:41:05 -0600
> "Serge E. Hallyn" <serge.hallyn@canonical.com> wrote:
>
> > > - (not yet merged) clone-with-specified-pid, might be changed to last_pid+clone setup
> > > - (not yet published/stabilized) prctls calls to tune up vDSO and elements
> > > of mm_struct such as mm->start_code, mm->end_code, mm->start_data and etc
> > >
> > > I would like to gather people opinions on such approach as a general.
> > > _ANY_ comments are highly appreciated. Would it worth it or not (since
> > > CAPs space is pretty limited one).
> >
> > It's hard to have a specific dialogue without the full c/r patchset and
> > idea of the architecture of the exploiters (ie c/r and maybe
> > debuggers)
> >
> > Sorry, the security implications of the in-kernel c/r syscalls were
> > pretty simple and clear to me, but those of the new approach are not.
>
> yup.
>
> From a development-order perspective perhaps it is better to get
> everything working and stabilized for root first. Then as a separate
> activity start working on making it available to less-privileged users.
>
> We would need to be confident that such a second development effort
> doesn't cause back-compatibility issues (ie: interface changes) for
> existing root users.
>
>
>
> Is it possible that once everything is working for root, we realise
> that we can get it all working for non-root users via suitable setuid
> userspace tools?
Not only that, I think it's possible that by the time all the needed c/r
pieces are in, user namespaces will be as well, as will unprivileged
namespace cloning (at least when done along with CLONE_NEWUSER). In that
case, it should be possible to do c/r of a container with no privileges
on the host (but full privileges to the user namespace of the container).
-serge
next prev parent reply other threads:[~2011-11-17 21:07 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-17 10:04 [RFC] Introduce CAP_CHECKPOINT capability and filter map_files/ access Cyrill Gorcunov
2011-11-17 15:41 ` Serge E. Hallyn
2011-11-17 16:24 ` Cyrill Gorcunov
2011-11-17 20:54 ` Andrew Morton
2011-11-17 21:07 ` Serge E. Hallyn [this message]
2011-11-17 21:31 ` Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111117210713.GA8045@sergelap \
--to=serge.hallyn@canonical.com \
--cc=akpm@linux-foundation.org \
--cc=gorcunov@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=segoon@openwall.com \
--cc=tj@kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).