From: Vasiliy Kulikov <segoon@openwall.com>
To: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Kees Cook <keescook@chromium.org>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
kernel-hardening@lists.openwall.com,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [RFC] Make Yama pid_ns aware
Date: Wed, 23 Nov 2011 11:45:10 +0400 [thread overview]
Message-ID: <20111123074510.GA2356@albatros> (raw)
In-Reply-To: <20111122201007.GA21722@sergelap>
On Tue, Nov 22, 2011 at 14:10 -0600, Serge Hallyn wrote:
> Quoting Vasiliy Kulikov (segoon@openwall.com):
> > Hi Serge,
> >
> > On Tue, Nov 22, 2011 at 12:13 -0600, Serge Hallyn wrote:
> > > Quoting Vasiliy Kulikov (segoon@openwall.com):
> > > > As Yama's sysctls are about defining a security policy for the system,
> > > > it is reasonable to define it per container in case of LXC containers
> > > > (or out-of-tree alternatives like OpenVZ). In my opinion they belong
> > > > to pid namespace. With per-pid_ns sysctls it is possible to create
> > > > multiple containers with different ptrace, /tmp, etc. policies.
> > >
> > > tying the ptrace policy to pidns makes some sense, but is it definately
> > > what we want?
> > >
> > > Is the idea that the container should never be able to bypass the
> > > restrictions, or should root in the container eventually be able to
> > > bypass it as he can on the host?
> >
> > In-container root already has CAP_SYS_PTRACE, so he can avoid the check
> > even if Yama's ptrace policy is enabled.
>
> Well, not necessarily :) But in general.
This is the question is what in-container root is :-) Until LXC root is
restricted up to the case where he is unable to get out of the container
in the mainline kernel, I assume we're talking about an abstract entity
which has full control over the container. It includes stuff like
CAP_CHOWN, CAP_KILL, CAP_SYS_PTRACE, CAP_NET_ADMIN, etc. etc. The
debatable thing is what parts of CAP_SYS_ADMIN belong to in-container
root, like ability to mount/umount. But CAP_SYS_PTRACE is surely
belongs to the in-container root.
> But still, is turning this on and off per-container, and leaving it off
> on the host, something people will reasonably want to do?
Probably we need strict rules like ptrace is relaxed iff in both source
ns and dest ns ptrace is relaxed.
> I'm just
> wondering whether adding the extra data on the pidns is worth it. It's
> fine if it is, but I'm having a hard time imagining someone using it
> like that.
We have already very big net_namespace with all kind of per-ns stuff.
Yama's variables don't significantly increase the size of container.
Actually, what concerns me is not ptrace, but symlink/hardling
protection. There is no interaction between namespaces in case of
containers via symlinks in the basic case. In case of ptrace I don't
think the child ns may weaken the parent ns - child ns may not access
processes of the parent namespace and everything it may ptrace is
already inside of this ns.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
next prev parent reply other threads:[~2011-11-23 7:47 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-26 23:49 [PATCH v6 0/3] security: Yama LSM Kees Cook
2011-10-26 23:49 ` [PATCH 1/3] " Kees Cook
2011-10-26 23:49 ` [PATCH 2/3] security: create task_free security callback Kees Cook
2011-10-26 23:49 ` [PATCH 3/3] security: Yama: add ptrace relationship tracking interface Kees Cook
2011-11-19 16:30 ` Vasiliy Kulikov
2011-11-19 16:59 ` Solar Designer
2011-11-21 18:40 ` Kees Cook
2011-11-01 20:45 ` [PATCH v6 0/3] security: Yama LSM James Morris
2011-11-01 21:05 ` Kees Cook
2011-11-01 21:37 ` James Morris
2011-11-01 23:23 ` Kees Cook
2011-11-18 4:17 ` James Morris
2011-11-18 21:39 ` Kees Cook
2011-11-18 21:45 ` Roland McGrath
2011-11-18 22:44 ` Kees Cook
2011-11-18 23:18 ` Kees Cook
2011-11-21 19:18 ` [RFC] Make Yama pid_ns aware Vasiliy Kulikov
2011-11-21 19:42 ` Kees Cook
2011-11-22 18:13 ` Serge Hallyn
2011-11-22 19:20 ` Vasiliy Kulikov
2011-11-22 20:10 ` Serge Hallyn
2011-11-23 7:45 ` Vasiliy Kulikov [this message]
2011-11-23 14:41 ` Serge Hallyn
2011-11-23 14:49 ` Serge E. Hallyn
2011-11-23 16:55 ` Vasiliy Kulikov
2011-11-23 17:00 ` Serge Hallyn
2011-11-28 18:12 ` Kees Cook
2011-11-28 18:14 ` Vasiliy Kulikov
2011-11-28 19:16 ` [RFC -resend] " Vasiliy Kulikov
2011-11-28 19:35 ` Kees Cook
2011-11-28 20:15 ` Kees Cook
2011-11-28 20:00 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111123074510.GA2356@albatros \
--to=segoon@openwall.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge.hallyn@canonical.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox