From: Florian Weimer <fweimer@redhat.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: Aleksa Sarai <cyphar@cyphar.com>, "Enrico Weigelt\,
metux IT consult" <lkml@metux.net>,
Christian Brauner <christian@brauner.io>,
Linus Torvalds <torvalds@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>, Jann Horn <jannh@google.com>,
David Howells <dhowells@redhat.com>,
Linux API <linux-api@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Arnd Bergmann <arnd@arndb.de>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Kees Cook <keescook@chromium.org>,
Thomas Gleixner <tglx@linutronix.de>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
Joel Fernandes <joel@joelfernandes.org>,
Daniel Colascione <dancol@google.com>
Subject: Re: RFC: on adding new CLONE_* flags [WAS Re: [PATCH 0/4] clone: add CLONE_PIDFD]
Date: Wed, 17 Apr 2019 14:19:29 +0200 [thread overview]
Message-ID: <87v9zc6cz2.fsf@oldenburg2.str.redhat.com> (raw)
In-Reply-To: <CALCETrWxMnaPvwicqkMLswMynWvJVteazD-bFv3ZnBKWp-1joQ@mail.gmail.com> (Andy Lutomirski's message of "Mon, 15 Apr 2019 13:29:23 -0700")
* Andy Lutomirski:
> I would personally *love* it if distros started setting no_new_privs
> for basically all processes.
Wouldn't no_new_privs inhibit all security transitions, including those
that reduce privileges? And therefore effectively reduce security?
> Anyway, clone(2) is an enormous mess. Surely the right solution here
> is to have a whole new process creation API that takes a big,
> extensible struct as an argument, and supports *at least* the full
> abilities of posix_spawn() and ideally covers all the use cases for
> fork() + do stuff + exec(). It would be nifty if this API also had a
> way to say "add no_new_privs and therefore enable extra functionality
> that doesn't work without no_new_privs". This functionality would
> include things like returning a future extra-privileged pidfd that
> gives ptrace-like access.
I agree that consistent replacement for the clone system call makes
sense. I'm not sure if covering everything that posix_spawn could do
would make sense. There seems to be some demand to be able to do large
parts of container setup using posix_spawn, so we'll probably add
support for things like writing to arbitrary files eventually. And of
course, proper error reporting, so that you can figure out which file
creation action failed.
Thanks,
Florian
next prev parent reply other threads:[~2019-04-17 12:19 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-14 20:14 [PATCH 0/4] clone: add CLONE_PIDFD Christian Brauner
2019-04-14 20:14 ` [PATCH 1/4] Make anon_inodes unconditional Christian Brauner
2019-04-14 20:14 ` [PATCH 2/4] clone: add CLONE_PIDFD Christian Brauner
2019-04-15 10:52 ` Oleg Nesterov
2019-04-15 11:42 ` Christian Brauner
2019-04-15 13:24 ` Oleg Nesterov
2019-04-15 13:52 ` Christian Brauner
2019-04-15 16:25 ` Joel Fernandes
2019-04-15 17:15 ` Jonathan Kowalski
2019-04-15 19:39 ` Daniel Colascione
2019-04-14 20:14 ` [PATCH 3/4] signal: support CLONE_PIDFD with pidfd_send_signal Christian Brauner
2019-04-14 20:14 ` [PATCH 4/4] samples: show race-free pidfd metadata access Christian Brauner
2019-04-15 10:08 ` RFC: on adding new CLONE_* flags [WAS Re: [PATCH 0/4] clone: add CLONE_PIDFD] Enrico Weigelt, metux IT consult
2019-04-15 15:50 ` Serge E. Hallyn
2019-04-16 18:32 ` Enrico Weigelt, metux IT consult
2019-04-29 15:49 ` Serge E. Hallyn
2019-04-29 17:31 ` Enrico Weigelt, metux IT consult
2019-05-05 2:32 ` Serge E. Hallyn
2019-04-15 19:59 ` Aleksa Sarai
2019-04-15 20:29 ` Andy Lutomirski
2019-04-15 21:27 ` Jonathan Kowalski
2019-04-15 23:58 ` Andy Lutomirski
2019-04-16 18:45 ` Enrico Weigelt, metux IT consult
2019-04-16 21:31 ` Andy Lutomirski
2019-04-17 12:03 ` Enrico Weigelt, metux IT consult
2019-04-17 12:54 ` Christian Brauner
2019-04-18 15:46 ` Enrico Weigelt, metux IT consult
2019-04-17 12:19 ` Florian Weimer [this message]
2019-04-17 16:46 ` Andy Lutomirski
2019-04-20 7:14 ` Kevin Easton
2019-04-20 11:15 ` Christian Brauner
2019-04-20 15:06 ` Daniel Colascione
2019-04-29 19:30 ` Jann Horn
2019-04-29 19:55 ` Jann Horn
2019-04-29 20:21 ` Linus Torvalds
2019-04-29 20:38 ` Florian Weimer
2019-04-29 20:51 ` Christian Brauner
2019-04-29 21:31 ` Linus Torvalds
2019-04-30 7:01 ` Florian Weimer
2019-04-30 0:38 ` Jann Horn
2019-04-30 2:16 ` Linus Torvalds
2019-04-30 8:21 ` Florian Weimer
2019-04-30 16:19 ` Linus Torvalds
2019-04-30 16:26 ` Linus Torvalds
2019-04-30 17:07 ` Florian Weimer
2019-04-30 12:39 ` Oleg Nesterov
2019-04-30 16:24 ` Linus Torvalds
2019-04-29 20:49 ` Florian Weimer
2019-04-29 20:52 ` Christian Brauner
2019-04-20 15:28 ` Al Viro
2019-04-16 18:37 ` Enrico Weigelt, metux IT consult
2019-04-15 10:16 ` [PATCH 0/4] clone: add CLONE_PIDFD Enrico Weigelt, metux IT consult
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87v9zc6cz2.fsf@oldenburg2.str.redhat.com \
--to=fweimer@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=christian@brauner.io \
--cc=cyphar@cyphar.com \
--cc=dancol@google.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=joel@joelfernandes.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lkml@metux.net \
--cc=luto@kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=oleg@redhat.com \
--cc=serge@hallyn.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).