From: Evgeniy Polyakov <zbr@ioremap.net>
To: "Rémi Denis-Courmont" <rdenis@simphalempin.com>
Cc: Michael Stone <michael@laptop.org>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH] Security: Implement and document RLIMIT_NETWORK.
Date: Thu, 8 Jan 2009 00:42:28 +0300
Message-ID: <20090107214228.GA4610@ioremap.net>
In-Reply-To: <200901072254.14017.rdenis@simphalempin.com>
On Wed, Jan 07, 2009 at 10:54:13PM +0200, Rémi Denis-Courmont (rdenis@simphalempin.com) wrote:
> No no no.
>
> There is a huge fundamental difference between setrlimit, prctl(SECCOMP),
> set*uid and chroot on the one side, and iptables on the other side: The first
> ones are APIs for a process to control its own permission. iptables is an
> interface to control the _whole_ system.
>
> In other words, the first ones are usable programmatically. iptables is not,
> unless you're willing to assume the kernel only operates one single
> userland "software".
The iptables 'owner' match module exactly 'operates one single userland software'.
> From the perspective of distros and system admins, perhaps SELinux and
> iptables are sufficient to address this. But from that of a third-party,
> upstream, distro-independent or whatever-you-want-to-call-it software vendor,
> they don't quite work due to their centralized nature.
Actually SELinux is an even better example, although this does depend on the
distro. A system which wants to secure network connections already knows
what netfilter is. This dependency equals that on a recent-enough
kernel with the new rlimit.
To be clear: I do _not_ object to this patch. This is likely a good
idea and, while it could potentially be implemented in a different way, it
has its right to exist :)
> > > As I understand it, Michael is trying to build something similar to
> > > SECCOMP, only way less restrictive and way more usable by real-life
> > > userland programs.
>
> > Security and unprivileged setup are mutually impossible cases.
>
> On a high level, sure. You need a trusted privileged entity somewhere.
>
> But when it comes _specifically_ to "unprivileged" as in "non-root", I believe
> there is a use case for something less restrictive than SECCOMP, yet more
> restrictive than just being a normal non-root process. Something along the
> lines of: cannot debug other processes, cannot send signals to them, cannot
> create file descriptors, cannot bind sockets, yet can allocate memory, can
> read timers, can read/write from any type of (already opened) file. Or
> whatever brighter and more knowledgeable mind than mine could define.
>
> Or can someone prove that there is no set of permissions bigger than those of
> SECCOMP that would effectively equate to those of a normal non-privileged
> process?
We have a good capabilities subsystem and it has a proper layered design.
But still, the rlimit has to be assigned by something higher in this
hierarchy.
--
Evgeniy Polyakov
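The distinction Rémi draws above, between APIs a process uses to restrict itself (setrlimit, prctl, set*uid, chroot) and iptables, which configures the whole system, can be shown with a resource limit that already exists in mainline. The C program below is an added example, not code from the RLIMIT_NETWORK patch or from anyone in this thread; it uses RLIMIT_NOFILE as a stand-in for the proposed RLIMIT_NETWORK, and the function names, the result struct and the pipe are mine. It demonstrates the "cannot create file descriptors, cannot open sockets, yet can still read/write already opened files" mode from the quoted message: lowering a soft limit needs no privilege, so an unprivileged process can apply it to itself, and descriptors opened beforehand keep working.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of the experiment (struct is mine, not from the thread). */
struct fd_limit_result {
    int socket_errno;   /* errno returned by socket() under the limit; 0 if it succeeded, -1 if the experiment failed */
    int pipe_ok;        /* 1 if a pipe opened before the limit still carried data under it */
};

/* Try to create a new socket; return 0 on success or the errno on failure.
 * AF_UNIX is used so that the only thing standing in the way is the
 * descriptor limit, not network configuration. */
static int try_socket(void)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Apply a self-imposed "no new descriptors" restriction and probe it.
 * Only the soft limit (rlim_cur) is lowered so the caller can restore it
 * afterwards; a real sandbox would lower rlim_max too (typically in the
 * parent, before exec), after which the child cannot undo the restriction.
 * That is the "assigned by something higher in the hierarchy" point. */
struct fd_limit_result run_fd_limit_experiment(void)
{
    struct fd_limit_result r = { -1, 0 };
    struct rlimit saved, rl;
    int p[2];
    char c = 'x', back = 0;

    /* A descriptor pair opened BEFORE the limit is applied. */
    if (pipe(p) != 0)
        return r;

    if (getrlimit(RLIMIT_NOFILE, &saved) != 0)
        goto out;

    rl = saved;
    rl.rlim_cur = 0;    /* refuse every new descriptor; existing ones are unaffected */
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
        goto out;

    /* Under the limit: socket() must fail with EMFILE ... */
    r.socket_errno = try_socket();

    /* ... while the pre-opened pipe still works for read/write. */
    r.pipe_ok = (write(p[1], &c, 1) == 1 &&
                 read(p[0], &back, 1) == 1 &&
                 back == 'x');

    /* Restoring is possible only because rlim_max was left alone. */
    setrlimit(RLIMIT_NOFILE, &saved);

out:
    close(p[0]);
    close(p[1]);
    return r;
}

int main(void)
{
    struct fd_limit_result r = run_fd_limit_experiment();
    printf("socket() under RLIMIT_NOFILE=0: %s\n",
           r.socket_errno > 0 ? strerror(r.socket_errno) : "succeeded (unexpected)");
    printf("pre-opened pipe still usable:   %s\n", r.pipe_ok ? "yes" : "no");
    return 0;
}
```

Run it as any unprivileged user: no capability is needed to lower one's own limit, which is exactly the property that makes the rlimit approach usable by a third-party program, whereas adding an iptables `owner` rule for the same effect requires root and touches the whole host.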