From: Vivek Goyal <vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: David Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
ssorce-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
lpoetter-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
kay-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org,
dwalsh-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Subject: Re: [PATCH 0/2] net: Implement SO_PEERCGROUP and SO_PASSCGROUP socket options
Date: Wed, 23 Apr 2014 12:16:21 -0400 [thread overview]
Message-ID: <20140423161621.GC24651@redhat.com> (raw)
In-Reply-To: <20140423155512.GA24651-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On Wed, Apr 23, 2014 at 11:55:12AM -0400, Vivek Goyal wrote:
> On Tue, Apr 22, 2014 at 04:05:58PM -0400, David Miller wrote:
> > From: Vivek Goyal <vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> > Date: Tue, 15 Apr 2014 17:15:44 -0400
> >
> > > This is another version of patchset to add support passing cgroup
> > > information of client over unix socket API.
> >
> > I'm marking this patch series as "changes requested" in patchwork
> > because if we still end up adding this feature SO_PASSCGROUP needs to
> > be changed to behave like SO_PASSCRED.
>
> Does this concern of passing of real uid apply to cgroups also. Even
> if somebody tricks suid program to write to fd setup by under priviliged
> program how would that pgram force setuid program to change cgroup.
>
> To me passing cgroup information looks more like "pid" information where
> we pass the actual pid of setuid program and not the pid of parent who
> setup fd.
>
> How would one trick setuid program change cgroup? If not, then this class
> of attack does not seem to apply to SO_PASSCGROUP.
>
> So I think real discussion here should be how "cgroup" information should
> be used and not necessarily whether we should be passing cgroup
> information of sender. This information is already available. One can
> do SO_PASSCRED, get pid, get /proc/pid/cgroup and use cgroup in whatever
> way they want.
Kernel uses cgroup information to provide service differentiation. So lets
say hypothetically I write a logging program which gets the cgroup of
clinent and uses that information to limit the log file size. Is that
a problem?
First of all I am not aware how would I force setuid program to change
cgroup. So even if one tricks setuid program to effectively convert it
into "suid cat", cgroup information remains the same and there is no
privilige escalation here.
And one example Andy had mentioned that what if I pass fd to a service
which accepts fd and it is running in a cgroup. Then we have a problem
at kernel level also. What if that fd is a regular file and that service
it outputting tons of data. Kernel will apply all resource management
rules based one cgroup of *priviliged service* and not based on
caller's cgroup who passed the fd to priviliged service.
So to me passing cgroup information around at run time and use that
information for resource management in user space will very much
be in line with what kernel is doing and will be no different.
Thanks
Vivek
next prev parent reply other threads:[~2014-04-23 16:16 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-15 21:15 [PATCH 0/2] net: Implement SO_PEERCGROUP and SO_PASSCGROUP socket options Vivek Goyal
2014-04-15 21:15 ` [PATCH 1/2] net: Implement SO_PEERCGROUP Vivek Goyal
[not found] ` <1397596546-10153-2-git-send-email-vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-15 21:54 ` Andy Lutomirski
2014-04-16 0:22 ` Vivek Goyal
2014-04-15 21:15 ` [PATCH 2/2] net: Implement SO_PASSCGROUP to enable passing cgroup path Vivek Goyal
[not found] ` <1397596546-10153-3-git-send-email-vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-15 21:53 ` Andy Lutomirski
2014-04-15 23:09 ` Simo Sorce
2014-04-16 0:20 ` Vivek Goyal
[not found] ` <20140416002010.GA5035-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-16 1:05 ` David Miller
2014-04-16 3:47 ` Andy Lutomirski
[not found] ` <CALCETrWzHYN3kKcmDTFDfGhZqE4u9+6XDtiOu5nncbK_7KKH0g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 10:17 ` Vivek Goyal
[not found] ` <20140416101709.GA14131-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-16 14:34 ` Andy Lutomirski
[not found] ` <CALCETrUTMSpd=NYn9QuO5Y3WY0uBhjNEHO0jCwZu0L59CpeDew-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 15:10 ` Vivek Goyal
2014-04-16 12:57 ` David Miller
2014-04-16 14:37 ` Andy Lutomirski
[not found] ` <CALCETrVv8SPM5xjOVGy7qO2aq3FKtG2uG57J49nO7Wy0-gg0Ew-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 16:13 ` Simo Sorce
2014-04-16 16:21 ` Tejun Heo
[not found] ` <20140416162149.GI1257-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
2014-04-16 16:54 ` Simo Sorce
[not found] ` <1397664837.19767.410.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-16 16:31 ` Andy Lutomirski
[not found] ` <CALCETrXn7b6UuALpGUVoyQYfR2uzk5tj2ABV=dkvtFNgqM5sxQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 17:02 ` Simo Sorce
2014-04-16 17:29 ` Andy Lutomirski
[not found] ` <CALCETrU_yKQVZyVug25cxwQFjWJ7Zf20FY-6ht+RJifXtDdDWg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 17:34 ` Simo Sorce
[not found] ` <1397669685.19767.450.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-16 17:53 ` Andy Lutomirski
2014-04-16 18:36 ` Vivek Goyal
[not found] ` <20140416183614.GH31074-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-16 18:40 ` Andy Lutomirski
2014-04-16 18:51 ` Vivek Goyal
2014-04-16 18:59 ` Andy Lutomirski
2014-04-16 18:06 ` Vivek Goyal
[not found] ` <20140416180642.GG31074-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-16 18:13 ` Andy Lutomirski
2014-04-16 18:25 ` Vivek Goyal
[not found] ` <20140416182530.GB550-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-16 18:35 ` Andy Lutomirski
[not found] ` <CALCETrUs1js3Br81ZkiQnsuWduzOiqDe3aV0K_z_zw0znSuiag-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 19:06 ` Vivek Goyal
2014-04-16 19:13 ` Andy Lutomirski
[not found] ` <CALCETrUv56awd+UoO_f8LLL2FVq-Hc6Bd6iBGMqWjVGpgxgTSg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 19:39 ` Vivek Goyal
2014-04-16 20:24 ` Andy Lutomirski
2014-04-17 13:41 ` Vivek Goyal
[not found] ` <CALCETrVUw5+vCCONy1VTXpskbY_eZFo2CtbehwV5Mhj4d4+icw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-16 18:59 ` Vivek Goyal
2014-04-17 15:41 ` Daniel J Walsh
[not found] ` <534FF61B.4010901-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-17 16:04 ` Simo Sorce
[not found] ` <1397750674.2628.44.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 16:11 ` Andy Lutomirski
[not found] ` <CALCETrUrj2LtAoXp600BD2ANgE2UUEbTYQrK8hHqDR=qpeFPcg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 16:24 ` Simo Sorce
[not found] ` <1397751853.2628.50.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 16:37 ` Andy Lutomirski
[not found] ` <CALCETrWNWvumFg9Qba0GEOjYop4WYe530tCPtakrhnoCrHqhUQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 16:48 ` Simo Sorce
[not found] ` <1397753323.2628.60.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 16:55 ` Andy Lutomirski
[not found] ` <CALCETrXj6kD3E+vsaWmkrSbaQYTu=c-Hsw640jh4O+FbojYk2g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 17:12 ` Vivek Goyal
2014-04-17 17:26 ` Andy Lutomirski
[not found] ` <CALCETrVq4HRpfWOAbZAQbyjuraQd=OxnW=WjSoe5JgBzRStiKg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 17:33 ` Simo Sorce
[not found] ` <1397756025.2628.64.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 17:35 ` Andy Lutomirski
[not found] ` <CALCETrVBJFgKwRKBE2jAG6kiGgkJ+MyQiw2nyz5yj0h68kCk9A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 17:47 ` Simo Sorce
[not found] ` <1397756821.2628.69.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 18:05 ` Andy Lutomirski
2014-04-17 18:23 ` Simo Sorce
[not found] ` <1397759013.2628.86.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 18:33 ` Andy Lutomirski
2014-04-17 18:50 ` Vivek Goyal
[not found] ` <20140417185023.GA32527-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-17 18:57 ` Vivek Goyal
[not found] ` <20140417185742.GB32527-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-17 19:06 ` Andy Lutomirski
[not found] ` <CALCETrXJPJeGBdauQS_WR5FNaZXR=05NjNKuC6r0xFORt+eaJQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 19:15 ` Simo Sorce
2014-04-17 19:19 ` Andy Lutomirski
2014-04-17 19:10 ` Simo Sorce
[not found] ` <1397761817.2628.113.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 19:16 ` Vivek Goyal
[not found] ` <20140417191646.GA2461-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-17 19:46 ` Andy Lutomirski
[not found] ` <CALCETrW3F1+3qF3thrAmuoWVbRveBJ2=owpigh4mv6iAafoQCw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-21 15:03 ` Vivek Goyal
2014-04-21 15:47 ` Andy Lutomirski
2014-04-23 15:07 ` Vivek Goyal
2014-04-23 15:37 ` Andy Lutomirski
2014-04-23 16:01 ` Vivek Goyal
2014-04-17 19:23 ` Andy Lutomirski
2014-04-17 17:52 ` Simo Sorce
[not found] ` <1397757169.2628.75.camel-Hs+ccMQdwurzDu64bZtGtWD2FQJk+8+b@public.gmane.org>
2014-04-17 18:04 ` Andy Lutomirski
[not found] ` <CALCETrUon7mZzp12th2bZ=cJyTjn8ePwg_VtPWL_bykjnnpKLw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-17 18:31 ` Simo Sorce
2014-04-17 16:38 ` Vivek Goyal
2014-04-17 16:12 ` Vivek Goyal
2014-04-17 16:05 ` Andy Lutomirski
2014-04-23 16:45 ` Vivek Goyal
2014-04-23 17:29 ` David Miller
[not found] ` <20140423.132955.671992126955940387.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2014-04-24 20:34 ` Vivek Goyal
[not found] ` <20140424203427.GC19091-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-24 20:48 ` David Miller
2014-04-24 21:04 ` Vivek Goyal
2014-04-24 21:11 ` David Miller
[not found] ` <20140424.171155.806959282091051918.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2014-04-25 0:29 ` Simo Sorce
[not found] ` <1397596546-10153-1-git-send-email-vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-22 20:05 ` [PATCH 0/2] net: Implement SO_PEERCGROUP and SO_PASSCGROUP socket options David Miller
2014-04-22 20:08 ` Andy Lutomirski
2014-04-22 20:29 ` David Miller
2014-04-22 20:31 ` Andy Lutomirski
2014-04-22 20:32 ` David Miller
[not found] ` <20140422.163251.1863774803211446171.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2014-04-23 0:37 ` Andy Lutomirski
[not found] ` <CALCETrX_TCbKy-3W590wG3rq9O3Hzbqc_wu3EGg7PKn2NNsTpQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-23 19:05 ` Vivek Goyal
2014-04-23 20:53 ` Daniel J Walsh
[not found] ` <5358284B.7020706-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-24 13:01 ` Vivek Goyal
[not found] ` <20140422.160558.627080587952506099.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2014-04-23 15:55 ` Vivek Goyal
[not found] ` <20140423155512.GA24651-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-23 16:16 ` Vivek Goyal [this message]
2014-04-23 17:21 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140423161621.GC24651@redhat.com \
--to=vgoyal-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org \
--cc=dwalsh-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=kay-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=lpoetter-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=ssorce-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).