| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Aug 2008 23:47:49 +0200 From: Arnd Bergmann <arnd@...db.de> To: Dave Hansen <dave@...ux.vnet.ibm.com> Cc: "Serge E. Hallyn" <serue@...ibm.com>, containers@...ts.linux-foundation.org, Theodore Tso <tytso@....edu>, linux-kernel@...r.kernel.org Subject: Re: checkpoint/restart ABI On Monday 11 August 2008, Dave Hansen wrote: > Thanks for all of the very interesting comments about the ABI. > > Considering that we're still *really* early in getting this concept > merged up into mainline, what do you all think we should do now? I think the two most important aspects here need to be security and simplicity. If you have to choose between the two, it probably makes sense to put security first, because loading untrusted data into the kernel puts you at a significant risk to start with. If you can show a restart interface that lets regular users restart their tasks in a way anyone can verify to be secure, that will be a good indication that you're on the right track. The other problem that you really need to solve is interface stability. What you are creating is a binary representation of many kernel internal data structures, so in our common rules, you have to make sure that you remain forward and backward compatible. Simply saying that you need to run an identical kernel when restarting from a checkpoint is not enough IMHO. Some more words on specific interfaces that we have discussed: The single-file-descriptor approach has the big advantage of keeping the complexity in one place (the kernel). To be consistent with other kernel interfaces, I would make the kernel hand out a file descriptor, not let the user open a file and pass that into the kernel as you do now. A new file system is a good idea for many complex interfaces that make their way into the kernel, but I don't think it will help in this case. For checkpointing a single task, or even a task with its children, a different interface I could imagine would be to have a new file in procfs per pid that you can read as a pipe giving our the same data that you currently save in the checkpoint file descriptor. It does mean that you won't be able to pass flags down easily (you could write to the pipe before you start reading, but that's not too nice). On the restart side, I think the most consistent interface would be a new binfmt_chkpt implementation that you can use to execve a checkpoint, just like you execute an ELF file today. The binfmt can be a module (unlike a syscall), so an administrator that is afraid of the security implications can just disable it by not loading the module. In an execve model, the parent process can set up anything related to credentials as good as it's allowed to and then let the kernel do the rest. Arnd <>< -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists