| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 08 Nov 2013 21:22:48 -0800 From: ebiederm@...ssion.com (Eric W. Biederman) To: Janne Karhunen <janne.karhunen@...il.com> Cc: Gao feng <gaofeng@...fujitsu.com>, linux-fsdevel@...r.kernel.org, Linux Containers <containers@...ts.linux-foundation.org>, Andy Lutomirski <luto@...capital.net>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: [REVIEW][PATCH 1/2] userns: Better restrictions on when proc and sysfs can be mounted Janne Karhunen <janne.karhunen@...il.com> writes: > On Sat, Nov 2, 2013 at 8:06 AM, Gao feng <gaofeng@...fujitsu.com> wrote: > >> And another question, it looks like if we don't have proc/sys fs mounted, >> then proc/sys will be failed to be mounted? > > I have been wondering the same. Was quite some illogical surprise that > we have to be doing overlay mounts. This is the exact opposite from what > anyone would expect. Before I address the question of bugs I will answer the question of semantics. In weird cases like chroot jails it is desirable not to mount /sys and /proc and if root sets that policy it would be unfortunate if user namespaces overrode the policy. It limits what an attacker can accomplish. So yes in the case of /proc and /sys the goal is to limit you to functionality you could have had with bind mounts. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists