| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 May 2014 11:16:14 +0200 From: Seth Forshee <seth.forshee@...onical.com> To: Marian Marinov <mm@...com> Cc: linux-kernel@...r.kernel.org, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Jens Axboe <axboe@...nel.dk>, Arnd Bergmann <arnd@...db.de>, Eric Biederman <ebiederm@...ssion.com>, Serge Hallyn <serge.hallyn@...onical.com>, lxc-devel@...ts.linuxcontainers.org Subject: Re: [RFC PATCH 11/11] loop: Allow priveleged operations for root in the namespace which owns a device On Fri, May 23, 2014 at 08:48:25AM +0300, Marian Marinov wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > One question about this patch. > > Why don't you use the devices cgroup check if the root user in that namespace is allowed to use this device? > > This way you can be sure that the root in that namespace can not access devices to which the host system did not gave > him access to. That might be possible, but I don't want to require something on the host to whitelist the device for the container. Then loop would need to automatically add the device to devices.allow, which doesn't seem desirable to me. But I'm not entirely opposed to the idea if others think this is a better way to go. Seth -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists