lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Mon, 25 Jul 2016 17:54:20 -0500
From:	"Serge E. Hallyn" <serge@...lyn.com>
To:	Tejun Heo <tj@...nel.org>
Cc:	Aleksa Sarai <asarai@...e.de>,
	James Bottomley <James.Bottomley@...senPartnership.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Li Zefan <lizefan@...wei.com>,
	Johannes Weiner <hannes@...xchg.org>,
	"Serge E. Hallyn" <serge.hallyn@...ntu.com>,
	Aditya Kali <adityakali@...gle.com>,
	Chris Wilson <chris@...is-wilson.co.uk>,
	linux-kernel@...r.kernel.org, cgroups@...r.kernel.org,
	Christian Brauner <cbrauner@...e.de>, dev@...ncontainers.org
Subject: Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for
 direct descendants

Quoting Tejun Heo (tj@...nel.org):
> Hello, Aleksa.
> 
> On Fri, Jul 22, 2016 at 06:30:07PM +1000, Aleksa Sarai wrote:
> > Just to be clear, the "ns subdir operation" is a cgroup namespaced process
> > moving A -> A_subdir which is racing against some administrative process
> > moving everything from A -> B (but not wanting to move A -> A_subdir)?
> 
> Yes.
> 
> > So should there be policy within the kernel to not permit a process outside
> > a cgroup namespace to move processes inside the namespace? Or would you be
> > concerned about people escaping the administrator's attempts to reorganise
> > the hierarchy?
> 
> Pushed that far, I frankly can't assess what the implications and
> side-effects would be.
> 
> > What if we extended rename(2) so that it /does/ allow for reorganisation of
> > the hierarchy? So an administrator could use rename to change the point at
> > which a cgroupns root is rooted at, but not be able to move the actual
> > processes within the cgroup namespace around? The administrator could also
> > join the cgroupns (without needing to join the userns) and then just move
> > things around that way?
> > 
> > Do any of those suggestions seem reasonable?
> 
> Unfortunately not.  I get what you're trying to do and am sure we can
> make some specific scenarios work with the right set of hacks and
> holes, but this type of approach is very dangerous in the long term.
> 
> The downside we have now is that we need an explicit delegation from
> userland and that stems from the architectural constraints of
> cgroupfs.  It's not ideal but an acceptable situation.  Let's please
> not riddle the whole thing with holes that we don't understand for an
> inconvenience which can be worked around otherwise.

It's something which distros, post-machine-install scripts, and
 post-pkg-install scripts can all very easily setup.  They have to
setup subuid and subgid too if you want safe unprivileged containers,
so I really don't feel this is so arduous.  What is the use case where
none of these are an option?  (I don't doubt that it exists since you
are pushing pretty hard)

-serge

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ