| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 07 Dec 2012 10:21:44 -0800 From: ebiederm@...ssion.com (Eric W. Biederman) To: Serge Hallyn <serge.hallyn@...onical.com> Cc: Andrew Morton <akpm@...ux-foundation.org>, Rui Xiang <leo.ruixiang@...il.com>, containers@...ts.linux-foundation.org, netdev@...r.kernel.org Subject: Re: [PATCH RFC 0/5] Containerize syslog Serge Hallyn <serge.hallyn@...onical.com> writes: > Not as a separate justification admittedly, but the description was > meant to explain it: right now /dev/kmsg and sys_syslog are not safe > and useful in a container; The user namespace solves this the biggest practical problem, like it solves so many other problems of excessive privileges in a container. Since these patches are still mostly in the design proof-of-concept/design phase I am inclined to see how getting a usable user namespace affects the situation on the ground. But I do think there are issues to be solved in some fashion. We have the possibiloity of configuring firewall logging rules that are not usable in containers. Similarly reasons for mount failures and number of other cases go silent. I think it makes some sense to change where we put things in the kernel log to solve these things but it also makes sense to ask the question is there a better solution. Hopefully a little more experience with these issues and time playing with ideas can make things clear. Eric -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists