| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 Jun 2016 08:47:12 +0200 From: Richard Weinberger <richard@....at> To: Andi Kleen <andi@...stfloor.org>, Shanker Wang <shanker@...a.tsinghua.edu.cn> Cc: netdev@...r.kernel.org, Hannes Frederic Sowa <hannes@...essinduktion.org>, Richard Weinberger <richard.weinberger@...il.com>, Guillaume Nault <g.nault@...halink.fr>, Miao Wang <shankerwangmiao@...il.com> Subject: Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp Am 20.06.2016 um 07:02 schrieb Andi Kleen: > Shanker Wang <shanker@...a.tsinghua.edu.cn> writes: > >> This patch removes the check for CAP_NET_ADMIN in the initial namespace >> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user >> namespace the net namespace was created so that /dev/ppp cat get opened >> in a unprivileged container. > > Seems dangerous. From a quick look at the PPP ioctl there is no limit > how many PPP devices this can create. So a container having access to > this would be able to fill all kernel memory. Probably needs more > auditing and hardening first. > > In general there seems to be a lot of attack surface for root > in PPP. You are right. Shanker Wang, I had also another at the open function, it is more complicated than I thought. Please see how ppp_unattached_ioctl() is called. Before we give containers access to it the use of nsproxy has to be removed. Not sure how easy this will be, especially since you cannot break existing users. Thanks, //richard
Powered by blists - more mailing lists