| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Oct 2009 09:16:25 -0500 From: "Serge E. Hallyn" <serue@...ibm.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Sukadev Bhattiprolu <sukadev@...ux.vnet.ibm.com>, randy.dunlap@...cle.com, arnd@...db.de, linux-api@...r.kernel.org, Containers <containers@...ts.linux-foundation.org>, Nathan Lynch <nathanl@...tin.ibm.com>, linux-kernel@...r.kernel.org, Louis.Rilling@...labs.com, kosaki.motohiro@...fujitsu.com, hpa@...or.com, mingo@...e.hu, torvalds@...ux-foundation.org, Alexey Dobriyan <adobriyan@...il.com>, roland@...hat.com, Pavel Emelyanov <xemul@...nvz.org> Subject: Re: [RFC][v8][PATCH 0/10] Implement clone3() system call Quoting Eric W. Biederman (ebiederm@...ssion.com): > Sukadev Bhattiprolu <sukadev@...ux.vnet.ibm.com> writes: > The only real argument in favor of doing this in user space is greater > flexibility. Yyyyup. > I can see checkpointing/restoring a single thread process > without a pid namespace. Anything more and you are just asking for > trouble. > > A design that weakens security. How does it weaken security? It requires CAP_SYS_ADMIN, and, when targeted capabilities are added, it will require CAP_SYS_ADMIN to only those pid namespaces in which we choose a pid. > Increases maintenance costs. Does it really? It re-uses most of the existing code. More so than the only existing in-kernel restart code I've seen does. > All for > an unreliable result seems like a bad one to me. I've personally always been on the fence as to whether we rebuild the process tree in user-space or kernel. And I'm still on the fence, as nothing you've said has convinced me otherwise. > > | The pid assignment code is currently ugly. I asked that we just pass > > | in the min max pid pids that already exist into the core pid > > | assignment function and a constrained min/max that only admits a > > | single pid when we are allocating a struct pid for restart. That was > > | not done and now we have a weird abortion with unnecessary special cases. > > > > I did post a version of the patch attemptint to implement that. As > > pointed out in: > > > > http://lkml.org/lkml/2009/8/17/445 > > > > we would need more checks in alloc_pidmap() to cover cases like min or max > > being invalid or min being greater than max or max being greater than pid_max > > etc. Those checks also made the code ugly (imo). > > If you need more checks you are doing it wrong. The code already has min > and max values, and even a start value. I was just strongly suggesting > we generalize where we get the values from, and then we have not special > cases. (I'm not sure whether this argument is a separate one - regarding the implementation of choosing the pid - from the kernel-vs-userspace one or not, so will wait for a response to my other email about your API) thanks, -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists