lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110812211353.GA19030@peqn>
Date:	Fri, 12 Aug 2011 16:13:53 -0500
From:	Serge Hallyn <serge.hallyn@...onical.com>
To:	Daniel Lezcano <daniel.lezcano@...e.fr>
Cc:	akpm@...ux-foundation.org, containers@...ts.linux-foundation.org,
	bonbons@...ux-vserver.org, oleg@...sign.ru,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] Notify container-init parent a 'reboot' occured

Quoting Daniel Lezcano (daniel.lezcano@...e.fr):
> On 08/12/2011 06:29 PM, Serge Hallyn wrote:
> > Quoting Daniel Lezcano (daniel.lezcano@...e.fr):
> > ...
> >>> Doesn't this mean that an unprivileged task in a container can shut
> >>> down the container?
> >> Ha ha ! Right, good catch :)
> >>
> >> Yes, rethinking about it, we can do what initially proposed Bruno by
> >> just preventing to reboot when we are not in the init_pid_ns. Actually, 
> >> the sys_reboot occurs after the services shutdown and "kill -1 SIGTERM"
> >> and "kill -1 SIGKILL", and would not make sense to do that in a child
> >> pid namespace, except if we are in a container where we don't want to
> >> reboot :)
> >>
> >> So IMO, it is safe to do:
> >>
> >> 	if (!ns_capable(current_pid_ns()->user_ns, CAP_SYS_BOOT))
> >>  		return -EPERM;
> >> 	
> >> 	if (pid_ns != &init_pid_ns)
> >> 		return pid_namespace_reboot(pid_ns, cmd, buffer);
> > So I don't know if you want to prepend
> > http://kernel.ubuntu.com/git?p=serge/linux-syslogns.git;a=commit;h=63556e9a39bcd75ec4a88333425800905013c73e
> > to your patchset, or just check nsown_capable(CAP_SYS_BOOT) for now,
> > but as soon as you resend with that I'll happily, nay,
> > ecstatically ack.
> 
> Ok, in order to not mix the functionnalities, I will send in a separate
> patch the nsown_capable change.

Actually the nsown_capable was a temp hack fix anyway, for a problem
we don't actually have.

I forgot you are not using user namespaces yet anyway.  So you can just
leave it as

	if (!capable(CAP_SYS_BOOT))
		return -EPERM;

for now.  Since you're root in the init user namespace, that'll pass
(as soon as you don't drop it from bounding set of course)

thanks,
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ