| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4EB06D27.4020507@msgid.tls.msk.ru> Date: Wed, 02 Nov 2011 02:05:27 +0400 From: Michael Tokarev <mjt@....msk.ru> To: Kay Sievers <kay.sievers@...y.org> CC: Lennart Poettering <mzxreary@...inter.de>, greg@...ah.com, Paul Menage <paul@...lmenage.org>, linux-kernel@...r.kernel.org, david@...ar.dk, "Eric W. Biederman" <ebiederm@...ssion.com>, Linux Containers <lxc-devel@...ts.sourceforge.net>, Linux Containers <containers@...ts.osdl.org>, "Serge E. Hallyn" <serge@...lyn.com>, harald@...hat.com Subject: Re: [lxc-devel] Detecting if you are running in a container [Replying to an oldish email...] On 12.10.2011 20:59, Kay Sievers wrote: > On Mon, Oct 10, 2011 at 23:41, Lennart Poettering <mzxreary@...inter.de> wrote: >> On Mon, 10.10.11 13:59, Eric W. Biederman (ebiederm@...ssion.com) wrote: > >>> - udev. All of the kernel interfaces for udev should be supported in >>> current kernels. However I believe udev is useless because container >>> start drops CAP_MKNOD so we can't do evil things. So I would >>> recommend basing the startup of udev on presence of CAP_MKNOD. >> >> Using CAP_MKNOD as test here is indeed a good idea. I'll make sure udev >> in a systemd world makes use of that. > > Done. > > http://git.kernel.org/?p=linux/hotplug/udev.git;a=commitdiff;h=9371e6f3e04b03692c23e392fdf005a08ccf1edb Maybe CAP_MKNOD isn't actually a good idea, having in mind devtmpfs? Without CAP_MKNOD, is devtmpfs still being populated internally by the kernel, so that udev only needs to change ownership/permissions and maintain symlinks in response to device changes, and perform other duties (reacting to other types of events) normally? In other words, provided devtmpfs works even without CAP_MKNOD, I can easily imagine a whole system running without this capability from the very early boot, with all functionality in place, including udev and what not... And having CAP_MKNOD in container may not be that bad either, while cgroup device.permission is set correctly - some nodes may need to be created still, even in an unprivileged containers. Who filters out CAP_MKNOD during container startup (I don't see it in the code, which only removes CAP_SYS_BOOT, and even that due to current limitation), and which evil things can be done if it is not filtered? Thanks, /mjt -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists