| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4EC52FBF.1010407@parallels.com> Date: Thu, 17 Nov 2011 20:01:03 +0400 From: Pavel Emelyanov <xemul@...allels.com> To: Oleg Nesterov <oleg@...hat.com> CC: Linus Torvalds <torvalds@...ux-foundation.org>, Andrew Morton <akpm@...ux-foundation.org>, Alan Cox <alan@...ux.intel.com>, Roland McGrath <roland@...k.frob.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Tejun Heo <tj@...nel.org>, Cyrill Gorcunov <gorcunov@...nvz.org>, James Bottomley <jbottomley@...allels.com> Subject: Re: [RFC][PATCH 0/3] fork: Add the ability to create tasks with given pids On 11/17/2011 07:49 PM, Oleg Nesterov wrote: > On 11/17, Pavel Emelyanov wrote: >> >> Gentlemen, please, find some time for this, your ACK/NACK on the API proposal >> is required badly. > > Please. > >> The proposal is to introduce the CLONE_CHILD_USEPIDS flag for clone() syscall >> and pass the pids values in the child_tidptr. In order not to introduce the >> hole for the pid-reuse attack, using this flag will result in EPERM in case >> the pid namespace we're trying to create pid in has at least one pid (except >> for the init's one) generated with regular fork()/clone(). >> >> Currently Tejun and Oleg are worrying only about the intrusiveness of this >> approach, although Oleg agrees, that it solves all the problems it should. The >> previous attempts to implement the similar stuff stopped, but no objections >> against this were expressed. So the decision of whether it's OK to go this >> way or not is required. > > Yes, personally I'd prefer /proc/set_last_pid (or something similar) which > simply writes to pid_ns->last_pid. Perhaps it is less convenient from the > user-space pov (serialization, security) but it is much simpler. Yes, this is also possible. I have a working prototype of /proc/sys/kernel/ns_last_pid with the security issue solved, but setting sysctl then cloning seems more obfuscating to me than just passing an array of pids to clone. > OTOH, I do not pretend I understand the user-space needs, so I won't argue. > This series seems correct, the bugs we discussed are fixed. > > But. Speaking of API, it differs a bit compared to the previous version... > >> The API will be used like in the code below >> >> /* restore new pid namespace with an init in it */ >> pid = clone(CLONE_NEWPID); > > Yes, CLONE_NEWPID | CLONE_CHILD_USEPIDS is not possible. It should be. If we (in theory, but) restore two pid namespaces with one being a child of another we will have to create an init of the child ns with predefined pid in the parent ns. > Then how the array of pids in child_tidptr[] can be useful? If CLONE_NEWPID > can't restore the pid_nr's in the parent namespaces, then probably this > doesn't makes sense at all? > > IOW. I think we should either allow CLONE_NEWPID | CLONE_CHILD_USEPIDS > (with additional check in set_pidmap() to ensure that CLONE_NEWPID > comes with child_tidptr[0] == 1), or we should treat the "overloaded" > child_tidptr as a simple pid_t. The child_tidptr[0] == 1 check will also work. Currently I check for the ns->child_reaper being NULL instead. > Again, I won't insist. Just I want to be sure we do not miss something > adding the new API. > > Oleg. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists