| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 16 Sep 2012 04:56:06 -0700 From: ebiederm@...ssion.com (Eric W. Biederman) To: Alan Cox <alan@...rguk.ukuu.org.uk> Cc: "Serge E. Hallyn" <serge@...lyn.com>, Aristeu Rozanski <aris@...vo.org>, Neil Horman <nhorman@...driver.com>, "Serge E. Hallyn" <serue@...ibm.com>, containers@...ts.linux-foundation.org, linux-kernel@...r.kernel.org, Michal Hocko <mhocko@...e.cz>, Thomas Graf <tgraf@...g.ch>, Paul Mackerras <paulus@...ba.org>, "Aneesh Kumar K.V" <aneesh.kumar@...ux.vnet.ibm.com>, Arnaldo Carvalho de Melo <acme@...stprotocols.net>, Johannes Weiner <hannes@...xchg.org>, Tejun Heo <tj@...nel.org>, cgroups@...r.kernel.org, Paul Turner <pjt@...gle.com>, Ingo Molnar <mingo@...hat.com> Subject: Re: Controlling devices and device namespaces Alan Cox <alan@...rguk.ukuu.org.uk> writes: >> One piece of the puzzle is that we should be able to allow unprivileged >> device node creation and access for any device on any filesystem >> for which it unprivileged access is safe. > > Which devices are "safe" is policy for all interesting and useful cases, > as are file permissions, security tags, chroot considerations and the > like. > > It's a complete non starter. There are a handful of device nodes that the kernel creates with mode 0666. Esentially it is just /dev/tty /dev/null /dev/zero and a few others. Enourmous numbers of programs won't work without them. Making them both interesting and useful. In very peculiar cases I can see not wanting to have access to generally safe devices, like in other peculiar cases we don't have want access to the network stack. As for the general case device nodes for real hardware in a container which I think is the "interesting" case you were referring to. I personally find that case icky and boring. The sanest way I can think of handling real hardware device nodes is a tmpfs (acting like devtmpfs) mounted on /dev in the containers mount namespace, but also visible outside to the global root mounted somewhere interesting. We have a fuse filesystem pretending to be sysfs and relaying file accesses from the real sysfs for just the devices that we want to allow to that container. Then to add a device in a container the managing daemon makes the devices available in the pretend sysfs, calls mknod on the tmpfs and fakes the uevents. The only case I don't see that truly covering is keeping the stat data the same for files of migrated applications. Shrug perhaps that will just have to be handled with another synthesized uevent. Hey userspace I just hot-unplugged and hot-plugged your kernel please cope. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists