| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 8 Mar 2014 03:39:29 +0100 From: Lennart Poettering <mzerqung@...inter.de> To: Lukasz Pawelczyk <havner@...il.com> Cc: systemd-devel@...ts.freedesktop.org, libvir-list@...hat.com, linux-input@...r.kernel.org, linux-kernel@...r.kernel.org, lxc-devel@...ts.linuxcontainers.org Subject: Re: [systemd-devel] Suspending access to opened/active /dev/nodes during application runtime On Fri, 07.03.14 21:51, Lukasz Pawelczyk (havner@...il.com) wrote: > >> Problem: > >> Has anyone thought about a mechanism to limit/remove an access to a > >> device during an application runtime? Meaning we have an > >> application that has an open file descriptor to some /dev/node and > >> depending on *something* it gains or looses the access to it > >> gracefully (with or without a notification, but without any fatal > >> consequences). > > > > logind can mute input devices as sessions are switched, to enable > > unpriviliged X11 and wayland compositors. > > Would you please elaborate on this? Where is this mechanism? How does > it work without kernel space support? Is there some kernel space > support I’m not aware of? There's EVIOCREVOKE for input devices and DRM_IOCTL_SET_MASTER/DRM_IOCTL_DROP_MASTER for DRM devices. See logind sources. > > Before you think about doing something like this, you need to fix the > > kernel to provide namespaced devices (good luck!) > > Precisly! That’s the generic idea. I’m not for implementing it though > at this moment. I just wanted to know whether anybody actually though > about it or maybe someone is interested in starting such a work, etc. It's not just about turning on and turning off access to the event stream. It's mostly about enumeration and probing which doesn't work in containers, and is particularly messy if you intend to share devices between containers. > > logind can do this for you between sessions. But such a container setup > > will never work without proper device namespacing. > > So how can it do it when there is no kernel support? You mean it could > be doing this if the support were there? EVIOCREVOKE and the DRM ioctls are pretty real... Lennart -- Lennart Poettering, Red Hat -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists