| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Jul 2014 23:22:01 -0700 From: ebiederm@...ssion.com (Eric W. Biederman) To: David Drysdale <drysdale@...gle.com> Cc: LSM List <linux-security-module@...r.kernel.org>, "linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Alexander Viro <viro@...iv.linux.org.uk>, Meredydd Luff <meredydd@...atehouse.org>, Kees Cook <keescook@...omium.org>, James Morris <james.l.morris@...cle.com>, Andy Lutomirski <luto@...capital.net>, Paolo Bonzini <pbonzini@...hat.com>, Paul Moore <paul@...l-moore.com>, Christoph Hellwig <hch@...radead.org>, Linux API <linux-api@...r.kernel.org> Subject: Re: [RFC PATCHv2 00/11] Adding FreeBSD's Capsicum security framework I have cut this down to just focus on O_BENEATH openat case. David Drysdale <drysdale@...gle.com> writes: > On Mon, Jul 28, 2014 at 10:13 PM, Eric W. Biederman > <ebiederm@...ssion.com> wrote: >> Nope. What you can implement today if you want fine grained limitations >> like this is to create a mount namespace with exactly the subdirectory >> tree you want to allow access to and to return a file descriptor that >> points into that mount namespace. (When complete the only user of that >> mount namespace would be your file descriptor). > > How does that solve the particular example I mentioned? The DFD > within the mount namespace will still allow any operation on any file > that's already in the subdirectory -- or am I misunderstanding > something? The goal was to bound the DFD to the directory and all of it's subdirectories such that openat(dfd, "../../..") would open the dfd, and that further opens of other directories would also not allow you to escape. Since the mount namespace only contains the choosen directory and it's subdirectories that works easily and trivially. So while you can indeed perform any file operation on that dfd who cares because none of those operations can get you anywhere you aren't supposed to be. My point was that you can as granular as you would like by binding a dfd to a mount namespace instead of binding a process to a mount namespace, and the code already exists and is being maintained. So while things are not packaged in the form that has been requested it looks to me as if the functionality for directories already exists within the Linux kernel. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists