| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Mar 2015 08:04:40 -0500 From: ebiederm@...ssion.com (Eric W. Biederman) To: Dave Hansen <dave@...1.net> Cc: Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, tytso@....edu, Oleg Nesterov <oleg@...hat.com>, linux-kernel@...r.kernel.org, dave.hansen@...ux.intel.com Subject: Re: [RFCv2][PATCH 1/2] fs proc: make pagemap a privileged interface Dave Hansen <dave@...1.net> writes: > From: Dave Hansen <dave.hansen@...ux.intel.com> > > Changes from v1: > * Do not allow a child pid namespace to unset paranoid > when its parent had it set. > * Update description text to clarify the options we > have to solve this problem. Again. Nacked-by: "Eric W. Biederman" <ebiederm@...ssion.com> The option name "paranoid" is entirely too general. Who knows what it referrs to. A mount option is not an appropriate place to control one small bit of policy like this. Proc mount options are a real pain in the butt to deal with and to maintain. Further a per pid namespace decision does not actually work, for having restricted policy only for a small set of processes because it is only with very careful container setup that you would expose this policy. If you really need a subset of processes with a restricted policy make it a prctl, and bloat struct task. Then disallow a process with the prctl set from reading the file. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists