lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87k2yflqqf.fsf@x220.int.ebiederm.org>
Date:	Tue, 17 Mar 2015 08:04:40 -0500
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	Dave Hansen <dave@...1.net>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Kees Cook <keescook@...omium.org>, tytso@....edu,
	Oleg Nesterov <oleg@...hat.com>, linux-kernel@...r.kernel.org,
	dave.hansen@...ux.intel.com
Subject: Re: [RFCv2][PATCH 1/2] fs proc: make pagemap a privileged interface

Dave Hansen <dave@...1.net> writes:

> From: Dave Hansen <dave.hansen@...ux.intel.com>
>
> Changes from v1:
>  * Do not allow a child pid namespace to unset paranoid
>    when its parent had it set.
>  * Update description text to clarify the options we
>    have to solve this problem.

Again.

Nacked-by: "Eric W. Biederman" <ebiederm@...ssion.com>

The option name "paranoid" is entirely too general.  Who knows what
it referrs to.

A mount option is not an appropriate place to control one small bit of
policy like this.  Proc mount options are a real pain in the butt to
deal with and to maintain. 

Further a per pid namespace decision does not actually work, for having
restricted policy only for a small set of processes because it is only
with very careful container setup that you would expose this policy.

If you really need a subset of processes with a restricted policy make
it a prctl, and bloat struct task.  Then disallow a process with the
prctl set from reading the file.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ