lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 29 Jan 2016 02:54:11 -0600 From: serge.hallyn@...ntu.com To: linux-kernel@...r.kernel.org Cc: adityakali@...gle.com, tj@...nel.org, linux-api@...r.kernel.org, containers@...ts.linux-foundation.org, cgroups@...r.kernel.org, lxc-devel@...ts.linuxcontainers.org, akpm@...ux-foundation.org, ebiederm@...ssion.com, gregkh@...uxfoundation.org, lizefan@...wei.com, hannes@...xchg.org, Serge Hallyn <serge.hallyn@...ntu.com>, Serge Hallyn <serge.hallyn@...onical.com> Subject: [PATCH 8/8] Add FS_USERNS_FLAG to cgroup fs From: Serge Hallyn <serge.hallyn@...ntu.com> allowing root in a non-init user namespace to mount it. This should now be safe, because 1. non-init-root cannot mount a previously unbound subsystem 2. the task doing the mount must be privileged with respect to the user namespace owning the cgroup namespace 3. the mounted subsystem will have its current cgroup as the root dentry. the permissions will be unchanged, so tasks will receive no new privilege over the cgroups which they did not have on the original mounts. Signed-off-by: Serge Hallyn <serge.hallyn@...onical.com> --- kernel/cgroup.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/cgroup.c b/kernel/cgroup.c index 3e04df0..7a58749 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -2216,12 +2216,14 @@ static struct file_system_type cgroup_fs_type = { .name = "cgroup", .mount = cgroup_mount, .kill_sb = cgroup_kill_sb, + .fs_flags = FS_USERNS_MOUNT, }; static struct file_system_type cgroup2_fs_type = { .name = "cgroup2", .mount = cgroup_mount, .kill_sb = cgroup_kill_sb, + .fs_flags = FS_USERNS_MOUNT, }; static char * -- 1.7.9.5
Powered by blists - more mailing lists