| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGXu5jJtJJRGchihX8wXOo0NumtdFMT3P4JM=GPeqPt811aM3w@mail.gmail.com> Date: Thu, 23 Jun 2016 14:03:46 -0700 From: Kees Cook <keescook@...omium.org> To: Topi Miettinen <toiwoton@...il.com> Cc: LKML <linux-kernel@...r.kernel.org>, Andy Lutomirski <luto@...nel.org>, "Serge E. Hallyn" <serge@...lyn.com>, Jonathan Corbet <corbet@....net>, Tejun Heo <tj@...nel.org>, Li Zefan <lizefan@...wei.com>, Johannes Weiner <hannes@...xchg.org>, Serge Hallyn <serge.hallyn@...onical.com>, James Morris <james.l.morris@...cle.com>, Andrew Morton <akpm@...ux-foundation.org>, David Howells <dhowells@...hat.com>, David Woodhouse <David.Woodhouse@...el.com>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>, Petr Mladek <pmladek@...e.com>, "open list:DOCUMENTATION" <linux-doc@...r.kernel.org>, "open list:CONTROL GROUP (CGROUP)" <cgroups@...r.kernel.org>, "open list:CAPABILITIES" <linux-security-module@...r.kernel.org> Subject: Re: [PATCH] capabilities: add capability cgroup controller On Thu, Jun 23, 2016 at 8:07 AM, Topi Miettinen <toiwoton@...il.com> wrote: > There are many basic ways to control processes, including capabilities, > cgroups and resource limits. However, there are far fewer ways to find > out useful values for the limits, except blind trial and error. > > Currently, there is no way to know which capabilities are actually used. > Even the source code is only implicit, in-depth knowledge of each > capability must be used when analyzing a program to judge which > capabilities the program will exercise. > > Add a new cgroup controller for monitoring of capabilities > in the cgroup. > > Test case demonstrating basic capability monitoring and how the > capabilities are combined at next level (boot to rdshell): > > (initramfs) cd /sys/fs > (initramfs) mount -t cgroup2 cgroup cgroup > (initramfs) cd cgroup > (initramfs) echo +capability > cgroup.subtree_control > (initramfs) mkdir test; cd test > (initramfs) echo +capability > cgroup.subtree_control > (initramfs) ls > capability.used cgroup.events cgroup.subtree_control > cgroup.controllers cgroup.procs > (initramfs) mkdir first second > (initramfs) sh > > BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash) > Enter 'help' for a list of built-in commands. > > (initramfs) cd first > (initramfs) echo $$ >cgroup.procs > (initramfs) cat capability.used > 0000000000000000 # nothing so far > (initramfs) mknod /dev/z_$$ c 1 2 > (initramfs) cat capability.used > 0000000008000000 # CAP_MKNOD > (initramfs) cat ../capability.used > 0000000008000000 # also seen at next higher level > (initramfs) exit > (initramfs) sh > > BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash) > Enter 'help' for a list of built-in commands. > > (initramfs) cd second > (initramfs) echo $$ >cgroup.procs > (initramfs) cat capability.used > 0000000000000000 # nothing so far > (initramfs) chown 1234 /dev/z_* > (initramfs) cat capability.used > 0000000000000001 # CAP_CHROOT nitpick: this is CAP_CHOWN, not CAP_CHROOT -Kees -- Kees Cook Chrome OS & Brillo Security
Powered by blists - more mailing lists