lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <576D7F34.50201@linux.vnet.ibm.com>
Date:	Fri, 24 Jun 2016 14:43:00 -0400
From:	Stefan Berger <stefanb@...ux.vnet.ibm.com>
To:	Jason Gunthorpe <jgunthorpe@...idianresearch.com>
Cc:	tpmdd-devel@...ts.sourceforge.net, jarkko.sakkinen@...ux.intel.com,
	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH] tpm: vtpm_proxy: Introduce flag to prevent sysfs entries

On 06/24/2016 01:48 PM, Jason Gunthorpe wrote:
> On Fri, Jun 24, 2016 at 10:36:55AM -0400, Stefan Berger wrote:
>> Introduce TPM_VTPM_PROXY_NO_SYSFS flag that prevents a vtpm_proxy driver
>> instance from having the typical sysfs entries that shows the state of the
>> TPM. The flag is to be set in the ioctl creating the vtpm_proxy device
>> pair and maps on a new chip flags TPM_CHIP_FLAG_NO_SYSFS.
> No other subsystem does something so goofy, this really needs to be
> part of namespace support for TPM.

And I am not sure how to go about this. TPM2 by the way doesn't have 
such entries, so it's much better from that perspective.

>
> Why can't you just make the sysfs files unreadable in user space?

There are actually ways to go about this. Likely bind-mounting over 
/sys/device/virtual/tpm would be one solution to hide all virtual TPM 
device. Another is applying an AppArmor policy to the container denying 
access to tpm directories or entries. SELinux would not be so easy.

The flag in this patch seemed like a 'cheap' way to eliminate that 
problem as well.

> If a container can make them readable again can't it also just create
> the chardev node?

What do you mean by making them readable again? The chardev node can be 
created inside the container with the major and minor numbers as it was 
created with the ioctl.

     Stefan


>
> Jason
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ