| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160803214437.GI6879@twins.programming.kicks-ass.net> Date: Wed, 3 Aug 2016 23:44:37 +0200 From: Peter Zijlstra <peterz@...radead.org> To: Kees Cook <keescook@...omium.org> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Jeff Vander Stoep <jeffv@...gle.com>, Ingo Molnar <mingo@...hat.com>, Arnaldo Carvalho de Melo <acme@...nel.org>, Alexander Shishkin <alexander.shishkin@...ux.intel.com>, "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, LKML <linux-kernel@...r.kernel.org>, Jonathan Corbet <corbet@....net> Subject: Re: [kernel-hardening] Re: [PATCH 1/2] security, perf: allow further restriction of perf_event_open On Wed, Aug 03, 2016 at 11:53:41AM -0700, Kees Cook wrote: > > Kees Cook <keescook@...omium.org> writes: > > > >> On Tue, Aug 2, 2016 at 1:30 PM, Peter Zijlstra <peterz@...radead.org> wrote: > >> Let me take this another way instead. What would be a better way to > >> provide a mechanism for system owners to disable perf without an LSM? > >> (Since far fewer folks run with an enforcing "big" LSM: I'm seeking as > >> wide a coverage as possible.) > > > > I vote for sandboxes. Perhaps seccomp. Perhaps a per userns sysctl. > > Perhaps something else. > > Peter, did you happen to see Eric's solution to this problem for > namespaces? Basically, a per-userns sysctl instead of a global sysctl. > Is that something that would be acceptable here? Someone would have to educate me on what a userns is and how that would help here.
Powered by blists - more mailing lists