lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 2 Feb 2017 13:48:14 -0500
From:   Tejun Heo <tj@...nel.org>
To:     Li Zefan <lizefan@...wei.com>, Johannes Weiner <hannes@...xchg.org>
Cc:     cgroups@...r.kernel.org, linux-kernel@...r.kernel.org,
        kernel-team@...com
Subject: Re: [PATCH cgroup/for-4.11] cgroup: drop the matching uid
 requirement on migration for cgroup v2

On Fri, Jan 20, 2017 at 11:29:54AM -0500, Tejun Heo wrote:
> Along with the write access to the cgroup.procs or tasks file, cgroup
> has required the writer's euid, unless root, to match [s]uid of the
> target process or task.  On cgroup v1, this is necessary because
> there's nothing preventing a delegatee from pulling in tasks or
> processes from all over the system.
> 
> If a user has a cgroup subdirectory delegated to it, the user would
> have write access to the cgroup.procs or tasks file.  If there are no
> further checks than file write access check, the user would be able to
> pull processes from all over the system into its subhierarchy which is
> clearly not the intended behavior.  The matching [s]uid requirement
> partially prevents this problem by allowing a delegatee to pull in the
> processes that belongs to it.  This isn't a sufficient protection
> however, because a user would still be able to jump processes across
> two disjoint sub-hierarchies that has been delegated to them.
> 
> cgroup v2 resolves the issue by requiring the writer to have access to
> the common ancestor of the cgroup.procs file of the source and target
> cgroups.  This confines each delegatee to their own sub-hierarchy
> proper and bases all permission decisions on the cgroup filesystem
> rather than having to pull in explicit uid matching.
> 
> cgroup v2 has still been applying the matching [s]uid requirement just
> for historical reasons.  On cgroup2, the requirement doesn't serve any
> purpose while unnecessarily complicating the permission model.  Let's
> drop it.
> 
> Signed-off-by: Tejun Heo <tj@...nel.org>

Applied to cgroup/for-4.11.

Thanks.

-- 
tejun

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ