| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFLxGvw2-k1zKkD+cy-ZdfdXv05PLBib-VqnHRkWGNxfCSF-iA@mail.gmail.com>
Date: Wed, 22 Feb 2017 21:11:22 +0100
From: Richard Weinberger <richard.weinberger@...il.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Alexey Gladkov <gladkov.alexey@...il.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
"Kirill A. Shutemov" <kirill@...temov.name>,
Vasiliy Kulikov <segoon@...nwall.com>,
Al Viro <viro@...iv.linux.org.uk>,
Oleg Nesterov <oleg@...hat.com>,
Pavel Emelyanov <xemul@...allels.com>,
Andy Lutomirski <luto@...capital.net>
Subject: Re: [PATCH] Add pidfs filesystem
On Mon, Feb 20, 2017 at 5:05 AM, Eric W. Biederman
<ebiederm@...ssion.com> wrote:
> Alexey Gladkov <gladkov.alexey@...il.com> writes:
>
>> The pidfs filesystem contains a subset of the /proc file system which
>> contains only information about the processes.
>
> My summary of your motivation.
>
> It hurts when I create a container with a processes with uid 0 inside of
> it. This generates lots of hacks to attempt to limit uid 0.
>
> My answer: Don't run a container with a real uid 0 inside of it.
I agree. Unless I miss something I'd say use a user namespace
to get decent permission checks in /proc (and /sys).
--
Thanks,
//richard
Powered by blists - more mailing lists