| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170224232327.GA9126@obsidianresearch.com>
Date: Fri, 24 Feb 2017 16:23:27 -0700
From: Jason Gunthorpe <jgunthorpe@...idianresearch.com>
To: James Bottomley <James.Bottomley@...senPartnership.com>
Cc: open list <linux-kernel@...r.kernel.org>, dhowells@...hat.com,
linux-security-module@...r.kernel.org,
tpmdd-devel@...ts.sourceforge.net
Subject: Re: [tpmdd-devel] [PATCH v2 6/7] tpm: expose spaces via a device
link /dev/tpms<n>
On Fri, Feb 24, 2017 at 06:01:00PM -0500, James Bottomley wrote:
> Well, as a glib answer, I'd say the TPM is a device, so the thing which
> restricts device access to containers is the device cgroup ... that's
> what we should be plugging into. I'd have to look, but I suspect the
> device cgroup basically operates on device node appearance, so it
> should "just work"(tm). I can explore when I'm back home.
Seems reasonable..
It just seems confusing to call something a namespace that isn't also
a CLONE_NEW* option..
FWIW more background on the topic:
Stefan was concerned about information leakage via sysfs of TPM data,
eg that a container could still touch the host's TPM. I wonder if
device cgroup could be extended to block access to the sysfs
directories containing a disallowed 'dev' ?
I was also wondering about kernel use from within the container -
all kernel consumers are locked to physical tpm0.. But maybe the
kernel can consult the right device cgroup to find an allowed TPM?
Jason
Powered by blists - more mailing lists