lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <87d16tb2y5.fsf@xmission.com> Date: Thu, 14 Sep 2017 12:33:06 -0500 From: ebiederm@...ssion.com (Eric W. Biederman) To: Richard Guy Briggs <rgb@...hat.com> Cc: cgroups@...r.kernel.org, Linux Containers <containers@...ts.linux-foundation.org>, Linux API <linux-api@...r.kernel.org>, Linux Audit <linux-audit@...hat.com>, Linux FS Devel <linux-fsdevel@...r.kernel.org>, Linux Kernel <linux-kernel@...r.kernel.org>, Linux Network Development <netdev@...r.kernel.org>, Aristeu Rozanski <arozansk@...hat.com>, David Howells <dhowells@...hat.com>, Eric Paris <eparis@...isplace.org>, jlayton@...hat.com, Andy Lutomirski <luto@...nel.org>, mszeredi@...hat.com, Paul Moore <pmoore@...hat.com>, "Serge E. Hallyn" <serge@...lyn.com>, Steve Grubb <sgrubb@...hat.com>, trondmy@...marydata.com, Al Viro <viro@...iv.linux.org.uk> Subject: Re: RFC: Audit Kernel Container IDs Richard Guy Briggs <rgb@...hat.com> writes: > The trigger is a pseudo filesystem (proc, since PID tree already exists) > write of a u64 representing the container ID to a file representing a > process that will become the first process in a new container. > This might place restrictions on mount namespaces required to define a > container, or at least careful checking of namespaces in the kernel to > verify permissions of the orchestrator so it can't change its own > container ID. Why a u64? Why a proc filesystem write and not a magic audit message? I don't like the fact that the proc filesystem entry is likely going to be readable and abusable by non-audit contexts? Why the ability to change the containerid? What is the use case you are thinking of there? Eric
Powered by blists - more mailing lists