lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Wed, 4 Apr 2018 20:45:09 +0300
From:   Alexey Dobriyan <adobriyan@...il.com>
To:     alban@...volk.io
Cc:     linux-kernel@...r.kernel.org, ebiederm@...ssion.com
Subject: Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc
 mounts when not fully visible

> Instead, it introduces new options in proc to disable some proc entries (TBD).

No, no, no, no.

Blacklists are bad, mmkay.

The reason is that quite dangerous new /proc entries get added
(think /proc/kpageflags) and suddenly they are enabled inside container.

> The granularity does not need to be per proc entry.

I think it does. Grouping always becomes either too fine or too coarse.

> Granularity can be improved later if use cases exist.

Granularity can not be tightened as it may break existing users.
So new granularity options are going to be invented until finally it is
per file.

>	"maskedPaths": [
>		"/proc/kcore",
>		"/proc/latency_stats",
>		"/proc/timer_list",
>		"/proc/timer_stats",
>		"/proc/sched_debug",
>		"/sys/firmware",
>		"/proc/scsi"
>	],

Just say no to drugs.


> /proc/kcore

As a side note:
/proc/kcore should be more or less safe because it is under CAP_SYS_RAWIO.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ