| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Ywk2NMwurnBYhU+D@slm.duckdns.org>
Date: Fri, 26 Aug 2022 11:08:04 -1000
From: Tejun Heo <tj@...nel.org>
To: Michal Koutný <mkoutny@...e.com>
Cc: linux-kernel@...r.kernel.org, cgroups@...r.kernel.org,
bpf@...r.kernel.org, Aditya Kali <adityakali@...gle.com>,
Serge Hallyn <serge.hallyn@...onical.com>,
Roman Gushchin <roman.gushchin@...ux.dev>,
Yonghong Song <yhs@...com>,
Muneendra Kumar <muneendra.kumar@...adcom.com>,
Yosry Ahmed <yosryahmed@...gle.com>,
Hao Luo <haoluo@...gle.com>
Subject: Re: [PATCH 0/4] Honor cgroup namespace when resolving cgroup id
Hello,
On Fri, Aug 26, 2022 at 06:52:34PM +0200, Michal Koutný wrote:
> Cgroup id is becoming a new way for userspace how to refer to cgroups it
> wants to act upon. As opposed to cgroupfs (paths, opened FDs), the
> current approach does not reflect limited view by (non-init) cgroup
> namespaces.
Looking at the code, I'm not quite sure we're actually plugging all holes in
terms of lookup. I think cgroup_get_from_path() would allow walking up past
the ns boundary. We aren't using kernfs ns support and I don't see anything
preventing ..'ing past the boundary.
> This patches don't aim to limit what a user can do (consider an uid=0 in
> mere cgroup namespace) but to provide consistent view within a
> namespace.
Considering userns and the fact that we try to isolate two separate sub
hierarchies delegated to the same UID, I think we'd have to tighten down on
the behaviors so that visiblity scope matches the permission scope.
Thanks.
--
tejun
Powered by blists - more mailing lists