| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220829125957.GB3579@blackbody.suse.cz>
Date: Mon, 29 Aug 2022 14:59:57 +0200
From: Michal Koutný <mkoutny@...e.com>
To: Yosry Ahmed <yosryahmed@...gle.com>
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Cgroups <cgroups@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
Tejun Heo <tj@...nel.org>, Aditya Kali <adityakali@...gle.com>,
Serge Hallyn <serge.hallyn@...onical.com>,
Roman Gushchin <roman.gushchin@...ux.dev>,
Yonghong Song <yhs@...com>,
Muneendra Kumar <muneendra.kumar@...adcom.com>,
Hao Luo <haoluo@...gle.com>
Subject: Re: [PATCH 4/4] cgroup/bpf: Honor cgroup NS in cgroup_iter for
ancestors
On Fri, Aug 26, 2022 at 10:41:37AM -0700, Yosry Ahmed <yosryahmed@...gle.com> wrote:
> I understand that currently cgroup_iter is the only user of this, but
> for future use cases, is it safe to assume that cgrp will always be
> inside ns? Would it be safer to do something like:
I preferred the simpler root_cgrp comparison to avoid pointer
arithmetics in cgroup_is_descendant. But I also made the assumption of
cgrp in ns.
Thanks, I'll likely adjust cgroup_path_ns to make it more robust for
an external cgrp.
I'd like to clarify, if a process A in a broad cgroup ns sets up a BPF
cgroup iterator, exposes it via bpffs and than a process B in a narrowed
cgroup ns (which excludes the origin cgroup) wants to traverse the
iterator, should it fail straight ahead (regardless of iter order)?
The alternative would be to allow self-dereference but prohibit any
iterator moves (regardless of order).
Thanks,
Michal
Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)
Powered by blists - more mailing lists