lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <vrozw5w2l32ni43akbf3xceq6rqpkskdlwbp2ko32qxv546n6s@qtw4l3qt357v>
Date: Thu, 15 Aug 2024 14:12:06 +0200
From: Michal Koutný <mkoutny@...e.com>
To: Chen Ridong <chenridong@...wei.com>
Cc: tj@...nel.org, lizefan.x@...edance.com, hannes@...xchg.org, 
	longman@...hat.com, cgroups@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cgroup: update some statememt about delegation

Hi,
thanks for writing up on the care needed when you only use namespacing
(and not de-privilgation) for delegation.

On Thu, Aug 15, 2024 at 02:41:18AM GMT, Chen Ridong <chenridong@...wei.com> wrote:
...

What about some more clarifications to prevent other confusions?

> --- a/Documentation/admin-guide/cgroup-v2.rst
> +++ b/Documentation/admin-guide/cgroup-v2.rst
> @@ -533,10 +533,12 @@ cgroup namespace on namespace creation.
>  Because the resource control interface files in a given directory
>  control the distribution of the parent's resources, the delegatee
>  shouldn't be allowed to write to them.  For the first method, this is
> -achieved by not granting access to these files.  For the second, the
> -kernel rejects writes to all files other than "cgroup.procs" and
> -"cgroup.subtree_control" on a namespace root from inside the
> -namespace.
> +achieved by not granting access to these files.  For the second, files
> +outside the namespace shouldn't be visible from within the delegated
                         should be hidden from the delegatee by the
means of at least mount namespacing, and the kernel...

> +namespace, and the kernel rejects writes to all files on a namespace
> +root from inside the namespace, except for those files listed in
          inside the cgroup namespace

> +"/sys/kernel/cgroup/delegate" (including "cgroup.procs", "cgroup.threads",
> +"cgroup.subtree_control", etc.).
  
...
> -	 * except for the files explicitly marked delegatable -
> -	 * cgroup.procs and cgroup.subtree_control.
> +	 * except for the set delegatable files shown in /sys/kernel/cgroup/delegate,
> +	 * including cgroup.procs, cgroup.threads and cgroup.subtree_control, etc.

"Marked delegatable" (meaning CFTYPE_NS_DELEGATABLE) is appropriate
comment in the code, a reference to the sysfs file is only consequential
to this marking. A minimal change would be like:

-	 * cgroup.procs and cgroup.subtree_control.
+	 * e.g. cgroup.procs and cgroup.subtree_control.

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ