lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5262cc0e-8e89-4ba0-8777-2ba49ec7c1f8@huawei.com>
Date: Thu, 15 Aug 2024 20:28:51 +0800
From: chenridong <chenridong@...wei.com>
To: Michal Koutný <mkoutny@...e.com>
CC: <tj@...nel.org>, <lizefan.x@...edance.com>, <hannes@...xchg.org>,
	<longman@...hat.com>, <cgroups@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] cgroup: update some statememt about delegation



On 2024/8/15 20:12, Michal Koutný wrote:
> Hi,
> thanks for writing up on the care needed when you only use namespacing
> (and not de-privilgation) for delegation.
> 
> On Thu, Aug 15, 2024 at 02:41:18AM GMT, Chen Ridong <chenridong@...wei.com> wrote:
> ...
> 
> What about some more clarifications to prevent other confusions?
> 
>> --- a/Documentation/admin-guide/cgroup-v2.rst
>> +++ b/Documentation/admin-guide/cgroup-v2.rst
>> @@ -533,10 +533,12 @@ cgroup namespace on namespace creation.
>>   Because the resource control interface files in a given directory
>>   control the distribution of the parent's resources, the delegatee
>>   shouldn't be allowed to write to them.  For the first method, this is
>> -achieved by not granting access to these files.  For the second, the
>> -kernel rejects writes to all files other than "cgroup.procs" and
>> -"cgroup.subtree_control" on a namespace root from inside the
>> -namespace.
>> +achieved by not granting access to these files.  For the second, files
>> +outside the namespace shouldn't be visible from within the delegated
>                           should be hidden from the delegatee by the
> means of at least mount namespacing, and the kernel...
> 
>> +namespace, and the kernel rejects writes to all files on a namespace
>> +root from inside the namespace, except for those files listed in
>            inside the cgroup namespace
> 
>> +"/sys/kernel/cgroup/delegate" (including "cgroup.procs", "cgroup.threads",
>> +"cgroup.subtree_control", etc.).
>    
> ...
>> -	 * except for the files explicitly marked delegatable -
>> -	 * cgroup.procs and cgroup.subtree_control.
>> +	 * except for the set delegatable files shown in /sys/kernel/cgroup/delegate,
>> +	 * including cgroup.procs, cgroup.threads and cgroup.subtree_control, etc.
> 
> "Marked delegatable" (meaning CFTYPE_NS_DELEGATABLE) is appropriate
> comment in the code, a reference to the sysfs file is only consequential
> to this marking. A minimal change would be like:
> 
> -	 * cgroup.procs and cgroup.subtree_control.
> +	 * e.g. cgroup.procs and cgroup.subtree_control.
Thank you, Michal, I will send new patch.

Thanks,
Ridong

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ