[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20091217.225856.145758950057800056.mrs@deli>
Date: Thu, 17 Dec 2009 22:58:56 +0000 (GMT)
From: Mark Seaborn <mrs@...hic-beasts.com>
To: andi@...stfloor.org
Cc: michael@...top.org, drepper@...il.com,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
linux-security-module@...r.kernel.org, david@...g.hm,
socketcan@...tkopp.net, alan@...rguk.ukuu.org.uk,
herbert@...dor.apana.org.au, Valdis.Kletnieks@...edu,
bdonlan@...il.com, zbr@...emap.net, cscott@...ott.net,
jmorris@...ei.org, ebiederm@...ssion.com, bernie@...ewiz.org
Subject: Re: [PATCH] Security: Add prctl(PR_{GET,SET}_NETWORK) interface.
Andi Kleen <andi@...stfloor.org> wrote:
> > This is not very good because in some situations it is useful to disable
> > connect() and bind() while still allowing ptracing of other processes. For
> > example, Plash creates a new UID for each sandbox and it is possible to use
> > strace and gdb inside a sandbox. Currently Plash is not able to block
> > network access or allow only limited network access. If you treat ptrace()
> > this way we won't have the ability to use strace and gdb while limiting
> > network access.
>
> No that's not what the hunk does. I first thought the same. But it actually
> just limits these processes from initiating ptracing themselves. You can still
> attach gdb/strace to them.
No, I specifically mean running gdb/strace *inside* the sandbox so
that sandboxed processes can initiate ptrace on other processes inside
the same sandbox. At the moment you can create a Plash sandbox and
run strace inside it with a command like the following, and strace
will successfully ptrace the subprocess that it spawns:
pola-run -B -e strace echo foo
I wouldn't want this to stop working just because the "disable
networking" flag has been set for all processes in the sandbox.
In practice Plash would set "disable networking" for all sandboxed
processes and then selectively enable limited network access by
passing file descriptors into the sandboxed processes via a socket.
> Now I'm not sure if that's closing all holes, but at least I can't come
> up with any obvious ones currently. I think I would still prefer a more
> general security container in general.
Well, yeah, adding a boolean just for network access seems pretty ad-hoc.
It sets alarm bells ringing if "disable networking" also functions as
"disable initiating ptrace()". Isn't there a way of doing the latter
independently?
Cheers,
Mark
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists