Open Source and information security mailing list archives
Message-ID: <m14okqqwo1.fsf@fess.ebiederm.org>
Date: Mon, 08 Mar 2010 14:24:30 -0800
From: ebiederm@...ssion.com (Eric W. Biederman)
To: "Serge E. Hallyn" <serue@...ibm.com>
Cc: Daniel Lezcano <daniel.lezcano@...e.fr>, Pavel Emelyanov <xemul@...allels.com>, Sukadev Bhattiprolu <sukadev@...ux.vnet.ibm.com>, Linux Netdev List <netdev@...r.kernel.org>, containers@...ts.linux-foundation.org, Netfilter Development Mailinglist <netfilter-devel@...r.kernel.org>, Ben Greear <greearb@...delatech.com>
Subject: Re: [RFC][PATCH] ns: Syscalls for better namespace sharing control.

"Serge E. Hallyn" <serue@...ibm.com> writes:

> Quoting Eric W. Biederman (ebiederm@...ssion.com):
>> Daniel Lezcano <daniel.lezcano@...e.fr> writes:
>> I guess my meaning is I was expecting.
>> child = fork();
>> if (child == 0) {
>>         execve(...);
>> }
>> waitpid(child);
>>
>> This puts /bin/sh in the container as well.
>>
>> I'm not certain about the /proc/self thing I have never encountered that.
>> But I guess if your pid is outside of the pid namespace of that instance
>> of proc /proc/self will be a broken symlink.
>>
>> Eric
>
> Hmm, worse than a broken symlink, will it be a wrong symlink if just
> the right pid is created in the container?

It won't happen.  readlink and followlink are both based on
task_tgid_nr_ns(current, ns_of_proc).  Which fails if your process is
not known in that pid namespace.

Eric
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
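Added example, not part of the thread above and not code from the RFC patch under discussion: a small C program that checks the behaviour Eric describes. It assumes a Linux kernel with unprivileged user namespaces and an unmasked /proc. It forks into new user, mount and pid namespaces, lets the first child (pid 1 of the new pid namespace) mount a fresh proc instance on a temporary directory, and then reads that instance's /self from both sides: the child sees "1", while the intermediate process, whose pid has no number in that pid namespace, gets ENOENT from readlink rather than another process's pid. The function and result names (run_demo, self_link, DEMO_OK and so on) are the example's own.

```c
/* Added example, not from the thread: what readlink("<proc>/self") returns when
 * the caller's pid is unknown to the pid namespace that proc instance is bound
 * to. Linux only. Names such as run_demo and DEMO_OK are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER /* in case <sched.h> was read before _GNU_SOURCE took effect */
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#endif
int unshare(int flags);

/* 0: ENOENT as the message says; 1: the kernel did something else;
 * 2: could not create namespaces or mount proc here, so nothing was checked. */
enum { DEMO_OK = 0, DEMO_UNEXPECTED = 1, DEMO_UNSUPPORTED = 2 };

/* readlink(<procroot>/self) into out: 0 on success, -errno on failure. */
int self_link(const char *procroot, char *out, size_t n)
{
    char path[256];
    snprintf(path, sizeof path, "%s/self", procroot);
    ssize_t len = readlink(path, out, n - 1);
    if (len < 0)
        return -errno;
    out[len] = '\0';
    return 0;
}

static int write_str(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    ssize_t w = fd < 0 ? -1 : write(fd, s, strlen(s));
    if (fd >= 0)
        close(fd);
    return w == (ssize_t)strlen(s) ? 0 : -1;
}

/* pid 1 of the new pid namespace: mount a proc instance bound to it on dir,
 * report what /self links to, then wait to be killed so the namespace stays
 * alive while the parent inspects the same mount. */
static void ns_init(const char *dir, int report_fd)
{
    char buf[32], msg = 'X'; /* X: mount refused, B: /self not "1", M: as expected */
    mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL); /* keep the mount local */
    if (mount("proc", dir, "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) == 0)
        msg = (self_link(dir, buf, sizeof buf) == 0 && !strcmp(buf, "1")) ? 'M' : 'B';
    if (write(report_fd, &msg, 1) != 1)
        _exit(1);
    for (;;)
        pause();
}

/* Enter new user, mount and pid namespaces (this task keeps its old pid),
 * fork ns_init() into the new pid ns, then read that instance's /self. */
static int ns_parent(const char *dir)
{
    char buf[32], msg;
    int pfd[2], rc = DEMO_UNSUPPORTED;
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID) < 0)
        return DEMO_UNSUPPORTED;
    /* Map our own ids so we hold CAP_SYS_ADMIN in the new user namespace. */
    write_str("/proc/self/setgroups", "deny");
    snprintf(buf, sizeof buf, "%u %u 1\n", (unsigned)getgid(), (unsigned)getgid());
    if (write_str("/proc/self/gid_map", buf) < 0)
        return DEMO_UNSUPPORTED;
    snprintf(buf, sizeof buf, "%u %u 1\n", (unsigned)getuid(), (unsigned)getuid());
    if (write_str("/proc/self/uid_map", buf) < 0 || pipe(pfd) < 0)
        return DEMO_UNSUPPORTED;
    pid_t child = fork(); /* first fork after CLONE_NEWPID: pid 1 in there */
    if (child < 0)
        return DEMO_UNSUPPORTED;
    if (child == 0) {
        close(pfd[0]);
        ns_init(dir, pfd[1]);
    }
    close(pfd[1]);
    if (read(pfd[0], &msg, 1) == 1 && msg != 'X') {
        /* Same mount namespace, so dir is the child's proc instance, but
         * task_tgid_nr_ns(current, that ns) is 0 for us: readlink must fail
         * with ENOENT rather than hand back some other process's number. */
        rc = (msg == 'M' && self_link(dir, buf, sizeof buf) == -ENOENT) ? DEMO_OK : DEMO_UNEXPECTED;
    }
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return rc;
}

/* Run everything in a throwaway child so the caller's namespaces are untouched. */
int run_demo(void)
{
    char dir[] = "/tmp/nsproc-XXXXXX";
    int status = 0, rc = DEMO_UNSUPPORTED;
    if (mkdtemp(dir) == NULL)
        return DEMO_UNSUPPORTED;
    pid_t pid = fork();
    if (pid == 0)
        _exit(ns_parent(dir));
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    rmdir(dir);
    return rc;
}
```

run_demo() returns 0 when the kernel behaves as Eric says (readlink on the child's proc instance fails with ENOENT for the outside pid), 1 only if the kernel resolved /self to something else, and 2 where the check could not be made at all: user namespaces disabled by sysctl, unshare or mount refused by a container seccomp or AppArmor profile, or an existing /proc with masked subdirectories, which makes the kernel reject a fresh proc mount from an unprivileged user namespace. The new proc instance is mounted nosuid,nodev,noexec because the kernel requires it to be at least as restrictive as the proc mount already visible in the mount namespace.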