| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <52D4F471.7020600@redhat.com> Date: Tue, 14 Jan 2014 09:25:21 +0100 From: Jan Kaluža <jkaluza@...hat.com> To: Casey Schaufler <casey@...aufler-ca.com>, davem@...emloft.net CC: LKML <linux-kernel@...r.kernel.org>, netdev@...r.kernel.org, eparis@...hat.com, rgb@...hat.com, tj@...nel.org, lizefan@...wei.com, containers@...ts.linux-foundation.org, cgroups@...r.kernel.org, viro@...iv.linux.org.uk Subject: Re: [PATCH v4 0/3] Send audit/procinfo/cgroup data in socket-level control message On 01/13/2014 08:44 PM, Casey Schaufler wrote: > On 1/13/2014 12:01 AM, Jan Kaluza wrote: >> Hi, >> >> this patchset against net-next (applies also to linux-next) adds 3 new types >> of "Socket"-level control message (SCM_AUDIT, SCM_PROCINFO and SCM_CGROUP). > > How about the group list, while you're at it? That would be of course possible, but I would rather start with these three patches at the beginning before adding more features, because I'm not sure if there is consensus on accepting them. But I have no problem with introducing group list later. >> >> Server-like processes in many cases need credentials and other >> metadata of the peer, to decide if the calling process is allowed to >> request a specific action, or the server just wants to log away this >> type of information for auditing tasks. >> >> The current practice to retrieve such process metadata is to look that >> information up in procfs with the $PID received over SCM_CREDENTIALS. >> This is sufficient for long-running tasks, but introduces a race which >> cannot be worked around for short-living processes; the calling >> process and all the information in /proc/$PID/ is gone before the >> receiver of the socket message can look it up. >> >> Changes introduced in this patchset can also increase performance >> of such server-like processes, because current way of opening and >> parsing /proc/$PID/* files is much more expensive than receiving these >> metadata using SCM. >> >> Changes in v4: >> - Rebased to work with the latest net-next tree >> >> Changes in v3: >> - Better description of patches (Thanks to Kay Sievers) >> >> Changes in v2: >> - use PATH_MAX instead of PAGE_SIZE in SCM_CGROUP patch >> - describe each patch individually >> >> Jan Kaluza (3): >> Send loginuid and sessionid in SCM_AUDIT >> Send comm and cmdline in SCM_PROCINFO >> Send cgroup_path in SCM_CGROUP >> >> include/linux/socket.h | 9 ++++++ >> include/net/af_unix.h | 10 ++++++ >> include/net/scm.h | 67 ++++++++++++++++++++++++++++++++++++++-- >> net/core/scm.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++ >> net/unix/af_unix.c | 70 ++++++++++++++++++++++++++++++++++++++++++ >> 5 files changed, 237 insertions(+), 2 deletions(-) >> > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists