Message-ID: <20110816062515.GB3733@albatros>
Date: Tue, 16 Aug 2011 10:25:15 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: 32/64 bitness restriction for pid namespace

On Tue, Aug 16, 2011 at 01:46 +0400, Solar Designer wrote:
> > My point is still that we should keep the only flag - lock current
> > process and implement simple re-exec of vzctl.
> 
> It's not so simple.  It means, for example, that Owl built for x86_64
> should also contain a version of vzctl built for i686 - but it normally
> lacks development tools and libraries for that (we don't currently do
> multilib within a single build of Owl).
> 
> > But other ways like workaround of multiple execve() calls are welcome.
> 
> Given your discovery, maybe we should have execve() return an error code
> like -EPERM, such that the library would not try the shell?

Other way - do syscall(__NR_execve, ...) instead of execve(...).  It is
a bit ugly, but given it will be used in only one place (and explicitly
by programs, without any wrapper) IMO it's acceptable.

-- 
Vasiliy
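
The following is an added example, not code from this thread or from vzctl/Owl, illustrating the difference the message above relies on: glibc's execvp() retries a file that the kernel rejected with ENOEXEC as "/bin/sh <file>", while a direct syscall(__NR_execve, ...) just reports the kernel's error and never consults the shell. It assumes Linux with glibc, a writable and exec-capable /tmp, and the helper names (raw_execve, try_exec, make_script_without_shebang) are invented for the demonstration.

```c
/* Added example (not from the original thread): compare glibc execvp()
 * with a raw execve syscall on a file the kernel refuses with ENOEXEC.
 * Assumes Linux/glibc; helper names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Raw execve as proposed above: bypasses every libc wrapper, so the
 * kernel's verdict (e.g. ENOEXEC) comes back unchanged. Returns only on
 * failure, with errno set. */
static int raw_execve(const char *path, char *const argv[], char *const envp[])
{
    return (int)syscall(SYS_execve, path, argv, envp);
}

/* Constructed sample input: an executable file with no "#!" line.
 * The kernel has no binfmt handler for it, so execve() fails with ENOEXEC.
 * If something does run it as a shell script, it exits with status 42. */
static int make_script_without_shebang(char *path, size_t len)
{
    snprintf(path, len, "%s", "/tmp/enoexec-demo-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    const char body[] = "exit 42\n";
    if (write(fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1) ||
        fchmod(fd, 0755) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return 0;
}

/* Fork, try to execute the file in the child, and report what happened:
 *   42     -> the file was run as a shell script (libc fell back to /bin/sh)
 *   errno  -> exec failed in the child and nothing fell back to a shell
 *   -1     -> setup error
 * use_raw_syscall selects syscall(SYS_execve) instead of execvp(). */
static int try_exec(int use_raw_syscall)
{
    char path[64];
    if (make_script_without_shebang(path, sizeof path) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        unlink(path);
        return -1;
    }
    if (pid == 0) {
        char *argv[] = { path, NULL };
        if (use_raw_syscall)
            raw_execve(path, argv, environ);   /* ENOEXEC stays ENOEXEC */
        else
            execvp(path, argv);                /* glibc: ENOEXEC => /bin/sh */
        _exit(errno);                          /* only reached on failure */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    unlink(path);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int libc = try_exec(0);
    int raw = try_exec(1);
    printf("execvp():                 %s\n",
           libc == 42 ? "file was run via /bin/sh" : strerror(libc));
    printf("syscall(SYS_execve, ...): %s\n",
           raw == 42 ? "file was run via /bin/sh" : strerror(raw));
    return 0;
}
```

On glibc the first line reports that the shebang-less file was run via /bin/sh, while the raw syscall reports "Exec format error": whatever execve() returns for the locked process, the shell is never tried because no wrapper sees the error. A libc without the fallback (musl, for instance) reports ENOEXEC on both paths.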
