Message-ID: <20111123144928.GA3893@hallyn.com>
Date: Wed, 23 Nov 2011 14:49:28 +0000
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Vasiliy Kulikov <segoon@...nwall.com>
Cc: Serge Hallyn <serge.hallyn@...onical.com>, Kees Cook <keescook@...omium.org>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, kernel-hardening@...ts.openwall.com
Subject: Re: [RFC] Make Yama pid_ns aware

Quoting Vasiliy Kulikov (segoon@...nwall.com):
> Actually, what concerns me is not ptrace, but symlink/hardlink
> protection. There is no interaction between namespaces in case of
> containers via symlinks in the basic case. In case of ptrace I don't
> think the child ns may weaken the parent ns - child ns may not access
> processes of the parent namespace and everything it may ptrace is
> already inside of this ns.

Oh, yes. If you're saying the symlink protection shouldn't be per-pidns, I agree it seems an odd fit. How about a version of this patch leaving symlink protection out of pidns (maybe in user ns), and just putting ptrace protection per-pidns?

-serge