Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5j+Y6JnTFhw3Fax_MYLvLLBMO5JOHLgaVyBB2LMsOwhUHw@mail.gmail.com>
Date: Mon, 28 Nov 2011 10:12:50 -0800
From: Kees Cook <keescook@...omium.org>
To: Vasiliy Kulikov <segoon@...nwall.com>
Cc: "Serge E. Hallyn" <serge@...lyn.com>, Serge Hallyn <serge.hallyn@...onical.com>, 
	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, 
	kernel-hardening@...ts.openwall.com
Subject: Re: [RFC] Make Yama pid_ns aware

On Wed, Nov 23, 2011 at 8:55 AM, Vasiliy Kulikov <segoon@...nwall.com> wrote:
> On Wed, Nov 23, 2011 at 14:49 +0000, Serge E. Hallyn wrote:
>> Quoting Vasiliy Kulikov (segoon@...nwall.com):
>> > Actually, what concerns me is not ptrace, but symlink/hardling
>> > protection.  There is no interaction between namespaces in case of
>> > containers via symlinks in the basic case.  In case of ptrace I don't
>> > think the child ns may weaken the parent ns - child ns may not access
>> > processes of the parent namespace and everything it may ptrace is
>> > already inside of this ns.
>>
>> Oh, yes.  If you're saying the symlink protection shouldn't be
>> per-pidns, I agree it seems an odd fit.
>>
>> How about a version of this patch leaving symlink protection
>> out of pidns (maybe in user ns), and just putting ptrace
>> protection per-pidns?
>
> I don't think moving symlink/hardling from pid ns to user ns is a good
> idea as user ns is not matured yet.  Also we (Openwall) want to use Yama
> almost as-is in our RHEL6 and RHEL5-based kernels with OpenVZ support
> which don't have user namespaces yet at all (yes, it is not a cause for
> mainline decisions :-) ).
>
> While user ns is not yet ready, I don't clearly see what is the division
> of security policies among namespaces including user namespace.  I had
> a view that all stuff related to processes (i.e. distinct processes in
> several ways) belongs to pid ns, all net stuff to net ns, etc.  If we
> differentiate user ns and pid ns, only strictly things handling pids
> (like kill(2), procfs, ptrace(2), etc.) belong to pid ns and all other
> process-related stuff (like credentials handling, these symlink/hardling
> things, etc.) belong to user namespaces.
>
> Can we probably leave them in pid ns for now and when user ns is matured
> just move it from pid ns to user ns?  Is it possible without breaking
> Yama's ABI (I think so)?

So it sounds like you'll send a new patch where only ptrace_scope is
tied to pidns?

-Kees

-- 
Kees Cook
ChromeOS Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.