Mike Waychison wrote:
> >No need to hijack, it's already done. Removing calls to
> >proc_check_root() will allow access to different namespaces detached
> >mounts, etc. It's been tried and actually works.
>
> See previous message as why we don't want to allow this.
If you can ptrace any process which is in another namespace, then you
_effectively_ have full access to that namespace. It's quite easy to
do, and negates the supposed security of namespaces.
Because of that, there's _no_ real security benefit from denying
access to /proc/NNN/fd/ if you are able to ptrace task NNN.
What I think makes sense is this:
1. Deny access to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
if task NNN cannot be ptraced.
3. Allow entry to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
if ptrace is allowed; the namespace being irrelevant.
3. Use _exactly_ the same condition as for ptracing,
i.e. MAY_PTRACE in fs/proc/base.c. Ensure that condition is
consistent with the tests in kernel/ptrace.c, possibly putting
the condition in a common header file to keep it consistent in
future.
4. If further restrictions are desired, to make namespaces more
strict, those should be implemented by further restrictions on
which tasks are allowed to ptrace other tasks.
-- Jamie
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]