Re: [RFC][PATCH] rbind across namespaces

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jamie Lokier wrote:
Mike Waychison wrote:

No need to hijack, it's already done.  Removing calls to
proc_check_root() will allow access to different namespaces detached
mounts, etc.  It's been tried and actually works.

See previous message as why we don't want to allow this.


If you can ptrace any process which is in another namespace, then you
_effectively_ have full access to that namespace.  It's quite easy to
do, and negates the supposed security of namespaces.

Because of that, there's _no_ real security benefit from denying
access to /proc/NNN/fd/ if you are able to ptrace task NNN.

What I think makes sense is this:

   1. Deny access to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
      if task NNN cannot be ptraced.

   3. Allow entry to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
      if ptrace is allowed; the namespace being irrelevant.

   3. Use _exactly_ the same condition as for ptracing,
      i.e. MAY_PTRACE in fs/proc/base.c.  Ensure that condition is
      consistent with the tests in kernel/ptrace.c, possibly putting
      the condition in a common header file to keep it consistent in
      future.

   4. If further restrictions are desired, to make namespaces more
      strict, those should be implemented by further restrictions on
      which tasks are allowed to ptrace other tasks.


Indeed. A combination of MAY_PTRACE ||ed with a check against current sounds reasonable to me.

Mike Waychison
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux