From: David Drysdale <drysdale@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: LSM List <linux-security-module@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Meredydd Luff <meredydd@senatehouse.org>,
Kees Cook <keescook@chromium.org>,
James Morris <james.l.morris@oracle.com>,
Linux API <linux-api@vger.kernel.org>,
qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)
Date: Thu, 3 Jul 2014 19:39:27 +0100 [thread overview]
Message-ID: <20140703183927.GA1629@google.com> (raw)
In-Reply-To: <53B51E81.4090700@redhat.com>
On Thu, Jul 03, 2014 at 11:12:33AM +0200, Paolo Bonzini wrote:
> Il 30/06/2014 12:28, David Drysdale ha scritto:
> >Hi all,
> >
> >The last couple of versions of FreeBSD (9.x/10.x) have included the
> >Capsicum security framework [1], which allows security-aware
> >applications to sandbox themselves in a very fine-grained way. For
> >example, OpenSSH now (>= 6.5) uses Capsicum in its FreeBSD version to
> >restrict sshd's credentials checking process, to reduce the chances of
> >credential leakage.
>
> Hi David,
>
> we've had similar goals in QEMU. QEMU can be used as a virtual
> machine monitor from the command line, but it also has an API that
> lets a management tool drive QEMU via AF_UNIX sockets. Long term,
> we would like to have a restricted mode for QEMU where all file
> descriptors are obtained via SCM_RIGHTS or /dev/fd, and syscalls can
> be locked down.
>
> Currently we do use seccomp v2 BPF filters, but unfortunately this
> didn't help very much. QEMU supports hotplugging hence the filter
> must whitelist anything that _might_ be used in the future, which is
> generally... too much.
>
> Something like Capsicum would be really nice because it attaches
> capabilities to file descriptors. However, I wonder however how
> extensible Capsicum could be, and I am worried about the
> proliferation of capabilities that its design naturally leads to.
True, capability rights are likely to expand over time (although
FreeBSD only expanded from 55 to 60 between 9.x and 10.x).
> Given Linux's previous experience with BPF filters, what do you
> think about attaching specific BPF programs to file descriptors?
> Then whenever a syscall is run that affects a file descriptor, the
> BPF program for the file descriptor (attached to a struct file* as
> in Capsicum) would run in addition to the process-wide filter.
That sounds kind of clever, but also kind of complicated.
Off the top of my head, one particular problem is that not all
fd->struct file conversions in the kernel are completely specified
by an enclosing syscall and the explicit values of its parameters.
For example, the actual contents of the arguments to io_submit(2)
aren't visible to a seccomp-bpf program (as it can't read the __user
memory for the iocb structures), and so it can't distinguish a
read from a write.
Also, there could potentially be some odd interactions with file
descriptors passed between processes, if the BPF program relies
on assumptions about the environment of the original process. For
example, what happens if an x86_64 process passes a filter-attached
FD to an ia32 process? Given that the syscall numbers are
arch-specific, I guess that means the filter program would have
to include arch-specific branches for any possible variant.
More generally, I suspect that keeping things simpler will end
up being more secure. Capsicum was based on well-studied ideas
from the world of object capability-based security, and I'd be
nervous about adding complications that take us further away from
that.
> An equivalent of PR_SET_NO_NEW_PRIVS can also be added to file
> descriptors, so that a program that doesn't lock down syscalls can
> still lock down the operations (including fcntls and ioctls) on
> specific file descriptors.
>
> Converting FreeBSD capabilities to BPF programs can be easily
> implemented in userspace.
I get the idea, but I'm not sure it would be that easy! The
BPF-generation library would need to hold all of the mappings
from system calls (and their arguments) to the equivalent
required rights -- and vice versa.
That mapping would also need be kept closely in sync with the kernel
and other system libraries -- if a new syscall is added and libc (or
some other library) started using it, the equivalent BPF chunks would
need to be updated to cope.
> > [Capsicum also includes 'capability mode', which locks down the
> > available syscalls so the rights restrictions can't just be bypassed
> > by opening new file descriptors; I'll describe that separately later.]
>
> This can also be implemented in userspace via seccomp and
> PR_SET_NO_NEW_PRIVS.
Well, mostly (and in fact I've got an attempt to do exactly that at
https://github.com/google/capsicum-test/blob/dev/linux-bpf-capmode.c).
But there are a few wrinkles with that approach.
First, we need Kees Cook's patches to allow seccomp filters
to be synchronized across existing threads, but hopefully they
will make it in soon.
Next, there's one awkward syscall case. In capability mode we'd like
to prevent processes from sending signals with kill(2)/tgkill(2)
to other processes, but they should still be able to send themselves
signals. For example, abort(3) generates:
tgkill(gettid(), gettid(), SIGABRT)
Only allowing kill(self) is hard to encode in a seccomp-bpf program, at
least in a way that survives forking.
Finally, capability mode also turns on strict-relative lookups
process-wide; in other words, every openat(dfd, ...) operation
acts as though it has the O_BENEATH_ONLY flag set, regardless of
whether the dfd is a Capsicum capability. I can't see a way to
do that with a BPF program (although it would be possible to add
a filter that polices the requirement to include O_BENEATH_ONLY
rather than implicitly adding it).
So although a capability-mode implementation in terms of seccomp-bpf
is tantalizingly close, at the moment I've got it implemented as a new
seccomp mode.
> > [Policing the rights checks anywhere else, for example at the system
> > call boundary, isn't a good idea because it opens up the possibility
> > of time-of-check/time-of-use (TOCTOU) attacks [2] where FDs are
> > changed (as openat/close/dup2 are allowed in capability mode) between
> > the 'check' at syscall entry and the 'use' at fget() invocation.]
>
> In the case of BPF filters, I wonder if you could stash the BPF
> "environment" somewhere and then use it at fget() invocation.
> Alternatively, it can be reconstructed at fget() time, similar to
> your introduction of fgetr().
Stashing something at syscall entry to be referred to later always
makes me worry about TOCTOU vulnerabilities, but the details might
be OK in this case (given that no check occurs at syscall entry)...
> Thanks,
>
> Paolo
Many thanks for taking the time to comment and think of innovative
ideas!
David
WARNING: multiple messages have this Message-ID (diff)
From: David Drysdale <drysdale-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
To: Paolo Bonzini <pbonzini-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: LSM List
<linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Greg Kroah-Hartman
<gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>,
Alexander Viro
<viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>,
Meredydd Luff <meredydd-zPN50pYk8eUaUu29zAJCuw@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
James Morris
<james.l.morris-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
qemu-devel <qemu-devel-qX2TKyscuCcdnm+yROfE0A@public.gmane.org>
Subject: Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)
Date: Thu, 3 Jul 2014 19:39:27 +0100 [thread overview]
Message-ID: <20140703183927.GA1629@google.com> (raw)
In-Reply-To: <53B51E81.4090700-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On Thu, Jul 03, 2014 at 11:12:33AM +0200, Paolo Bonzini wrote:
> Il 30/06/2014 12:28, David Drysdale ha scritto:
> >Hi all,
> >
> >The last couple of versions of FreeBSD (9.x/10.x) have included the
> >Capsicum security framework [1], which allows security-aware
> >applications to sandbox themselves in a very fine-grained way. For
> >example, OpenSSH now (>= 6.5) uses Capsicum in its FreeBSD version to
> >restrict sshd's credentials checking process, to reduce the chances of
> >credential leakage.
>
> Hi David,
>
> we've had similar goals in QEMU. QEMU can be used as a virtual
> machine monitor from the command line, but it also has an API that
> lets a management tool drive QEMU via AF_UNIX sockets. Long term,
> we would like to have a restricted mode for QEMU where all file
> descriptors are obtained via SCM_RIGHTS or /dev/fd, and syscalls can
> be locked down.
>
> Currently we do use seccomp v2 BPF filters, but unfortunately this
> didn't help very much. QEMU supports hotplugging hence the filter
> must whitelist anything that _might_ be used in the future, which is
> generally... too much.
>
> Something like Capsicum would be really nice because it attaches
> capabilities to file descriptors. However, I wonder however how
> extensible Capsicum could be, and I am worried about the
> proliferation of capabilities that its design naturally leads to.
True, capability rights are likely to expand over time (although
FreeBSD only expanded from 55 to 60 between 9.x and 10.x).
> Given Linux's previous experience with BPF filters, what do you
> think about attaching specific BPF programs to file descriptors?
> Then whenever a syscall is run that affects a file descriptor, the
> BPF program for the file descriptor (attached to a struct file* as
> in Capsicum) would run in addition to the process-wide filter.
That sounds kind of clever, but also kind of complicated.
Off the top of my head, one particular problem is that not all
fd->struct file conversions in the kernel are completely specified
by an enclosing syscall and the explicit values of its parameters.
For example, the actual contents of the arguments to io_submit(2)
aren't visible to a seccomp-bpf program (as it can't read the __user
memory for the iocb structures), and so it can't distinguish a
read from a write.
Also, there could potentially be some odd interactions with file
descriptors passed between processes, if the BPF program relies
on assumptions about the environment of the original process. For
example, what happens if an x86_64 process passes a filter-attached
FD to an ia32 process? Given that the syscall numbers are
arch-specific, I guess that means the filter program would have
to include arch-specific branches for any possible variant.
More generally, I suspect that keeping things simpler will end
up being more secure. Capsicum was based on well-studied ideas
from the world of object capability-based security, and I'd be
nervous about adding complications that take us further away from
that.
> An equivalent of PR_SET_NO_NEW_PRIVS can also be added to file
> descriptors, so that a program that doesn't lock down syscalls can
> still lock down the operations (including fcntls and ioctls) on
> specific file descriptors.
>
> Converting FreeBSD capabilities to BPF programs can be easily
> implemented in userspace.
I get the idea, but I'm not sure it would be that easy! The
BPF-generation library would need to hold all of the mappings
from system calls (and their arguments) to the equivalent
required rights -- and vice versa.
That mapping would also need be kept closely in sync with the kernel
and other system libraries -- if a new syscall is added and libc (or
some other library) started using it, the equivalent BPF chunks would
need to be updated to cope.
> > [Capsicum also includes 'capability mode', which locks down the
> > available syscalls so the rights restrictions can't just be bypassed
> > by opening new file descriptors; I'll describe that separately later.]
>
> This can also be implemented in userspace via seccomp and
> PR_SET_NO_NEW_PRIVS.
Well, mostly (and in fact I've got an attempt to do exactly that at
https://github.com/google/capsicum-test/blob/dev/linux-bpf-capmode.c).
But there are a few wrinkles with that approach.
First, we need Kees Cook's patches to allow seccomp filters
to be synchronized across existing threads, but hopefully they
will make it in soon.
Next, there's one awkward syscall case. In capability mode we'd like
to prevent processes from sending signals with kill(2)/tgkill(2)
to other processes, but they should still be able to send themselves
signals. For example, abort(3) generates:
tgkill(gettid(), gettid(), SIGABRT)
Only allowing kill(self) is hard to encode in a seccomp-bpf program, at
least in a way that survives forking.
Finally, capability mode also turns on strict-relative lookups
process-wide; in other words, every openat(dfd, ...) operation
acts as though it has the O_BENEATH_ONLY flag set, regardless of
whether the dfd is a Capsicum capability. I can't see a way to
do that with a BPF program (although it would be possible to add
a filter that polices the requirement to include O_BENEATH_ONLY
rather than implicitly adding it).
So although a capability-mode implementation in terms of seccomp-bpf
is tantalizingly close, at the moment I've got it implemented as a new
seccomp mode.
> > [Policing the rights checks anywhere else, for example at the system
> > call boundary, isn't a good idea because it opens up the possibility
> > of time-of-check/time-of-use (TOCTOU) attacks [2] where FDs are
> > changed (as openat/close/dup2 are allowed in capability mode) between
> > the 'check' at syscall entry and the 'use' at fget() invocation.]
>
> In the case of BPF filters, I wonder if you could stash the BPF
> "environment" somewhere and then use it at fget() invocation.
> Alternatively, it can be reconstructed at fget() time, similar to
> your introduction of fgetr().
Stashing something at syscall entry to be referred to later always
makes me worry about TOCTOU vulnerabilities, but the details might
be OK in this case (given that no check occurs at syscall entry)...
> Thanks,
>
> Paolo
Many thanks for taking the time to comment and think of innovative
ideas!
David
WARNING: multiple messages have this Message-ID (diff)
From: David Drysdale <drysdale@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Kees Cook <keescook@chromium.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Meredydd Luff <meredydd@senatehouse.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
qemu-devel <qemu-devel@nongnu.org>,
LSM List <linux-security-module@vger.kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
James Morris <james.l.morris@oracle.com>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [Qemu-devel] [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)
Date: Thu, 3 Jul 2014 19:39:27 +0100 [thread overview]
Message-ID: <20140703183927.GA1629@google.com> (raw)
In-Reply-To: <53B51E81.4090700@redhat.com>
On Thu, Jul 03, 2014 at 11:12:33AM +0200, Paolo Bonzini wrote:
> Il 30/06/2014 12:28, David Drysdale ha scritto:
> >Hi all,
> >
> >The last couple of versions of FreeBSD (9.x/10.x) have included the
> >Capsicum security framework [1], which allows security-aware
> >applications to sandbox themselves in a very fine-grained way. For
> >example, OpenSSH now (>= 6.5) uses Capsicum in its FreeBSD version to
> >restrict sshd's credentials checking process, to reduce the chances of
> >credential leakage.
>
> Hi David,
>
> we've had similar goals in QEMU. QEMU can be used as a virtual
> machine monitor from the command line, but it also has an API that
> lets a management tool drive QEMU via AF_UNIX sockets. Long term,
> we would like to have a restricted mode for QEMU where all file
> descriptors are obtained via SCM_RIGHTS or /dev/fd, and syscalls can
> be locked down.
>
> Currently we do use seccomp v2 BPF filters, but unfortunately this
> didn't help very much. QEMU supports hotplugging hence the filter
> must whitelist anything that _might_ be used in the future, which is
> generally... too much.
>
> Something like Capsicum would be really nice because it attaches
> capabilities to file descriptors. However, I wonder however how
> extensible Capsicum could be, and I am worried about the
> proliferation of capabilities that its design naturally leads to.
True, capability rights are likely to expand over time (although
FreeBSD only expanded from 55 to 60 between 9.x and 10.x).
> Given Linux's previous experience with BPF filters, what do you
> think about attaching specific BPF programs to file descriptors?
> Then whenever a syscall is run that affects a file descriptor, the
> BPF program for the file descriptor (attached to a struct file* as
> in Capsicum) would run in addition to the process-wide filter.
That sounds kind of clever, but also kind of complicated.
Off the top of my head, one particular problem is that not all
fd->struct file conversions in the kernel are completely specified
by an enclosing syscall and the explicit values of its parameters.
For example, the actual contents of the arguments to io_submit(2)
aren't visible to a seccomp-bpf program (as it can't read the __user
memory for the iocb structures), and so it can't distinguish a
read from a write.
Also, there could potentially be some odd interactions with file
descriptors passed between processes, if the BPF program relies
on assumptions about the environment of the original process. For
example, what happens if an x86_64 process passes a filter-attached
FD to an ia32 process? Given that the syscall numbers are
arch-specific, I guess that means the filter program would have
to include arch-specific branches for any possible variant.
More generally, I suspect that keeping things simpler will end
up being more secure. Capsicum was based on well-studied ideas
from the world of object capability-based security, and I'd be
nervous about adding complications that take us further away from
that.
> An equivalent of PR_SET_NO_NEW_PRIVS can also be added to file
> descriptors, so that a program that doesn't lock down syscalls can
> still lock down the operations (including fcntls and ioctls) on
> specific file descriptors.
>
> Converting FreeBSD capabilities to BPF programs can be easily
> implemented in userspace.
I get the idea, but I'm not sure it would be that easy! The
BPF-generation library would need to hold all of the mappings
from system calls (and their arguments) to the equivalent
required rights -- and vice versa.
That mapping would also need be kept closely in sync with the kernel
and other system libraries -- if a new syscall is added and libc (or
some other library) started using it, the equivalent BPF chunks would
need to be updated to cope.
> > [Capsicum also includes 'capability mode', which locks down the
> > available syscalls so the rights restrictions can't just be bypassed
> > by opening new file descriptors; I'll describe that separately later.]
>
> This can also be implemented in userspace via seccomp and
> PR_SET_NO_NEW_PRIVS.
Well, mostly (and in fact I've got an attempt to do exactly that at
https://github.com/google/capsicum-test/blob/dev/linux-bpf-capmode.c).
But there are a few wrinkles with that approach.
First, we need Kees Cook's patches to allow seccomp filters
to be synchronized across existing threads, but hopefully they
will make it in soon.
Next, there's one awkward syscall case. In capability mode we'd like
to prevent processes from sending signals with kill(2)/tgkill(2)
to other processes, but they should still be able to send themselves
signals. For example, abort(3) generates:
tgkill(gettid(), gettid(), SIGABRT)
Only allowing kill(self) is hard to encode in a seccomp-bpf program, at
least in a way that survives forking.
Finally, capability mode also turns on strict-relative lookups
process-wide; in other words, every openat(dfd, ...) operation
acts as though it has the O_BENEATH_ONLY flag set, regardless of
whether the dfd is a Capsicum capability. I can't see a way to
do that with a BPF program (although it would be possible to add
a filter that polices the requirement to include O_BENEATH_ONLY
rather than implicitly adding it).
So although a capability-mode implementation in terms of seccomp-bpf
is tantalizingly close, at the moment I've got it implemented as a new
seccomp mode.
> > [Policing the rights checks anywhere else, for example at the system
> > call boundary, isn't a good idea because it opens up the possibility
> > of time-of-check/time-of-use (TOCTOU) attacks [2] where FDs are
> > changed (as openat/close/dup2 are allowed in capability mode) between
> > the 'check' at syscall entry and the 'use' at fget() invocation.]
>
> In the case of BPF filters, I wonder if you could stash the BPF
> "environment" somewhere and then use it at fget() invocation.
> Alternatively, it can be reconstructed at fget() time, similar to
> your introduction of fgetr().
Stashing something at syscall entry to be referred to later always
makes me worry about TOCTOU vulnerabilities, but the details might
be OK in this case (given that no check occurs at syscall entry)...
> Thanks,
>
> Paolo
Many thanks for taking the time to comment and think of innovative
ideas!
David
next prev parent reply other threads:[~2014-07-03 18:39 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-30 10:28 [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) David Drysdale
2014-06-30 10:28 ` [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) David Drysdale
2014-06-30 14:49 ` Andy Lutomirski
2014-06-30 15:49 ` David Drysdale
2014-06-30 15:53 ` Andy Lutomirski
2014-07-08 12:07 ` Christoph Hellwig
2014-07-08 12:07 ` Christoph Hellwig
2014-07-08 12:48 ` Meredydd Luff
2014-07-08 12:48 ` Meredydd Luff
2014-07-08 12:51 ` Christoph Hellwig
2014-07-08 12:51 ` Christoph Hellwig
2014-07-08 13:04 ` Meredydd Luff
2014-07-08 13:04 ` Meredydd Luff
2014-07-08 13:12 ` Christoph Hellwig
2014-06-30 20:40 ` Andi Kleen
2014-06-30 21:11 ` Andy Lutomirski
2014-07-01 9:53 ` David Drysdale
2014-07-01 9:53 ` David Drysdale
2014-07-01 18:58 ` Loganaden Velvindron
2014-07-08 12:03 ` Christoph Hellwig
2014-07-08 12:03 ` Christoph Hellwig
2014-07-08 16:54 ` David Drysdale
2014-07-08 16:54 ` David Drysdale
2014-07-09 8:48 ` Christoph Hellwig
2014-06-30 10:28 ` [PATCH 02/11] selftests: Add test of O_BENEATH_ONLY & openat(2) David Drysdale
2014-06-30 10:28 ` David Drysdale
2014-06-30 10:28 ` [PATCH 03/11] capsicum: rights values and structure definitions David Drysdale
2014-06-30 10:28 ` David Drysdale
2014-06-30 10:28 ` [PATCH 04/11] capsicum: implement fgetr() and friends David Drysdale
2014-06-30 10:28 ` David Drysdale
2014-06-30 10:28 ` [PATCH 05/11] capsicum: convert callers to use fgetr() etc David Drysdale
2014-06-30 10:28 ` [PATCH 06/11] capsicum: implement sockfd_lookupr() David Drysdale
2014-06-30 10:28 ` [PATCH 07/11] capsicum: convert callers to use sockfd_lookupr() etc David Drysdale
2014-06-30 10:28 ` [PATCH 08/11] capsicum: add new LSM hooks on FD/file conversion David Drysdale
2014-06-30 10:28 ` [PATCH 09/11] capsicum: implementations of new LSM hooks David Drysdale
2014-06-30 16:05 ` Andy Lutomirski
2014-06-30 16:05 ` Andy Lutomirski
2014-07-02 13:49 ` Paul Moore
2014-07-02 13:49 ` Paul Moore
2014-07-02 17:09 ` David Drysdale
2014-07-02 17:09 ` David Drysdale
2014-06-30 10:28 ` [PATCH 10/11] capsicum: invocation " David Drysdale
2014-06-30 10:28 ` [PATCH 11/11] capsicum: add syscalls to limit FD rights David Drysdale
2014-06-30 10:28 ` [PATCH 1/5] man-pages: open.2: describe O_BENEATH_ONLY flag David Drysdale
2014-06-30 22:22 ` Andy Lutomirski
2014-06-30 10:28 ` [PATCH 2/5] man-pages: capsicum.7: describe Capsicum capability framework David Drysdale
2014-06-30 10:28 ` [PATCH 3/5] man-pages: rights.7: Describe Capsicum primary rights David Drysdale
2014-06-30 10:28 ` [PATCH 4/5] man-pages: cap_rights_limit.2: limit FD rights for Capsicum David Drysdale
2014-06-30 14:53 ` Andy Lutomirski
2014-06-30 14:53 ` Andy Lutomirski
2014-06-30 15:35 ` David Drysdale
2014-06-30 15:35 ` David Drysdale
2014-06-30 16:06 ` Andy Lutomirski
2014-06-30 16:06 ` Andy Lutomirski
2014-06-30 16:32 ` David Drysdale
2014-06-30 10:28 ` [PATCH 5/5] man-pages: cap_rights_get: retrieve Capsicum fd rights David Drysdale
2014-06-30 22:28 ` Andy Lutomirski
2014-06-30 22:28 ` Andy Lutomirski
2014-07-01 9:19 ` David Drysdale
2014-07-01 9:19 ` David Drysdale
2014-07-01 14:18 ` Andy Lutomirski
2014-07-03 9:12 ` [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) Paolo Bonzini
2014-07-03 9:12 ` [Qemu-devel] " Paolo Bonzini
2014-07-03 10:01 ` Loganaden Velvindron
2014-07-03 10:01 ` [Qemu-devel] " Loganaden Velvindron
2014-07-03 18:39 ` David Drysdale [this message]
2014-07-03 18:39 ` David Drysdale
2014-07-03 18:39 ` David Drysdale
2014-07-04 7:03 ` Paolo Bonzini
2014-07-04 7:03 ` [Qemu-devel] " Paolo Bonzini
2014-07-04 7:03 ` Paolo Bonzini
2014-07-07 10:29 ` David Drysdale
2014-07-07 10:29 ` [Qemu-devel] " David Drysdale
2014-07-07 12:20 ` Paolo Bonzini
2014-07-07 12:20 ` [Qemu-devel] " Paolo Bonzini
2014-07-07 14:11 ` David Drysdale
2014-07-07 14:11 ` [Qemu-devel] " David Drysdale
2014-07-07 14:11 ` David Drysdale
2014-07-07 22:33 ` Alexei Starovoitov
2014-07-07 22:33 ` [Qemu-devel] " Alexei Starovoitov
2014-07-07 22:33 ` Alexei Starovoitov
2014-07-08 14:58 ` Kees Cook
2014-07-08 14:58 ` [Qemu-devel] " Kees Cook
2014-07-08 14:58 ` Kees Cook
2014-08-16 15:41 ` Pavel Machek
2014-08-16 15:41 ` [Qemu-devel] " Pavel Machek
2014-08-16 15:41 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140703183927.GA1629@google.com \
--to=drysdale@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=meredydd@senatehouse.org \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.