All of lore.kernel.org
 help / color / mirror / Atom feed
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Andrew Lutomirski <luto@mit.edu>
Cc: Will Drewry <wad@chromium.org>,
	linux-kernel@vger.kernel.org, keescook@chromium.org,
	john.johansen@canonical.com, serge.hallyn@canonical.com,
	coreyb@linux.vnet.ibm.com, pmoore@redhat.com, eparis@redhat.com,
	djm@mindrot.org, segoon@openwall.com, rostedt@goodmis.org,
	jmorris@namei.org, scarybeasts@gmail.com, avi@redhat.com,
	penberg@cs.helsinki.fi, viro@zeniv.linux.org.uk, mingo@elte.hu,
	akpm@linux-foundation.org, khilman@ti.com,
	borislav.petkov@amd.com, amwang@redhat.com, oleg@redhat.com,
	ak@linux.intel.com, eric.dumazet@gmail.com, gregkh@suse.de,
	dhowells@redhat.com, daniel.lezcano@free.fr,
	linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org, olofj@chromium.org,
	mhalcrow@google.com, dlaor@redhat.com, corbet@lwn.net,
	alan@lxorguk.ukuu.org.uk
Subject: Re: [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch
Date: Thu, 12 Jan 2012 17:17:31 -0800	[thread overview]
Message-ID: <CA+55aFxSgYFp1psum3amgqqsT-rrvGd1T8BXJSA-mgd1EdHrwg@mail.gmail.com> (raw)
In-Reply-To: <CAObL_7F8aYPDQ1xTFjOxWgoZfrtGNFVgMe2Ld61_=D+YY427qA@mail.gmail.com>

On Thu, Jan 12, 2012 at 5:11 PM, Andrew Lutomirski <luto@mit.edu> wrote:
>
> What if you're a daemon that needs something like CAP_NET_BIND but
> also wants to be able to run other helpers without CAP_NET_BIND?
>
> (Also, preventing dropping of privileges will probably make a patch
> more complicted -- I'll have to find and update all the places that
> allow dropping privileges.)

Hey, if it actually makes it more complicated to say "don't change
privileges", then I guess my argument that it should be simpler is
wrong.

That said, the thing you bring up is *not* the actual use-case for the
suggestion. The use-case is a "run untrusted code". So the use-case
would be to set the flag after you've dropped CAP_NET_BIND, and
*before* you actually run the other helpers. You clearly must have a
fork() or something like that there, since you want to keep the
NET_BIND in the original daemon.

So I don't t think your example is actually the expected situation.
The obvious approach for your example is
 - run deamon with CAP_NET_BIND
 - per connection, fork, drop privileges in child, then set
"restricted" flag, and run the untrusted code.

(where the restricted mode setting may well obviously also do other
things - like limit allowed system calls etc)

                      Linus

  reply	other threads:[~2012-01-13  1:17 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-01-12 23:38 [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch Will Drewry
2012-01-12 23:38 ` [PATCH v3 2/3] seccomp_filters: system call filtering using BPF Will Drewry
2012-01-13  0:51   ` Randy Dunlap
2012-01-12 23:59     ` Will Drewry
2012-01-12 23:59       ` Will Drewry
2012-01-13  1:35       ` Randy Dunlap
2012-01-13 17:39   ` Eric Paris
2012-01-13 18:50     ` Will Drewry
2012-01-13 18:50       ` Will Drewry
2012-01-12 23:38 ` [PATCH v3 3/3] Documentation: prctl/seccomp_filter Will Drewry
2012-01-15  1:52   ` Randy Dunlap
2012-01-16  1:41     ` Will Drewry
2012-01-17 23:29   ` Eric Paris
2012-01-17 23:29     ` Eric Paris
2012-01-17 23:54     ` Will Drewry
2012-01-12 23:47 ` [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch Linus Torvalds
2012-01-13  0:03   ` Will Drewry
2012-01-13  0:42   ` Andrew Lutomirski
2012-01-13  0:57     ` Linus Torvalds
2012-01-13  0:57       ` Linus Torvalds
2012-01-13  1:11       ` Andrew Lutomirski
2012-01-13  1:11         ` Andrew Lutomirski
2012-01-13  1:17         ` Linus Torvalds [this message]
2012-01-14 13:30           ` Jamie Lokier
2012-01-14 19:21             ` Will Drewry
2012-01-14 19:21               ` Will Drewry
2012-01-14 20:22             ` Linus Torvalds
2012-01-14 21:04               ` Andrew Lutomirski
2012-01-15 20:16               ` Casey Schaufler
2012-01-15 20:59                 ` Andrew Lutomirski
2012-01-15 21:32                   ` Casey Schaufler
2012-01-15 21:32                     ` Casey Schaufler
2012-01-15 22:07                     ` Andrew Lutomirski
2012-01-16  2:04                       ` Will Drewry
2012-01-16  2:04                         ` Will Drewry
2012-01-18  3:12                         ` Eric W. Biederman
2012-01-18  3:12                           ` Eric W. Biederman
2012-01-16  2:41                       ` Casey Schaufler
2012-01-16  2:41                         ` Casey Schaufler
2012-01-16  7:45                         ` Andrew Lutomirski
2012-01-16 18:02                           ` Casey Schaufler
2012-01-16 18:02                             ` Casey Schaufler
2012-01-13  1:37         ` Will Drewry
2012-01-13  1:41           ` Andrew Lutomirski
2012-01-13  1:41             ` Andrew Lutomirski
2012-01-13  2:09             ` Kees Cook
2012-01-13  2:09               ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CA+55aFxSgYFp1psum3amgqqsT-rrvGd1T8BXJSA-mgd1EdHrwg@mail.gmail.com \
    --to=torvalds@linux-foundation.org \
    --cc=ak@linux.intel.com \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=amwang@redhat.com \
    --cc=avi@redhat.com \
    --cc=borislav.petkov@amd.com \
    --cc=corbet@lwn.net \
    --cc=coreyb@linux.vnet.ibm.com \
    --cc=daniel.lezcano@free.fr \
    --cc=dhowells@redhat.com \
    --cc=djm@mindrot.org \
    --cc=dlaor@redhat.com \
    --cc=eparis@redhat.com \
    --cc=eric.dumazet@gmail.com \
    --cc=gregkh@suse.de \
    --cc=jmorris@namei.org \
    --cc=john.johansen@canonical.com \
    --cc=keescook@chromium.org \
    --cc=khilman@ti.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@mit.edu \
    --cc=mhalcrow@google.com \
    --cc=mingo@elte.hu \
    --cc=oleg@redhat.com \
    --cc=olofj@chromium.org \
    --cc=penberg@cs.helsinki.fi \
    --cc=pmoore@redhat.com \
    --cc=rostedt@goodmis.org \
    --cc=scarybeasts@gmail.com \
    --cc=segoon@openwall.com \
    --cc=serge.hallyn@canonical.com \
    --cc=viro@zeniv.linux.org.uk \
    --cc=wad@chromium.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.