linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Alexey Dobriyan <adobriyan@gmail.com>
To: Oren Laadan <orenl@cs.columbia.edu>
Cc: Dave Hansen <dave@linux.vnet.ibm.com>,
	akpm@linux-foundation.org, containers@lists.linux-foundation.org,
	xemul@parallels.com, serue@us.ibm.com, mingo@elte.hu,
	hch@infradead.org, torvalds@linux-foundation.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 00/30] C/R OpenVZ/Virtuozzo style
Date: Wed, 15 Apr 2009 00:49:12 +0400	[thread overview]
Message-ID: <20090414204912.GA28458@x200.localdomain> (raw)
In-Reply-To: <49E4D115.5080601@cs.columbia.edu>

> >>> * not having CAP_SYS_ADMIN on restart(2)
> >> Surely you have read already on the containers mailing list that
> >> for the *time being* we attempt to get as far as possible without
> >> requiring root privileges, to identify security hot-spots.
> > 
> > More or less everything is hotspot.
> 
> Going back to my example of a subtree above: what sort of security
> issues you would have here, assuming all restart operations go via
> the usual security checks just like syscalls, and we take special
> care about values we allow as input, e.g. cpu debug registers etc ?

This is like asking if everything goes through correct security checks
how will you screw something up. Everything won't go via usual security
checks.

Just for giggles, writing exploit for localhost hole becomes easier --
you very effectively turn off all randomization kernel does because VMA
boundaries comes from disk.

> BTW, the checks for cpu registers and other values for sanity is
> needed anyway to ensure that the kernel freak out if wrong input
> is fed (maliciously or by mistake).

Out of head, mucking with registers of setuid program is no-no.
As well as mucking with dirty data of setuid program.

Capabilities will come from disk.

Many EPERM checks are suspect.

do_arch_prctl(ARCH_SET_GS) has TASK_SIZE check, do you?

> >> And surely you have read there the observation that for the general
> >> case root privileges will probably be inevitable.
> >>
> >> And surely you don't seriously think that adding this check changes
> >> the "design"...
> > 
> > This is not about design now, this is about if you allow restart(2) for
> > everyone, you open kernel to very very high number of holes of all
> > types. I wrote about it in reply to your code.
> > 
> 
> And there are many examples where this is not the case. The current
> patchset (v14-rc3), for example, to the best of my knowledge, does
> not have such issues (well, need to add checks for validity of regs
> but there is a FIXME comment :)

And such an obvious issue like segmentt RPL is fixed? :-)

  parent reply	other threads:[~2009-04-14 20:49 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-04-10  2:32 [PATCH 00/30] C/R OpenVZ/Virtuozzo style Alexey Dobriyan
2009-04-10  2:44 ` Alexey Dobriyan
2009-04-10  5:07 ` Dave Hansen
2009-04-13  9:14   ` Alexey Dobriyan
2009-04-13 11:16     ` Dave Hansen
2009-04-13 18:07     ` Dave Hansen
2009-04-14  4:26     ` Oren Laadan
2009-04-14 14:58       ` Alexey Dobriyan
2009-04-14 18:08         ` Oren Laadan
2009-04-14 18:34           ` Alexey Dobriyan
2009-04-14 19:31             ` Oren Laadan
2009-04-14 20:08               ` Alexey Dobriyan
2009-04-14 20:49           ` Alexey Dobriyan [this message]
2009-04-14 21:11             ` Dave Hansen
2009-04-14 21:39             ` Serge E. Hallyn
2009-04-15 19:21               ` CAP_SYS_ADMIN on restart(2) (was: Re: [PATCH 00/30] C/R OpenVZ/Virtuozzo style) Alexey Dobriyan
2009-04-15 20:22                 ` Serge E. Hallyn
2009-04-15 20:23                 ` Dave Hansen
2009-04-15 20:39                   ` Serge E. Hallyn
2009-04-15 21:05                     ` CAP_SYS_ADMIN on restart(2) Oren Laadan
2009-04-15 21:16                       ` Serge E. Hallyn
2009-04-16 15:35                         ` Alexey Dobriyan
2009-04-16 16:29                           ` Serge E. Hallyn
2009-04-10  8:28 ` [PATCH 00/30] C/R OpenVZ/Virtuozzo style Ingo Molnar
2009-04-10 11:45   ` Alexey Dobriyan
2009-04-10 15:06 ` Linus Torvalds
2009-04-13  7:39   ` Alexey Dobriyan
2009-04-13 18:39     ` Linus Torvalds
2009-04-13 19:30       ` Ingo Molnar
2009-04-14 12:29       ` Alexey Dobriyan
2009-04-14 13:44         ` Ingo Molnar
2009-04-14 16:53           ` Alexey Dobriyan
2009-04-14 17:09         ` Linus Torvalds
2009-04-14 17:19           ` Randy Dunlap
2009-04-14 17:32             ` Linus Torvalds
2009-04-14  5:46 ` Oren Laadan
2009-04-14 15:19   ` Alexey Dobriyan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090414204912.GA28458@x200.localdomain \
    --to=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=containers@lists.linux-foundation.org \
    --cc=dave@linux.vnet.ibm.com \
    --cc=hch@infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=orenl@cs.columbia.edu \
    --cc=serue@us.ibm.com \
    --cc=torvalds@linux-foundation.org \
    --cc=xemul@parallels.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).