From: Sargun Dhillon <email@example.com>
To: Tycho Andersen <firstname.lastname@example.org>
Cc: LKML <email@example.com>, Linux Containers <firstname.lastname@example.org>, Linux API <email@example.com>
Subject: Re: [RFC PATCH] ptrace: add PTRACE_GETFD request
Date: Fri, 6 Dec 2019 11:03:08 -0800
Message-ID: <CAMp4zn-Ni-nHrQgn34jV6gzanTiF+wxPrr_zqM47McZQ8TKa5w@mail.gmail.com>
In-Reply-To: <20191206141045.GA22803@cisco>

On Fri, Dec 6, 2019 at 6:10 AM Tycho Andersen <firstname.lastname@example.org> wrote:
>
> On Thu, Dec 05, 2019 at 11:44:53PM +0000, Sargun Dhillon wrote:
> > PTRACE_GETFD is a generic ptrace API that allows the tracer to
> > get file descriptors from the tracee.
> >
> > The primary reason to use this syscall is to allow sandboxers to
>
> I might change this to "one motivation to use this ptrace command",
> because I'm sure people will invent other crazy uses soon after it's
> added :)
>

Another use-case that's come up has been transparent proxy for service
meshes. Rather than doing intercept at L4 (iptables), or DNS, just
rewriting the connect is nicer. A side benefit is that getpeername
still works.

> > take action on an FD on behalf of the tracee. For example, this
> > can be combined with seccomp's user notification feature to extract
> > a file descriptor and call privileged syscalls, like binding
> > a socket to a privileged port.
>
> This can already be accomplished via injecting parasite code like CRIU
> does; adding a ptrace() command like this makes it much nicer to be
> sure, but it is redundant.
>
> Tycho

How can you do this if the tracee doesn't have privilege? For example,
if the tracee doesn't have CAP_SYS_BIND_SERVICE, how could you get it
to bind to a port that's privileged without taking the file descriptor
and doing it in a process that does have CAP_SYS_BIND_SERVICE?

The other aspect is that doing the parasitic code thing is kind of
slow, in that it requires quite a few operations.
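The flow Sargun describes above (seccomp user notification traps bind(2), the supervisor takes the tracee's socket, binds the privileged port with its own capability and hands the result back), as an added example. This is not code from the thread, the patch or any project; it is an illustration written for this page. The PTRACE_GETFD request proposed in the thread did not merge in that form, so the example uses pidfd_getfd(2) (Linux 5.6) as a stand-in for "take the fd out of the tracee"; that substitution, the choice of port 443 on loopback, uid 65534 for the dropped-privilege tracee, and the name needs_supervisor for the policy check are all assumptions of this example. It assumes Linux 5.6 or later headers, a supervisor running with CAP_NET_BIND_SERVICE and ptrace access to its child, and only handles AF_INET addresses.

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434  /* Linux 5.3 */
#endif
#ifndef SYS_pidfd_getfd
#define SYS_pidfd_getfd 438 /* Linux 5.6; stands in for the proposed PTRACE_GETFD (assumption) */
#endif
#ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
#define SECCOMP_USER_NOTIF_FLAG_CONTINUE (1UL << 0) /* Linux 5.5 */
#endif

/* Policy (example name): ports 1-1023 need CAP_NET_BIND_SERVICE, which the sandboxed tracee lacks. */
int needs_supervisor(unsigned int port) { return port != 0 && port < 1024; }

/* Filter: trap bind(2) into the user-notification listener, allow everything else.
 * (A production filter must also check seccomp_data.arch.) Returns the instruction count. */
size_t build_bind_filter(struct sock_filter *out, size_t max) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_bind, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof prog / sizeof prog[0];
    if (n > max) return 0; /* caller's buffer too small */
    memcpy(out, prog, sizeof prog);
    return n;
}

/* Supervisor: answer one bind(2) notification from listener `lfd`.
 * Returns 0 once the tracee has its reply, -errno on a supervisor-side failure. */
int supervise_one(int lfd) {
    struct seccomp_notif_sizes sz;
    if (syscall(SYS_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sz) < 0) return -errno;
    struct seccomp_notif *req = calloc(1, sz.seccomp_notif);
    struct seccomp_notif_resp *resp = calloc(1, sz.seccomp_notif_resp);
    if (!req || !resp || ioctl(lfd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0) {
        free(req); free(resp); return -errno;
    }
    resp->id = req->id;
    /* Copy the sockaddr (args[1], length args[2]) out of the tracee before inspecting it,
     * so the tracee cannot swap the port between our check and our bind(). */
    struct sockaddr_in sin;
    struct iovec local = { &sin, sizeof sin };
    struct iovec remote = { (void *)(unsigned long)req->data.args[1], req->data.args[2] };
    int have_addr = req->data.args[2] == sizeof sin &&
        syscall(SYS_process_vm_readv, req->pid, &local, 1, &remote, 1, 0) == (long)sizeof sin &&
        sin.sin_family == AF_INET;
    if (!have_addr || !needs_supervisor(ntohs(sin.sin_port))) {
        resp->flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE; /* nothing privileged: kernel runs it */
    } else {
        /* Pull the tracee's socket into this process and bind it with our capability. */
        int pidfd = syscall(SYS_pidfd_open, req->pid, 0);
        int sock = pidfd < 0 ? -1 : (int)syscall(SYS_pidfd_getfd, pidfd, (int)req->data.args[0], 0);
        /* pid-reuse check: if the tracee died after RECV, its id is invalid and `sock`
         * may come from an unrelated process that recycled the pid, so fail closed. */
        if (sock < 0 || ioctl(lfd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req->id) < 0)
            resp->error = -EPERM;
        else if (bind(sock, (struct sockaddr *)&sin, sizeof sin) < 0)
            resp->error = -errno;
        if (sock >= 0) close(sock); if (pidfd >= 0) close(pidfd);
    }
    int rc = ioctl(lfd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0 ? -errno : 0;
    free(req); free(resp); return rc;
}

int main(void) {
    int pfd[2], child_lfd, status;
    if (pipe(pfd) < 0) return 1;
    pid_t child = fork();
    if (child == 0) { /* tracee: drop privilege, install filter, publish listener fd, bind 443 */
        if (getuid() == 0 && (setgid(65534) < 0 || setuid(65534) < 0)) _exit(2);
        struct sock_filter insns[16];
        struct sock_fprog prog = { (unsigned short)build_bind_filter(insns, 16), insns };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) _exit(2);
        int lfd = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
        if (lfd < 0 || write(pfd[1], &lfd, sizeof lfd) != sizeof lfd) _exit(2);
        struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(443),
                                 .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
        _exit(bind(socket(AF_INET, SOCK_STREAM, 0), (struct sockaddr *)&a, sizeof a) ? 3 : 0);
    }
    /* supervisor: take the listener fd out of the child the same way, then serve its request */
    if (read(pfd[0], &child_lfd, sizeof child_lfd) != sizeof child_lfd) return 1;
    int lfd = syscall(SYS_pidfd_getfd, syscall(SYS_pidfd_open, child, 0), child_lfd, 0);
    if (lfd < 0) { perror("pidfd_getfd"); return 1; }
    if (supervise_one(lfd) < 0) perror("supervise_one");
    waitpid(child, &status, 0);
    return WEXITSTATUS(status); /* 0: the unprivileged tracee now holds a socket bound to 443 */
}
```

Build with gcc -Wall and run as root: an exit status of 0 means the child, running as uid 65534 without CAP_NET_BIND_SERVICE, ended up with a socket bound to port 443 because the supervisor did the bind on its fd. Two ordering details matter for safety: the sockaddr is copied out of the tracee once and both the policy check and the bind() use that copy, and SECCOMP_IOCTL_NOTIF_ID_VALID is consulted after pidfd_getfd so that an fd fetched from a recycled pid is never bound with the supervisor's privilege. Unprivileged requests are handed back with SECCOMP_USER_NOTIF_FLAG_CONTINUE so the supervisor never touches what the kernel would allow the tracee to do on its own.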
Thread overview (11 messages):
2019-12-05 23:44 Sargun Dhillon (top)
2019-12-06  2:38 ` Jann Horn
2019-12-06  6:16 ` Sargun Dhillon
2019-12-06  6:52 ` Aleksa Sarai
2019-12-06  8:25 ` Christian Brauner
2019-12-06 12:23 ` Oleg Nesterov
2019-12-06 14:10 ` Tycho Andersen
2019-12-06 19:03 ` Sargun Dhillon [this message]
2019-12-06 19:05 ` Jann Horn
2019-12-06 19:05 ` Jann Horn
2019-12-06 20:45 ` Andy Lutomirski