From: Kees Cook
Date: Tue, 9 Apr 2019 09:54:20 -0700
Subject: Re: [PATCH v3 bpf-next 02/21] bpf: Sysctl hook
To: Andrey Ignatov
Cc: Network Development, Alexei Starovoitov, Daniel Borkmann, Roman Gushchin, kernel-team, Luis Chamberlain, Alexey Dobriyan, LKML, linux-fsdevel@vger.kernel.org, Jann Horn, Mickaël Salaün
List-ID: linux-kernel@vger.kernel.org

On Fri, Apr 5, 2019 at 12:36 PM Andrey Ignatov wrote:
> Containerized applications may run as root and it may create problems
> for the whole host. Specifically, such applications may change a sysctl
> and affect applications in other containers.
>
> Furthermore, in existing infrastructure it may not be possible to just
> completely disable writing to sysctl; instead such a process should be
> gradual, with the ability to log which sysctls are being changed by a
> container, investigate, limit the set of writable sysctls to currently
> used ones (so that new ones cannot be changed) and eventually reduce
> this set to zero.

Actual-root-in-a-container is pretty powerful. What about module loading,
or /dev files? Instead of sysctl-specific hooks, what about VFS hooks,
which would be able to cover all file-based APIs? This is what, for
example, Landlock was working on doing (also with eBPF).

-- 
Kees Cook