Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261950AbVEXSQe (ORCPT ); Tue, 24 May 2005 14:16:34 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261946AbVEXSQe (ORCPT ); Tue, 24 May 2005 14:16:34 -0400 Received: from mail.shareable.org ([81.29.64.88]:55515 "EHLO mail.shareable.org") by vger.kernel.org with ESMTP id S261425AbVEXSQW (ORCPT ); Tue, 24 May 2005 14:16:22 -0400 Date: Tue, 24 May 2005 19:15:54 +0100 From: Jamie Lokier To: Mike Waychison Cc: Miklos Szeredi , linuxram@us.ibm.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, akpm@osdl.org, viro@parcelfarce.linux.theplanet.co.uk Subject: Re: [RFC][PATCH] rbind across namespaces Message-ID: <20050524181554.GA13760@mail.shareable.org> References: <1116660380.4397.66.camel@localhost> <20050521134615.GB4274@mail.shareable.org> <429277CA.9050300@google.com> <4292D416.5070001@waychison.com> <4293612F.3000708@google.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4293612F.3000708@google.com> User-Agent: Mutt/1.4.1i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1575 Lines: 38 Mike Waychison wrote: > >No need to hijack, it's already done. Removing calls to > >proc_check_root() will allow access to different namespaces detached > >mounts, etc. It's been tried and actually works. > > See previous message as why we don't want to allow this. If you can ptrace any process which is in another namespace, then you _effectively_ have full access to that namespace. It's quite easy to do, and negates the supposed security of namespaces. Because of that, there's _no_ real security benefit from denying access to /proc/NNN/fd/ if you are able to ptrace task NNN. What I think makes sense is this: 1. Deny access to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root if task NNN cannot be ptraced. 3. Allow entry to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root if ptrace is allowed; the namespace being irrelevant. 3. Use _exactly_ the same condition as for ptracing, i.e. MAY_PTRACE in fs/proc/base.c. Ensure that condition is consistent with the tests in kernel/ptrace.c, possibly putting the condition in a common header file to keep it consistent in future. 4. If further restrictions are desired, to make namespaces more strict, those should be implemented by further restrictions on which tasks are allowed to ptrace other tasks. -- Jamie - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/