Re: (pspace,pid) vs true pid virtualization

From: Herbert Poetzl
Date: Thu Feb 16 2006 - 14:10:37 EST

Next message: Daniel Walker: "Re: [PATCH] FUTEX: one more return ."
Previous message: James Bottomley: "Re: Linux 2.6.16-rc3"
In reply to: Dave Hansen: "Re: (pspace,pid) vs true pid virtualization"
Next in thread: Dave Hansen: "Re: (pspace,pid) vs true pid virtualization"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Feb 16, 2006 at 09:41:32AM -0800, Dave Hansen wrote:
> On Thu, 2006-02-16 at 15:30 +0100, Herbert Poetzl wrote:
> > > - Should a process have some sort of global (on the machine identifier)?
> >
> > this is mandatory, as it is required to kill any process
> > from the host (admin) context, without entering the pid
> > space (which would lead to all kind of security issues)
>
> Giving admin processes the ability to enter pid spaces seems like it
> solves an entire class of problems, right?.

really depends on the situation and the setup.
let me give a few examples here (I'll assume
fully blown guests not just pid spaces here)

- guest is running some kind of resource hog,
which already reached the given guest limits

any attempt to enter the guest will fail
because the limits do not permit that

- the guest has been suspended (unscheduled)
because of some fork bomb running inside
and you want to kill off only the bomb

entering the guest would immediately stop
your process, so no way to send signals

- there is a pid killer running inside the
guest, which kills every newly created
process as soon as it is discovered

entering the guest would kill your shell

> Could you explain a bit what kinds of security issues it introduces?

well, it introduces a bunch of issues, not all
directly security related, here some of them:
(I keep them general because most of them can
be worked around by additional checks and flags)

- ptrace from inside the context could hijack
your 'admin' task and use it for all kind
of evil stuff

- entering the guest *spaces might cause some
issues with dynamic libraries

- you process would show up in task lists and
guest security tracers, which might give a
false alarm when they get aware of your kill
task

- the entire guest accounting, regarding tasks
would get messed up by the 'outside' process

In general, I prefer to think of this as working
with nuclear material via an actuator from behind
a 4" lead wall -- you just do not want to go in
to fix things :)

best,
Herbert

> -- Dave
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Daniel Walker: "Re: [PATCH] FUTEX: one more return ."
Previous message: James Bottomley: "Re: Linux 2.6.16-rc3"
In reply to: Dave Hansen: "Re: (pspace,pid) vs true pid virtualization"
Next in thread: Dave Hansen: "Re: (pspace,pid) vs true pid virtualization"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]