Re: [PATCH v3 4/4] Allow unprivileged chroot when safe

From: Vasiliy Kulikov
Date: Thu Feb 09 2012 - 04:39:47 EST

Next message: Kasatkin, Dmitry: "Re: [RFC][PATCH v1 5/9] ima: allocating iint improvements"
Previous message: Srikar Dronamraju: "Re: [PATCH v10 take 3 3.3-rc2 1/9] uprobes: Install and removebreakpoints."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jan 30, 2012 at 14:51 -0800, Andy Lutomirski wrote:
> That's neat! CLONE_NEWPID might be safe with no_new_privs, too.
> Unprivileged CLONE_NEWPID would also be a nice, straightforward way to
> start up a process hierarchy and then reliably kill the whole thing
> when you're done with it.

It worth checking whether creating HUGE number or pid namespaces is
able to lock down the system for a significant period of time. E.g.
triggering thousands of pid_ns enumeration under a spinlock.

The same with every "enable this privileged feature to unprivileged
users under certain circumstances" step.

Thanks,

--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Kasatkin, Dmitry: "Re: [RFC][PATCH v1 5/9] ima: allocating iint improvements"
Previous message: Srikar Dronamraju: "Re: [PATCH v10 take 3 3.3-rc2 1/9] uprobes: Install and removebreakpoints."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]