Re: [PATCH v3 bpf-next 02/21] bpf: Sysctl hook

From: Kees Cook
Date: Tue Apr 09 2019 - 12:54:39 EST


On Fri, Apr 5, 2019 at 12:36 PM Andrey Ignatov <rdna@xxxxxx> wrote:
> Containerized applications may run as root and it may create problems
> for the whole host. Specifically such applications may change a sysctl and
> affect applications in other containers.
>
> Furthermore in existing infrastructure it may not be possible to just
> completely disable writing to sysctl, instead such a process should be
> gradual with ability to log what sysctls are being changed by a
> container, investigate, limit the set of writable sysctls to currently
> used ones (so that new ones cannot be changed) and eventually reduce
> this set to zero.

Actual-root-in-a-container is pretty powerful. What about module
loading, or /dev files? Instead of sysctl-specific hooks, what about
VFS hooks, which would be able to cover all file-based APIs? This is
what, for example, Landlock was working on doing (also with eBPF).

--
Kees Cook