Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

LKML Archive on lore.kernel.org
help / color / mirror / Atom feed

From: Alexey Dobriyan <adobriyan@gmail.com>
To: alban@kinvolk.io
Cc: linux-kernel@vger.kernel.org, ebiederm@xmission.com
Subject: Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible
Date: Wed, 4 Apr 2018 20:45:09 +0300	[thread overview]
Message-ID: <20180404174509.GA2540@avx2> (raw)

> Instead, it introduces new options in proc to disable some proc entries (TBD).

No, no, no, no.

Blacklists are bad, mmkay.

The reason is that quite dangerous new /proc entries get added
(think /proc/kpageflags) and suddenly they are enabled inside container.

> The granularity does not need to be per proc entry.

I think it does. Grouping always becomes either too fine or too coarse.

> Granularity can be improved later if use cases exist.

Granularity can not be tightened as it may break existing users.
So new granularity options are going to be invented until finally it is
per file.

>	"maskedPaths": [
>		"/proc/kcore",
>		"/proc/latency_stats",
>		"/proc/timer_list",
>		"/proc/timer_stats",
>		"/proc/sched_debug",
>		"/sys/firmware",
>		"/proc/scsi"
>	],

Just say no to drugs.

> /proc/kcore

As a side note:
/proc/kcore should be more or less safe because it is under CAP_SYS_RAWIO.

next             reply	other threads:[~2018-04-04 17:45 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-04 17:45 Alexey Dobriyan [this message]
  -- strict thread matches above, loose matches on Subject: below --
2018-04-04 17:49 Alexey Dobriyan
2018-04-04 23:59 ` Eric W. Biederman
2018-04-04 11:53 Alban Crequy
2018-04-04 14:45 ` Eric W. Biederman
2018-04-04 15:34   ` Aleksa Sarai
2018-04-04 18:42   ` Serge E. Hallyn
2018-04-04 22:02     ` Eric W. Biederman
2018-04-05 14:19   ` Christian Brauner
2018-04-13 22:41   ` Djalal Harouni
2018-04-16 14:16     ` Alexey Gladkov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180404174509.GA2540@avx2 \
    --to=adobriyan@gmail.com \
    --cc=alban@kinvolk.io \
    --cc=ebiederm@xmission.com \
    --cc=linux-kernel@vger.kernel.org \
    --subject='Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).