Re: [RFC][PATCH] rbind across namespaces

[Mike Waychison]

Jamie Lokier wrote:
> Mike Waychison wrote:
>
> > > No need to hijack, it's already done.  Removing calls to
> > > proc_check_root() will allow access to different namespaces detached
> > > mounts, etc.  It's been tried and actually works.
> >
> > See previous message as why we don't want to allow this.
>
>
> If you can ptrace any process which is in another namespace, then you
> _effectively_ have full access to that namespace.  It's quite easy to
> do, and negates the supposed security of namespaces.
>
> Because of that, there's _no_ real security benefit from denying
> access to /proc/NNN/fd/ if you are able to ptrace task NNN.
>
> What I think makes sense is this:
>
>    1. Deny access to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
>       if task NNN cannot be ptraced.
>
>    3. Allow entry to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
>       if ptrace is allowed; the namespace being irrelevant.
>
>    3. Use _exactly_ the same condition as for ptracing,
>       i.e. MAY_PTRACE in fs/proc/base.c.  Ensure that condition is
>       consistent with the tests in kernel/ptrace.c, possibly putting
>       the condition in a common header file to keep it consistent in
>       future.
>
>    4. If further restrictions are desired, to make namespaces more
>       strict, those should be implemented by further restrictions on
>       which tasks are allowed to ptrace other tasks.

Indeed.  A combination of MAY_PTRACE ||ed with a check against current 
sounds reasonable to me.

Mike Waychison
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/