Re: [RFC][PATCH] rbind across namespaces

From: Jamie Lokier
Date: Tue May 24 2005 - 16:52:37 EST


Mike Waychison wrote:
> > 1. Deny access to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
> > if task NNN cannot be ptraced.
> >
> > 2. Allow entry to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
> > if ptrace is allowed; the namespace being irrelevant.
> >
> > 3. Use _exactly_ the same condition as for ptracing,
> > i.e. MAY_PTRACE in fs/proc/base.c. Ensure that condition is
> > consistent with the tests in kernel/ptrace.c, possibly putting
> > the condition in a common header file to keep it consistent in
> > future.
> >
> > 4. If further restrictions are desired, to make namespaces more
> > strict, those should be implemented by further restrictions on
> > which tasks are allowed to ptrace other tasks.
> >
>
> Indeed. A combination of MAY_PTRACE ||ed with a check against current
> sounds reasonable to me.

Note that MAY_PTRACE already includes a check against current.

-- Jamie
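A small model of the arrangement the quoted list proposes, one predicate shared by the /proc entry check and the ptrace check, and of Jamie's point that such a predicate already covers the current task. This is an added example for this thread, not code from the kernel or from either poster: the task fields, the credential rule inside may_ptrace_model() and the sample tasks are constructed and simplified, and are not the real MAY_PTRACE macro or the tests in kernel/ptrace.c.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the credentials a permission check looks at. */
struct task {
    const char *comm;
    unsigned uid, euid, gid, egid;
    bool dumpable;        /* cleared when the task gained privilege, e.g. setuid exec */
    bool cap_sys_ptrace;  /* may inspect anyone */
};

/*
 * The single shared predicate, the analogue of the "common header" in the
 * proposal. Both callers below consult it, so they cannot drift apart.
 * The rule itself is a simplification: same task, or a privileged caller,
 * or matching real and effective ids on a dumpable target.
 */
static bool may_ptrace_model(const struct task *cur, const struct task *target)
{
    if (cur == target)          /* the check against current is built in */
        return true;
    if (cur->cap_sys_ptrace)
        return true;
    if (cur->uid != target->uid || cur->uid != target->euid ||
        cur->gid != target->gid || cur->gid != target->egid)
        return false;           /* target runs with ids the caller does not hold */
    return target->dumpable;
}

/* Caller 1: entering /proc/NNN/fd, /proc/NNN/cwd or /proc/NNN/root. */
static bool proc_fd_access_allowed(const struct task *cur, const struct task *target)
{
    return may_ptrace_model(cur, target);
}

/* Caller 2: attaching a tracer. Self-attach is refused on top of the shared rule. */
static bool ptrace_attach_allowed(const struct task *cur, const struct task *target)
{
    if (cur == target)
        return false;
    return may_ptrace_model(cur, target);
}

/* Constructed sample tasks (uid 1000 is "alice", 1001 is "bob"). */
static const struct task alice_shell  = { "bash",   1000, 1000, 1000, 1000, true,  false };
static const struct task alice_editor = { "vim",    1000, 1000, 1000, 1000, true,  false };
static const struct task alice_setuid = { "passwd", 1000,    0, 1000, 1000, false, false };
static const struct task bob_shell    = { "bash",   1001, 1001, 1001, 1001, true,  false };
static const struct task root_gdb     = { "gdb",       0,    0,    0,    0, true,  true  };

static const struct task *all_tasks[] = {
    &alice_shell, &alice_editor, &alice_setuid, &bob_shell, &root_gdb
};

/* The consistency property the proposal is after: for any two distinct
 * tasks, the /proc decision and the ptrace decision are the same. */
static bool checks_agree(void)
{
    size_t n = sizeof all_tasks / sizeof all_tasks[0];
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            if (i == j)
                continue;
            if (proc_fd_access_allowed(all_tasks[i], all_tasks[j]) !=
                ptrace_attach_allowed(all_tasks[i], all_tasks[j]))
                return false;
        }
    return true;
}

int main(void)
{
    size_t n = sizeof all_tasks / sizeof all_tasks[0];
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            printf("%-6s -> %-6s  /proc:%d  ptrace:%d\n",
                   all_tasks[i]->comm, all_tasks[j]->comm,
                   proc_fd_access_allowed(all_tasks[i], all_tasks[j]),
                   ptrace_attach_allowed(all_tasks[i], all_tasks[j]));
    printf("checks agree on every distinct pair: %s\n", checks_agree() ? "yes" : "no");
    return 0;
}
```

The only place the two callers differ is the task's own /proc/self-style entries, which the ptrace path refuses and the /proc path allows; the shared predicate already handles that case, which is why OR-ing an extra "is this current" test onto it changes nothing.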