Re: RFC: disablenetwork facility. (v4)

From: Serge E. Hallyn
Date: Wed Dec 30 2009 - 13:00:52 EST

Next message: Miguel BotÃn: "Re: BFS v0.313 CPU scheduler for 2.6.32"
Previous message: Ingo Molnar: "Re: [PATCH 0/3][GIT PULL][v2.6.33] tracing: various fixes"
In reply to: Eric W. Biederman: "Re: RFC: disablenetwork facility. (v4)"
Next in thread: Eric W. Biederman: "Re: RFC: disablenetwork facility. (v4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> "Serge E. Hallyn" <serue@xxxxxxxxxx> writes:
>
> >> In common cap we drop the new capabilities if we are being ptraced.
> >> Look for brm->unsafe.
> >
> > Yes - that isn't the issue.
>
> Right. Sorry. I saw that we set unsafe and totally
> missed that we don't act on it in that case.
>
> > It goes back to finding a way to figure out what is inside the
> > file when the installer obviously thought we shouldn't be able
> > to read the file.
> >
> > Do we care? <shrug>
>
> <shrug>
>
> I expect two lines of testing bprm->unsafe and failing
> at the right point would solve that.

But what is the right response? Prevent excecution? Stop the
tracer? Enter some one-shot mode where the whole exec appears
as one step, but tracing continues if execution continues on a
dumpable file?

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Miguel BotÃn: "Re: BFS v0.313 CPU scheduler for 2.6.32"
Previous message: Ingo Molnar: "Re: [PATCH 0/3][GIT PULL][v2.6.33] tracing: various fixes"
In reply to: Eric W. Biederman: "Re: RFC: disablenetwork facility. (v4)"
Next in thread: Eric W. Biederman: "Re: RFC: disablenetwork facility. (v4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]