Re: [RFC] capabilities: add capability cgroup controller

On 06/23/16 05:59, Kees Cook wrote: > On Wed, Jun 22, 2016 at 5:01 PM, Serge E. Hallyn wrote: >> Quoting Kees Cook (keesc...@chromium.org): >>> On Wed, Jun 22, 2016 at 11:17 AM, Serge E. Hallyn wrote: Quoting Topi Miettinen (toiwo...@gmail.com): > On

Re: [RFC] capabilities: add capability cgroup controller

On 06/23/16 05:59, Kees Cook wrote: > On Wed, Jun 22, 2016 at 5:01 PM, Serge E. Hallyn wrote: >> Quoting Kees Cook (keesc...@chromium.org): >>> On Wed, Jun 22, 2016 at 11:17 AM, Serge E. Hallyn wrote: Quoting Topi Miettinen (toiwo...@gmail.com): > On 06/22/16 17:14, Serge E. Hallyn

Re: [RFC] capabilities: add capability cgroup controller

On Wed, Jun 22, 2016 at 5:01 PM, Serge E. Hallyn wrote: > Quoting Kees Cook (keesc...@chromium.org): >> On Wed, Jun 22, 2016 at 11:17 AM, Serge E. Hallyn wrote: >> > Quoting Topi Miettinen (toiwo...@gmail.com): >> >> On 06/22/16 17:14, Serge E. Hallyn wrote:

Re: [RFC] capabilities: add capability cgroup controller

On Wed, Jun 22, 2016 at 5:01 PM, Serge E. Hallyn wrote: > Quoting Kees Cook (keesc...@chromium.org): >> On Wed, Jun 22, 2016 at 11:17 AM, Serge E. Hallyn wrote: >> > Quoting Topi Miettinen (toiwo...@gmail.com): >> >> On 06/22/16 17:14, Serge E. Hallyn wrote: >> >> > Quoting Topi Miettinen

Re: [RFC] capabilities: add capability cgroup controller

Quoting Kees Cook (keesc...@chromium.org): > On Wed, Jun 22, 2016 at 11:17 AM, Serge E. Hallyn wrote: > > Quoting Topi Miettinen (toiwo...@gmail.com): > >> On 06/22/16 17:14, Serge E. Hallyn wrote: > >> > Quoting Topi Miettinen (toiwo...@gmail.com): > >> >> On 06/21/16 15:45,

Re: [RFC] capabilities: add capability cgroup controller

Quoting Kees Cook (keesc...@chromium.org): > On Wed, Jun 22, 2016 at 11:17 AM, Serge E. Hallyn wrote: > > Quoting Topi Miettinen (toiwo...@gmail.com): > >> On 06/22/16 17:14, Serge E. Hallyn wrote: > >> > Quoting Topi Miettinen (toiwo...@gmail.com): > >> >> On 06/21/16 15:45, Serge E. Hallyn

Re: [RFC] capabilities: add capability cgroup controller

On Wed, Jun 22, 2016 at 11:17 AM, Serge E. Hallyn wrote: > Quoting Topi Miettinen (toiwo...@gmail.com): >> On 06/22/16 17:14, Serge E. Hallyn wrote: >> > Quoting Topi Miettinen (toiwo...@gmail.com): >> >> On 06/21/16 15:45, Serge E. Hallyn wrote: >> >>> Quoting Topi Miettinen

Re: [RFC] capabilities: add capability cgroup controller

On Wed, Jun 22, 2016 at 11:17 AM, Serge E. Hallyn wrote: > Quoting Topi Miettinen (toiwo...@gmail.com): >> On 06/22/16 17:14, Serge E. Hallyn wrote: >> > Quoting Topi Miettinen (toiwo...@gmail.com): >> >> On 06/21/16 15:45, Serge E. Hallyn wrote: >> >>> Quoting Topi Miettinen

Re: [RFC] capabilities: add capability cgroup controller

Quoting Topi Miettinen (toiwo...@gmail.com): > On 06/22/16 17:14, Serge E. Hallyn wrote: > > Quoting Topi Miettinen (toiwo...@gmail.com): > >> On 06/21/16 15:45, Serge E. Hallyn wrote: > >>> Quoting Topi Miettinen (toiwo...@gmail.com): > On 06/19/16 20:01, se...@hallyn.com wrote: > >

Re: [RFC] capabilities: add capability cgroup controller

Quoting Topi Miettinen (toiwo...@gmail.com): > On 06/22/16 17:14, Serge E. Hallyn wrote: > > Quoting Topi Miettinen (toiwo...@gmail.com): > >> On 06/21/16 15:45, Serge E. Hallyn wrote: > >>> Quoting Topi Miettinen (toiwo...@gmail.com): > On 06/19/16 20:01, se...@hallyn.com wrote: > >

Re: [RFC] capabilities: add capability cgroup controller

On 06/22/16 17:14, Serge E. Hallyn wrote: > Quoting Topi Miettinen (toiwo...@gmail.com): >> On 06/21/16 15:45, Serge E. Hallyn wrote: >>> Quoting Topi Miettinen (toiwo...@gmail.com): On 06/19/16 20:01, se...@hallyn.com wrote: > apologies for top posting, this phone doesn't support inline)

Re: [RFC] capabilities: add capability cgroup controller

On 06/22/16 17:14, Serge E. Hallyn wrote: > Quoting Topi Miettinen (toiwo...@gmail.com): >> On 06/21/16 15:45, Serge E. Hallyn wrote: >>> Quoting Topi Miettinen (toiwo...@gmail.com): On 06/19/16 20:01, se...@hallyn.com wrote: > apologies for top posting, this phone doesn't support inline)

Re: [RFC] capabilities: add capability cgroup controller

Quoting Topi Miettinen (toiwo...@gmail.com): > On 06/21/16 15:45, Serge E. Hallyn wrote: > > Quoting Topi Miettinen (toiwo...@gmail.com): > >> On 06/19/16 20:01, se...@hallyn.com wrote: > >>> apologies for top posting, this phone doesn't support inline) > >>> > >>> Where are you preventing less

Re: [RFC] capabilities: add capability cgroup controller

Quoting Topi Miettinen (toiwo...@gmail.com): > On 06/21/16 15:45, Serge E. Hallyn wrote: > > Quoting Topi Miettinen (toiwo...@gmail.com): > >> On 06/19/16 20:01, se...@hallyn.com wrote: > >>> apologies for top posting, this phone doesn't support inline) > >>> > >>> Where are you preventing less

Re: [RFC] capabilities: add capability cgroup controller

Quoting Topi Miettinen (toiwo...@gmail.com): > On 06/21/16 15:45, Serge E. Hallyn wrote: > > Quoting Topi Miettinen (toiwo...@gmail.com): > >> On 06/19/16 20:01, se...@hallyn.com wrote: > >>> apologies for top posting, this phone doesn't support inline) > >>> > >>> Where are you preventing less

Re: [RFC] capabilities: add capability cgroup controller

Quoting Topi Miettinen (toiwo...@gmail.com): > On 06/21/16 15:45, Serge E. Hallyn wrote: > > Quoting Topi Miettinen (toiwo...@gmail.com): > >> On 06/19/16 20:01, se...@hallyn.com wrote: > >>> apologies for top posting, this phone doesn't support inline) > >>> > >>> Where are you preventing less

Re: [RFC] capabilities: add capability cgroup controller

On 06/21/16 15:45, Serge E. Hallyn wrote: > Quoting Topi Miettinen (toiwo...@gmail.com): >> On 06/19/16 20:01, se...@hallyn.com wrote: >>> apologies for top posting, this phone doesn't support inline) >>> >>> Where are you preventing less privileged tasks from limiting the caps of a >>> more

Re: [RFC] capabilities: add capability cgroup controller

On 06/21/16 15:45, Serge E. Hallyn wrote: > Quoting Topi Miettinen (toiwo...@gmail.com): >> On 06/19/16 20:01, se...@hallyn.com wrote: >>> apologies for top posting, this phone doesn't support inline) >>> >>> Where are you preventing less privileged tasks from limiting the caps of a >>> more

Re: [RFC] capabilities: add capability cgroup controller

Quoting Topi Miettinen (toiwo...@gmail.com): > On 06/19/16 20:01, se...@hallyn.com wrote: > > apologies for top posting, this phone doesn't support inline) > > > > Where are you preventing less privileged tasks from limiting the caps of a > > more privileged task? It looks like you are relying

Re: [RFC] capabilities: add capability cgroup controller

Quoting Topi Miettinen (toiwo...@gmail.com): > On 06/19/16 20:01, se...@hallyn.com wrote: > > apologies for top posting, this phone doesn't support inline) > > > > Where are you preventing less privileged tasks from limiting the caps of a > > more privileged task? It looks like you are relying

Re: [RFC] capabilities: add capability cgroup controller

On 06/19/16 20:01, se...@hallyn.com wrote: > apologies for top posting, this phone doesn't support inline) > > Where are you preventing less privileged tasks from limiting the caps of a > more privileged task? It looks like you are relying on the cgroupfs for that? I didn't think that aspect.

Re: [RFC] capabilities: add capability cgroup controller

On 06/19/16 20:01, se...@hallyn.com wrote: > apologies for top posting, this phone doesn't support inline) > > Where are you preventing less privileged tasks from limiting the caps of a > more privileged task? It looks like you are relying on the cgroupfs for that? I didn't think that aspect.

Re: [RFC] capabilities: add capability cgroup controller

apologies for top posting, this phone doesn't support inline) Where are you preventing less privileged tasks from limiting the caps of a more privileged task? It looks like you are relying on the cgroupfs for that? Overall I'm not a fan of this for several reasons. Can you tell us precisely

Re: [RFC] capabilities: add capability cgroup controller

apologies for top posting, this phone doesn't support inline) Where are you preventing less privileged tasks from limiting the caps of a more privileged task? It looks like you are relying on the cgroupfs for that? Overall I'm not a fan of this for several reasons. Can you tell us precisely

[RFC] capabilities: add capability cgroup controller

Add a new cgroup controller for enforcement of and monitoring of capabilities in the cgroup. Test case (boot to rdshell); BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash) Enter 'help' for a list of built-in commands. (initramfs) cd /sys/fs (initramfs) mount -t cgroup2 cgroup cgroup

[RFC] capabilities: add capability cgroup controller

Add a new cgroup controller for enforcement of and monitoring of capabilities in the cgroup. Test case (boot to rdshell); BusyBox v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash) Enter 'help' for a list of built-in commands. (initramfs) cd /sys/fs (initramfs) mount -t cgroup2 cgroup cgroup