Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-20 Thread Mickaël Salaün
On 20/09/2016 06:37, Sargun Dhillon wrote: > On Thu, Sep 15, 2016 at 09:41:33PM +0200, Mickaël Salaün wrote: >> >> On 15/09/2016 06:48, Alexei Starovoitov wrote: >>> On Wed, Sep 14, 2016 at 09:38:16PM -0700, Andy Lutomirski wrote: On Wed, Sep 14, 2016 at 9:31 PM, Alexei Starovoitov wrot

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-19 Thread Sargun Dhillon
On Thu, Sep 15, 2016 at 09:41:33PM +0200, Mickaël Salaün wrote: > > On 15/09/2016 06:48, Alexei Starovoitov wrote: > > On Wed, Sep 14, 2016 at 09:38:16PM -0700, Andy Lutomirski wrote: > >> On Wed, Sep 14, 2016 at 9:31 PM, Alexei Starovoitov > >> wrote: > >>> On Wed, Sep 14, 2016 at 09:08:57PM -07

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-15 Thread Mickaël Salaün
On 15/09/2016 06:48, Alexei Starovoitov wrote: > On Wed, Sep 14, 2016 at 09:38:16PM -0700, Andy Lutomirski wrote: >> On Wed, Sep 14, 2016 at 9:31 PM, Alexei Starovoitov >> wrote: >>> On Wed, Sep 14, 2016 at 09:08:57PM -0700, Andy Lutomirski wrote: On Wed, Sep 14, 2016 at 9:00 PM, Alexei Star

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-15 Thread Mickaël Salaün
On 15/09/2016 03:25, Andy Lutomirski wrote: > On Wed, Sep 14, 2016 at 3:11 PM, Mickaël Salaün wrote: >> >> On 14/09/2016 20:27, Andy Lutomirski wrote: >>> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote: Add a new flag CGRP_NO_NEW_PRIVS for each cgroup. This flag is initially se

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-14 Thread Alexei Starovoitov
On Wed, Sep 14, 2016 at 09:38:16PM -0700, Andy Lutomirski wrote: > On Wed, Sep 14, 2016 at 9:31 PM, Alexei Starovoitov > wrote: > > On Wed, Sep 14, 2016 at 09:08:57PM -0700, Andy Lutomirski wrote: > >> On Wed, Sep 14, 2016 at 9:00 PM, Alexei Starovoitov > >> wrote: > >> > On Wed, Sep 14, 2016 at

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-14 Thread Andy Lutomirski
On Wed, Sep 14, 2016 at 9:31 PM, Alexei Starovoitov wrote: > On Wed, Sep 14, 2016 at 09:08:57PM -0700, Andy Lutomirski wrote: >> On Wed, Sep 14, 2016 at 9:00 PM, Alexei Starovoitov >> wrote: >> > On Wed, Sep 14, 2016 at 07:27:08PM -0700, Andy Lutomirski wrote: >> >> >> > >> >> >> > This RFC handl

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-14 Thread Alexei Starovoitov
On Wed, Sep 14, 2016 at 09:08:57PM -0700, Andy Lutomirski wrote: > On Wed, Sep 14, 2016 at 9:00 PM, Alexei Starovoitov > wrote: > > On Wed, Sep 14, 2016 at 07:27:08PM -0700, Andy Lutomirski wrote: > >> >> > > >> >> > This RFC handles both cgroup and seccomp approaches in a similar way. I > >> >> >

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-14 Thread Andy Lutomirski
On Wed, Sep 14, 2016 at 9:00 PM, Alexei Starovoitov wrote: > On Wed, Sep 14, 2016 at 07:27:08PM -0700, Andy Lutomirski wrote: >> >> > >> >> > This RFC handles both cgroup and seccomp approaches in a similar way. I >> >> > don't see why building on top of cgroup v2 is a problem. Are there >> >> > sec

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-14 Thread Alexei Starovoitov
On Wed, Sep 14, 2016 at 07:27:08PM -0700, Andy Lutomirski wrote: > >> > > >> > This RFC handles both cgroup and seccomp approaches in a similar way. I > >> > don't see why building on top of cgroup v2 is a problem. Are there > >> > security issues with delegation? > >> > >> What I mean is: cgroup v2

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-14 Thread Andy Lutomirski
On Wed, Sep 14, 2016 at 7:19 PM, Alexei Starovoitov wrote: > On Wed, Sep 14, 2016 at 06:25:07PM -0700, Andy Lutomirski wrote: >> On Wed, Sep 14, 2016 at 3:11 PM, Mickaël Salaün wrote: >> > >> > On 14/09/2016 20:27, Andy Lutomirski wrote: >> >> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wro

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-14 Thread Alexei Starovoitov
On Wed, Sep 14, 2016 at 06:25:07PM -0700, Andy Lutomirski wrote: > On Wed, Sep 14, 2016 at 3:11 PM, Mickaël Salaün wrote: > > > > On 14/09/2016 20:27, Andy Lutomirski wrote: > >> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote: > >>> Add a new flag CGRP_NO_NEW_PRIVS for each cgroup. This f

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-14 Thread Andy Lutomirski
On Wed, Sep 14, 2016 at 3:11 PM, Mickaël Salaün wrote: > > On 14/09/2016 20:27, Andy Lutomirski wrote: >> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote: >>> Add a new flag CGRP_NO_NEW_PRIVS for each cgroup. This flag is initially >>> set for all cgroups except the root. The flag is cleared

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-14 Thread Mickaël Salaün
On 14/09/2016 20:27, Andy Lutomirski wrote: > On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote: >> Add a new flag CGRP_NO_NEW_PRIVS for each cgroup. This flag is initially >> set for all cgroups except the root. The flag is cleared when a new process >> without the no_new_privs flag is attach

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-14 Thread Andy Lutomirski
On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote: > Add a new flag CGRP_NO_NEW_PRIVS for each cgroup. This flag is initially > set for all cgroups except the root. The flag is cleared when a new process > without the no_new_privs flag is attached to the cgroup. > > If a cgroup is landlocked, t

[RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-14 Thread Mickaël Salaün
Add a new flag CGRP_NO_NEW_PRIVS for each cgroup. This flag is initially set for all cgroups except the root. The flag is cleared when a new process without the no_new_privs flag is attached to the cgroup. If a cgroup is landlocked, then any new attempt, from an unprivileged process, to attach a pro