Date: Thu, 16 Jun 2011 18:26:30 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: HARDEN_VM86

On Wed, Jun 15, 2011 at 19:38 +0400, Vasiliy Kulikov wrote:
> On Wed, Jun 15, 2011 at 18:38 +0400, Solar Designer wrote:
> > If upstream is fine with sysctl's setting gids, and this appears to be
> > the case, then let's go for this.
> 
> I see one problem with gid style - as gid is a per pid_namespace thing,
> it should be configurable per pid_namespace.
> 
> But on the other hand, a potential bug might lead to a privilege
> escalation (not an in-namespace root, but e.g. arbitrary write into any
> physical address) due to the nature of the syscall.  So, in-namespace
> root shouldn't be able to configure who is able to do vm86(2), otherwise
> it is able to gain full root.

With CAP_SYS_RAWIO there is no such problem in OpenVZ by default, as
CAP_SYS_RAWIO is disabled in a CT by default.  So, specifically for OpenVZ,
I see the cap check as the preferable one.

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
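As an added example (not part of this thread and not the proposed HARDEN_VM86 code), here is a small user-space check for the condition the message above relies on: whether the calling process actually holds CAP_SYS_RAWIO in its effective set, which is what a capability-gated vm86(2) would test. It reads the CapEff hex bitmask from /proc/self/status and tests capability number 17 (CAP_SYS_RAWIO in <linux/capability.h>); the helper names and the constructed status buffers are my own.

```c
/* Added example, not from the thread: does this process hold CAP_SYS_RAWIO?
 * The effective capability set is the "CapEff:" line of /proc/self/status,
 * a 64-bit hex bitmask. CAP_SYS_RAWIO is capability number 17 on Linux. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CAP_SYS_RAWIO_NR 17   /* value of CAP_SYS_RAWIO in <linux/capability.h> */

/* Parse a hex capability mask such as "0000003fffffffff" and report whether
 * capability number `cap` is set: 1 if set, 0 if clear, -1 on bad input. */
int cap_in_mask(const char *hex, int cap)
{
    if (cap < 0 || cap >= 64)
        return -1;
    errno = 0;
    char *end;
    unsigned long long mask = strtoull(hex, &end, 16);
    if (errno != 0 || end == hex || (*end != '\0' && *end != '\n'))
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Find "<key>:" in a /proc/<pid>/status-style buffer and copy its value,
 * with leading blanks stripped, into out. Returns 1 if found, 0 otherwise. */
int status_field(const char *status, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':') {
            const char *v = p + klen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            size_t n = strcspn(v, "\n");
            if (n >= outlen)
                return 0;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return 0;
}

/* Decide from a status buffer whether CAP_SYS_RAWIO is in the effective set.
 * Returns 1/0, or -1 if the buffer has no usable CapEff line. */
int status_has_sys_rawio(const char *status)
{
    char val[64];
    if (!status_field(status, "CapEff", val, sizeof val))
        return -1;
    return cap_in_mask(val, CAP_SYS_RAWIO_NR);
}

/* Same check against the live /proc/self/status of the calling process. */
int self_has_sys_rawio(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char buf[8192];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_sys_rawio(buf);
}

int main(void)
{
    int r = self_has_sys_rawio();
    if (r < 0)
        printf("could not read CapEff from /proc/self/status\n");
    else
        printf("CAP_SYS_RAWIO in effective set: %s\n", r ? "yes" : "no");
    return 0;
}
```

Run it once on the host and once inside a container: with CAP_SYS_RAWIO dropped in the CT, a capability-gated vm86(2) is refused there regardless of who holds in-namespace root, which is the property the message above prefers over a gid that a namespace's root could reconfigure.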
