Date: Sat, 13 Aug 2011 23:22:51 +0400 From: Solar Designer <solar@...nwall.com> To: kernel-hardening@...ts.openwall.com Subject: Re: 32/64 bitness restriction for pid namespace Vasiliy, On Sat, Aug 13, 2011 at 08:55:02PM +0400, Vasiliy Kulikov wrote: > I've decided to go with 2 flags of prctl() - whether 32 bit executable > is allowed on the next execve(), whether 64 bit exec is allowed. If set > both, any bitness is allowed, and the bitness lock depends on the binary > bitness. If none set, don't lock at all. Sounds good. > 1) If execve() fails, e.g. because of missing binary, drop the flag or > keep it? I think dropping is safer. I wouldn't call this safer, but it does feel more logical. > 2) If the binary is non-ELF, e.g. a misc binary? I think execve() > should fail as we expect to run 64/32 bit ELF. This makes sense to me. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.