[Devel] Re: [PATCH 4/6] cr: checkpoint and restore task credentials
Oren Laadan
orenl at cs.columbia.edu
Wed May 20 08:35:44 PDT 2009
Serge -
The 'creator' makes the 'struct user' recursive because to save
an object you need to first save its creator etc. However the
implementation may not call checkpoint_obj() recursively, if
the depth isn't bounded a priori. You probably need to convert
checkpoint_write_user() to do an iterative (loop) implementation
of the recursion...
Oren.
Serge E. Hallyn wrote:
> This patch adds the checkpointing and restart of credentials
> (uids, gids, and capabilities) to Oren's c/r patchset (on top
> of v14). It goes to great pains to re-use (and define when
> needed) common helpers, in order to make sure that as security
> code is modified, the cr code will be updated. Some of the
> helpers should still be moved (i.e. _creds() functions should
> be in kernel/cred.c).
>
> When building the credentials for the restarted process, I
> 1. create a new struct cred as a copy of the running task's
> cred (using prepare_cred())
> 2. always authorize any changes to the new struct cred
> based on the permissions of current_cred() (not the current
> transient state of the new cred).
>
> While this may mean that certain transient_cred1->transient_cred2
> states are allowed which otherwise wouldn't be allowed, the
> fact remains that current_cred() is allowed to transition to
> transient_cred2.
>
> The reconstructed creds are applied to the task at the very
> end of the sys_restart call. This ensures that any objects which
> need to be re-created (file, socket, etc) are re-created using
> the creds of the task calling sys_restart - preventing an unpriv
> user from creating a privileged object, and ensuring that a
> root task can restart a process which had started out privileged,
> created some privileged objects, then dropped its privilege.
>
> With these patches, the root user can restart checkpoint images
> (created by either hallyn or root) of user hallyn's tasks,
> resulting in a program owned by hallyn.
>
> Plenty of bugs to be found, no doubt.
>
> Changelog:
> May 18: fix more refcounting: if (userns 5, uid 0) had
> no active tasks or child user_namespaces, then
> it shouldn't exist at restart or it, its namespace,
> and its whole chain of creators will be leaked.
> May 14: fix some refcounting:
> 1. a new user_ns needs a ref to remain pinned
> by its root user
> 2. current_user_ns needs an extra ref bc objhash
> drops two on restart
> 3. cred needs a ref for the real credentials bc
> commit_creds eats one ref.
> May 13: folded in fix to userns refcounting.
>
> Signed-off-by: Serge E. Hallyn <serue at us.ibm.com>
[...]
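Added illustration of the iterative walk Oren suggests (this is not Oren's code nor the c/r patchset's): a toy `struct toy_user` with a `creator` pointer stands in for `struct user`, and a `checkpointed` flag stands in for the objhash "already saved" lookup; every name below is made up for the example.

```c
#include <stdlib.h>
/* Toy stand-in for struct user: only the fields the walk needs. */
struct toy_user {
    unsigned int uid;
    struct toy_user *creator;  /* NULL at the root of the chain */
    int checkpointed;          /* stands in for the objhash "already saved" lookup */
};
static unsigned int demo_out[8];  /* uids in the order they were written */
static size_t demo_n;

/* Iterative "creator first" walk: unsaved ancestors go on a heap-allocated
 * stack and are popped creator-before-created, so an arbitrarily deep chain
 * costs heap rather than kernel stack as recursion would. Returns -1 on OOM. */
int checkpoint_user_chain(struct toy_user *u, unsigned int *out, size_t *n)
{
    size_t cap = 16, top = 0;
    struct toy_user **stack = malloc(cap * sizeof(*stack));
    if (!stack) return -1;
    for (; u && !u->checkpointed; u = u->creator) {
        if (top == cap) {
            struct toy_user **grown = realloc(stack, 2 * cap * sizeof(*stack));
            if (!grown) { free(stack); return -1; }
            stack = grown;
            cap *= 2;
        }
        stack[top++] = u;
    }
    while (top > 0) {
        u = stack[--top];
        out[(*n)++] = u->uid;  /* the real code writes the object's record here */
        u->checkpointed = 1;   /* objhash would record it as saved */
    }
    free(stack);
    return 0;
}

/* Constructed chain: init root -> root of a child userns -> two users in it.
 * Returns the record count; the second call writes only the sibling. */
int run_demo(void)
{
    struct toy_user root = { 0, NULL, 0 };
    struct toy_user ns1_root = { 0, &root, 0 };
    struct toy_user hallyn = { 1000, &ns1_root, 0 };
    struct toy_user bob = { 1001, &ns1_root, 0 };
    demo_n = 0;
    if (checkpoint_user_chain(&hallyn, demo_out, &demo_n) < 0 ||
        checkpoint_user_chain(&bob, demo_out, &demo_n) < 0)
        return -1;
    return (int)demo_n;
}
```

The first call writes root, the child-namespace root and hallyn in that order; the second writes only bob, since its creators are already marked as saved.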
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers