nguyen thai <thai.bkset@xxxxxxxxx> writes:

> Hi everyone,
>
> I'm working with SELinux and cgroups to implement SELinux on cgroups
> file. This is expected to improve cgroups security. But I'm having a
> confusion identifying the possible vulnerabilities of the current cgroups
> DAC check and what needs to be improved.
> I know the cgroup interface is the filesystem. But how can this be the
> drawback of the current implementation? I mean, how hackers may use this
> to attack the system. Tejun Heo said that the biggest issue with cgroup
> is the ability for non-root users to gain access to the raw kernel
> control knobs. Can anyone explain more about this?

The problem is poor design of the basic mechanisms. The result is that
in several instances a poor/unmaintainable choice of abstractions was
exposed. That is, there are values exposed for tweaking that, if a
non-root user is allowed to change them, can lead to subversion of the
policy framework that it is the intention of cgroups to implement.

The only sane fix is to go through the exported control knobs and
catalogue them as safe or not safe. And then work towards removing
the unsafe knobs.

Eric
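The catalogue Eric proposes starts with knowing which knobs are currently reachable by unprivileged users. As an added example (not from this thread or from the kernel project), the following POSIX shell audit walks a cgroup mount and reports every control file that is group- or world-writable or owned by someone other than a trusted user; the function names, the SAFE_KNOBS allowlist and the sample tree in the test are assumptions.

```shell
#!/bin/sh
# Added example: inventory the control knobs under a cgroup mount that an
# unprivileged user could write to. Function names and the SAFE_KNOBS
# allowlist are assumptions, not kernel or project interfaces.
#
#   list_unsafe_knobs DIR [TRUSTED_OWNER]   -> prints "reason<TAB>path" per hit
#   audit_cgroup_knobs DIR [TRUSTED_OWNER]  -> same, returns 1 if anything hit
#
# SAFE_KNOBS (space-separated basenames) holds knobs the admin has already
# catalogued as safe to delegate; every other file writable by someone
# other than TRUSTED_OWNER (default: root) is reported.
list_unsafe_knobs() {
    dir=$1
    trusted=${2:-root}
    # -perm -020: group write bit; -perm -002: other write bit;
    # ! -user: owned by someone other than the trusted owner.
    find "$dir" -type f \( -perm -020 -o -perm -002 -o ! -user "$trusted" \) |
    while IFS= read -r f; do
        name=${f##*/}
        case " ${SAFE_KNOBS:-} " in
            *" $name "*) continue ;;      # catalogued as safe, skip it
        esac
        if [ -n "$(find "$f" -perm -002)" ]; then
            reason=world-writable
        elif [ -n "$(find "$f" -perm -020)" ]; then
            reason=group-writable
        else
            reason="owner-not-$trusted"
        fi
        printf '%s\t%s\n' "$reason" "$f"
    done
}

audit_cgroup_knobs() {
    hits=$(list_unsafe_knobs "$@")
    if [ -z "$hits" ]; then
        return 0                          # nothing delegated beyond the trusted owner
    fi
    printf '%s\n' "$hits"
    return 1
}

# Run directly against a real mount, e.g.: sh audit.sh /sys/fs/cgroup
if [ $# -gt 0 ]; then
    audit_cgroup_knobs "$@"
fi
```

The report is the raw input for the safe/unsafe catalogue: each flagged path is a knob whose write access has been handed to someone other than the trusted owner and must be justified or revoked.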