On Thu, Jan 12, 2012 at 9:43 AM, Steven Rostedt <rostedt@xxxxxxxxxxx> wrote: > On Wed, 2012-01-11 at 11:25 -0600, Will Drewry wrote: > >> Filter programs may _only_ cross the execve(2) barrier if last filter >> program was attached by a task with CAP_SYS_ADMIN capabilities in its >> user namespace. Once a task-local filter program is attached from a >> process without privileges, execve will fail. This ensures that only >> privileged parent task can affect its privileged children (e.g., setuid >> binary). > > This means that a non privileged user can not run another program with > limited features? How would a process exec another program and filter > it? I would assume that the filter would need to be attached first and > then the execv() would be performed. But after the filter is attached, > the execv is prevented? Yeah - it means tasks can filter themselves, but not each other. However, you can inject a filter for any dynamically linked executable using LD_PRELOAD. > Maybe I don't understand this correctly. You're right on. This was to ensure that one process didn't cause crazy behavior in another. I think Alan has a better proposal than mine below. (Goes back to catching up.) -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
