[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/6] tools/pygrub: Set mount propagation to private recursively

To: Andrew Cooper <andcooper@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Alejandro Vallejo <alejandro.vallejo@xxxxxxxxx>
Date: Thu, 23 Nov 2023 16:49:17 +0000
Cc: Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>
Delivery-date: Thu, 23 Nov 2023 16:49:30 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 22/11/2023 19:48, Andrew Cooper wrote:

On 22/11/2023 7:46 pm, Andrew Cooper wrote:

On 06/11/2023 3:05 pm, Alejandro Vallejo wrote:

This is important in order for every mount done inside a mount namespace to
go away after the namespace itself goes away. The comment referring to
unreliability in Linux 4.19 was just wrong.

This patch sets the story straight and makes the depriv pygrub a bit more
confined should a layer of the onion be vulnerable.

Signed-off-by: Alejandro Vallejo <alejandro.vallejo@xxxxxxxxx>

Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>


Sorry, wants

Fixes: e0342ae5556f ("tools/pygrub: Deprivilege pygrub")

too.  Will fix on commit.

~Andrew


Sounds good.

Cheers,
Alejandro

References:
- [PATCH 0/6] Pygrub security enhancements and bugfixes
  - From: Alejandro Vallejo
- [PATCH 1/6] tools/pygrub: Set mount propagation to private recursively
  - From: Alejandro Vallejo
- Re: [PATCH 1/6] tools/pygrub: Set mount propagation to private recursively
  - From: Andrew Cooper
- Re: [PATCH 1/6] tools/pygrub: Set mount propagation to private recursively
  - From: Andrew Cooper

Prev by Date: Re: [PATCH 6/6] tools/pygrub: Hook libfsimage's fdopen() to pygrub
Next by Date: Re: [PATCH v2.5/6] tools/pygrub: Fix expression before it's copied elsewhere
Previous by thread: Re: [PATCH 1/6] tools/pygrub: Set mount propagation to private recursively
Next by thread: [PATCH 3/6] tools/pygrub: Restrict depriv operation with RLIMIT_AS
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.