Am 20.06.2016 um 07:02 schrieb Andi Kleen: > Shanker Wang <shan...@tuna.tsinghua.edu.cn> writes: > >> This patch removes the check for CAP_NET_ADMIN in the initial namespace >> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user >> namespace the net namespace was created so that /dev/ppp cat get opened >> in a unprivileged container. > > Seems dangerous. From a quick look at the PPP ioctl there is no limit > how many PPP devices this can create. So a container having access to > this would be able to fill all kernel memory. Probably needs more > auditing and hardening first. > > In general there seems to be a lot of attack surface for root > in PPP.
You are right. Shanker Wang, I had also another at the open function, it is more complicated than I thought. Please see how ppp_unattached_ioctl() is called. Before we give containers access to it the use of nsproxy has to be removed. Not sure how easy this will be, especially since you cannot break existing users. Thanks, //richard
