On Thu, Jul 17, 2014 at 11:38:38PM +0200, Justin Pettit wrote:
> On Thu, Jul 17, 2014 at 6:57 PM, Ben Pfaff wrote:
>
> >
> > It probably wouldn't be too hard to do this in OVS, because we used to
> > do something very similar for non-security reasons. It would be a
> > matter of resurrecting the
On Thu, Jul 17, 2014 at 6:57 PM, Ben Pfaff wrote:
>
> It probably wouldn't be too hard to do this in OVS, because we used to
> do something very similar for non-security reasons. It would be a
> matter of resurrecting the "worker" library and adjusting it to better
> suit as a security feature (
On Thu, Jul 17, 2014 at 08:35:04AM +0200, Eric Sesterhenn wrote:
> On 07/16/2014 08:04 PM, Ben Pfaff wrote:
> > A thought I've had about hardening ovs-vswitchd is to adopt an
> > OpenSSH-like privilege separation model, where a simple, separate
> > process with high privilege doles out restricted a
On Thu, Jul 17, 2014 at 08:35:04AM +0200, Eric Sesterhenn wrote:
> On 07/16/2014 08:04 PM, Ben Pfaff wrote:
> > On Wed, Jul 16, 2014 at 02:53:37PM -0300, Flavio Leitner wrote:
> >> On Wed, Jul 16, 2014 at 09:56:20AM -0700, Ben Pfaff wrote:
> >>> On Wed, Jul 16, 2014 at 10:39:17AM -0300, Flavio Leit
On 07/16/2014 08:04 PM, Ben Pfaff wrote:
> On Wed, Jul 16, 2014 at 02:53:37PM -0300, Flavio Leitner wrote:
>> On Wed, Jul 16, 2014 at 09:56:20AM -0700, Ben Pfaff wrote:
>>> On Wed, Jul 16, 2014 at 10:39:17AM -0300, Flavio Leitner wrote:
>>> There's more than one way to chroot. Maybe Eric is thinki
On Wed, Jul 16, 2014 at 02:53:37PM -0300, Flavio Leitner wrote:
> On Wed, Jul 16, 2014 at 09:56:20AM -0700, Ben Pfaff wrote:
> > On Wed, Jul 16, 2014 at 10:39:17AM -0300, Flavio Leitner wrote:
> > There's more than one way to chroot. Maybe Eric is thinking of a
> > model where one chroots to an em
On Wed, Jul 16, 2014 at 09:56:20AM -0700, Ben Pfaff wrote:
> On Wed, Jul 16, 2014 at 10:39:17AM -0300, Flavio Leitner wrote:
> > The main_loop refactoring is a nice thing even without the series, I find
> > the code easier to understand.
>
> That's reasonable, so I applied that patch.
Thanks!
>
On Wed, Jul 16, 2014 at 10:39:17AM -0300, Flavio Leitner wrote:
> The main_loop refactoring is a nice thing even without the series, I find
> the code easier to understand.
That's reasonable, so I applied that patch.
> I don't think there is a need to pre-open files in /dev since they usually
> a
On Fri, Jul 11, 2014 at 01:24:01PM +0200, Eric Sesterhenn wrote:
> Hi,
>
> on my Debian installation, the ovsdb-server is running as root. Since I
> prefer to add additional mitigations for running services, I was looking
> into putting the ovsdb-server into a chroot and implemented it in the
> fo
On Fri, Jul 11, 2014 at 01:24:01PM +0200, Eric Sesterhenn wrote:
> on my Debian installation, the ovsdb-server is running as root. Since I
> prefer to add additional mitigations for running services, I was looking
> into putting the ovsdb-server into a chroot and implemented it in the
> following t
Hi,
on my Debian installation, the ovsdb-server is running as root. Since I
prefer to add additional mitigations for running services, I was looking
into putting the ovsdb-server into a chroot and implemented it in the
following three patches.
These patches are sent as a request for comments, sin
11 matches