Top search
Forums top search
[PATCH] prctl: add PR_{SET,GET}_CHILD_REAPER to allow simple process supervision
From: Lennart Poettering <lennart@poettering.net> Subject: prctl: add PR_{SET,GET}_CHILD_REAPER to allow simple process supervision Userspace service managers/supervisors need to track their started services. Many services daemonize by ...
Message posted on the July 28th, 2011 - 8:10 PM ET
[PATCH] prctl: add PR_{SET,GET}_CHILD_SUBREAPER to allow simple process supervision
Resending this, it got lost last year's September. We still need it to properly implement init-like service managers. Andrew, care to pick this up again? The issues raised the last year are all expected to be fixed. Thanks, Kay From: Lennart ...
Message posted on the January 7th, 2012 - 11:00 AM ET
[PATCH] prctl: Removed redunant assignment of "error" to zero
Just setting the "error" to error number is enough on failure and It doesn't require to set "error" variable to zero in each switch case, since it was already initialized with zero Signed-off-by: Sasikantha babu ...
Message posted on the May 30th, 2012 - 6:00 AM ET
[PATCH] prctl: Use CAP_SYS_RESOUCE for PR_SET_MM option
CAP_SYS_ADMIN is already overloaded left and right, so to have more finegrained access control use CAP_SYS_RESOUCE here. The CAP_SYS_RESOUCE is chosen because this prctl option allows a current process to adjust some fields of memory map descriptor ...
Message posted on the March 7th, 2012 - 8:00 AM ET
[PATCH] prctl: fix validation of an address
The address should be bigger than dac_mmap_min_addr, because a process with CAP_RAWIO can map a vma bellow mmap_min_addr. Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Kees Cook <keescook@chromium.org> Cc: Cyrill Gorcunov ...
Message posted on the December 29th, 2012 - 6:10 AM ET
[RFC] prctl: Add PR_ codes to restore vDSO and tune up mm_struct entires
While doing restore of a task we need to setup vDSO at predefined address unmapping current one and tune up mm_struct members which are set at Elf loading stage. So I would like to know what people think about the patch below? Maybe I miss ...
Message posted on the November 24th, 2011 - 7:10 AM ET
[PATCH 0/3] Taming execve, setuid, and LSMs
Every now and then, someone wants to let unprivileged programs change something about their execution environment (think unsharing namespaces, changing capabilities, disabling networking, chrooting, mounting and unmounting filesystems). Whether or ...
Message posted on the March 26th, 2010 - 8:50 AM ET
[PATCH] man2/prctl.2: Add PR_GET_TID_ADDRESS description
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> man2/prctl.2 | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/man2/prctl.2 b/man2/prctl.2 index 012af4d..4906c70 100644 a/man2/prctl.2 +++ b/man2/prctl.2 @@ -761,6 +761,18 ...
Message posted on the February 19th, 2013 - 10:50 AM ET
[PATCH 0/2] Yama: add PTRACE exception tracking
The primary exception to Yama's descendant-based PTRACE restrictions is when an application has a predefined crash handler that is spawned in parallel with the crashed application (e.g. KDE, Chromium). These applications want to bypass the common ...
Message posted on the June 29th, 2010 - 8:40 PM ET
[PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
With this set, a lot of dangerous operations (chroot, unshare, etc) become a lot less dangerous because there is no possibility of subverting privileged binaries. This patch completely breaks apparmor. Someone who understands (and uses) apparmor ...
Message posted on the January 12th, 2012 - 9:20 PM ET
[PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch
This patch is a placeholder until Andy's (luto@mit.edu) patch arrives implementing Linus's proposal for applying a "this is a process that has *no* extra privileges at all, and can never get them". It adds the ...
Message posted on the January 12th, 2012 - 6:40 PM ET
[PATCH v2] seccomp: Make syscall skipping and nr changes more consistent
This fixes two issues that could cause incompatibility between kernel versions: - If a tracer uses SECCOMP_RET_TRACE to select a syscall number higher than the largest known syscall, emulate the unknown vsyscall by returning -ENOSYS. (This is ...
Message posted on the August 1st, 2012 - 9:20 PM ET
[PATCH] Document how capability bits work
Signed-off-by: Andy Lutomirski <luto@amacapital.net> Documentation/security/capabilities.txt | 161 ++++++++++++++++++++++++++++++++ 1 file changed, 161 insertions(+) create mode 100644 Documentation/security/capabilities.txt diff --git ...
Message posted on the December 7th, 2012 - 1:30 PM ET
[PATCH v3 0/4] PR_SET_NO_NEW_PRIVS, unshare, and chroot
This adds PR_{GET,SET}_NO_NEW_PRIVS. As an example of its use, it allows some unshare operations and (sometimes) chroot when no_new_privs is set. Another example is the experimental pam module here: http://web.mit.edu/luto/www/linux/ After some ...
Message posted on the January 30th, 2012 - 11:20 AM ET
May 20th, 2013 - 2:37 AM ET
Join now
Login
