Message-ID: <879b165b-ca4e-114b-ab4e-b38121472722@ilbers.de>
Date: Fri, 5 Aug 2022 16:29:19 +0300
Subject: Re: [PATCH v4 10/21] meta: mark network and sudo tasks
To: isar-users, Adriaan Schmidt
References: <20220805131035.22844-1-amikan@ilbers.de> <20220805131035.22844-11-amikan@ilbers.de>
Cc: Jan Kiszka, Henning Schild, Felix Moessbauer, Baurzhan Ismagulov
From: Anton Mikanovich
In-Reply-To: <20220805131035.22844-11-amikan@ilbers.de>

05.08.2022 16:10, Anton Mikanovich wrote:
> Network access from tasks is now disabled by default. This means that
> tasks accessing the network need to be marked as such with the network
> flag.
>
> The same marking is also required for the tasks using sudo.
>
> Signed-off-by: Anton Mikanovich <amikan@ilbers.de>

I still don't have a final decision on how to deal with privileged tasks.
On the one hand, reverting the CLONE_NEWUSER flag will allow a smoother
downstream migration. On the other hand, marking sudo tasks can be helpful
if we are going to get rid of sudo soon.
So this moment definitely needs some additional discussion.