[kernel-hardening] Re: procfs mount options

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Vasiliy Kulikov <segoon@openwall.com>
To: kernel-hardening@lists.openwall.com
Cc: Eugene Teo <eugeneteo@gmail.com>
Subject: [kernel-hardening] Re: procfs mount options
Date: Sat, 4 Jun 2011 09:47:58 +0400	[thread overview]
Message-ID: <20110604054758.GA4063@albatros> (raw)
In-Reply-To: <20110603191153.GB514@openwall.com>

[-- Attachment #1: Type: text/plain, Size: 2243 bytes --]

Solar,

On Fri, Jun 03, 2011 at 23:11 +0400, Solar Designer wrote:
> I welcome suggestions on how to achieve the desired functionality for
> procfs in a non-confusing and generic way.  It should support the
> following reasonable configuration:
> 
> /proc/PID directories restricted to group proc (except for owners and
> root, indeed).  However, /proc/cpuinfo and the like unrestricted.
> Here's what this looks like on Linux 2.4.x-ow:
> 
> dr-xr-x---  3 root    proc         0 Jun  3 22:59 1
> ...
> dr-xr-x---  3 syslogd proc         0 Jun  3 22:59 205
> dr-xr-x---  3 klogd   proc         0 Jun  3 22:59 211
> ...
> -r--r--r--  1 root    proc         0 Jun  3 23:00 cpuinfo
> ...
> -r--------  1 root    proc 536743936 Jun  3 23:00 kcore
> -r--------  1 root    proc         0 May  5 20:36 kmsg
> ...
> dr-xr-x---  5 root    proc         0 Jun  3 23:00 net
> ...
> -r--r--r--  1 root    proc         0 Jun  3 23:00 uptime
> -r--r--r--  1 root    proc         0 Jun  3 23:00 version
> 
> Perhaps gid=proc,umask=007 should result in the above for /proc/PID, but
> how do we justify it not affecting /proc/cpuinfo, uptime, version (and
> many others)?  How do we justify it nevertheless affecting /proc/net (or
> should another option do that)?

I think it should be done with separate mount options for /proc/self/net
(/proc/net is a symlink to /proc/self/net since net namespaces
introduction) and for /proc/PID.  All other files should be e.g.
chmod'ed go= and then some white list should be chmod'ed to the relaxed
perms.

> Indeed, we could set some of these perms with chmod post-mount, but as
> discussed this has drawbacks.

Where its drawbacks were discussed?  I cannot find anything on
owl-dev.  Do you mean some possible diffirences between procfs files
among different kernel versions?  If so, white list instead of black
list should partly solve it.

>  So ideally our preferred configuration
> (which will be the default on Owl) should be achievable with mount
> options alone.

At least for sysfs it is unreachable if we go in the current direction -
umask doesn't change perms of already created files, and additional
"chmod -R" is needed anyway.

Thanks,

-- 
Vasiliy

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

next      parent reply	other threads:[~2011-06-04  5:47 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20110603191153.GB514@openwall.com>
2011-06-04  5:47 ` Vasiliy Kulikov [this message]
2011-06-04 13:20   ` [kernel-hardening] procfs mount options Solar Designer
2011-06-04 20:09     ` Vasiliy Kulikov
2011-06-04 20:59       ` Solar Designer
2011-06-05 18:24         ` [kernel-hardening] [RFC v1] " Vasiliy Kulikov
2011-06-05 19:26           ` Solar Designer
2011-06-05 19:47             ` Vasiliy Kulikov
2011-06-05 20:10               ` Solar Designer
2011-06-06 18:08                 ` Vasiliy Kulikov
2011-06-06 18:33                   ` Solar Designer
2011-06-08 17:23                     ` [kernel-hardening] [RFC v2] " Vasiliy Kulikov
2011-06-08 17:43                       ` Vasiliy Kulikov
2011-06-12  2:39                       ` Solar Designer
2011-07-24 18:55                         ` Vasiliy Kulikov
     [not found]                         ` <20110724185036.GC3510@albatros>
2011-07-26 14:50                           ` Vasiliy Kulikov
2011-07-29 17:47                             ` [kernel-hardening] procfs {tid,tgid,attr}_allowed " Vasiliy Kulikov
2011-08-04 11:23                               ` [kernel-hardening] " Vasiliy Kulikov
2011-08-10 10:02                                 ` Vasiliy Kulikov
2011-08-10 11:22                                   ` [kernel-hardening] " Solar Designer
2011-08-10 11:25                                 ` Solar Designer
2011-08-10 12:04                                   ` Vasiliy Kulikov
2011-08-10 13:34                                     ` Solar Designer
2011-08-12 18:14                                       ` Simon Marechal
2011-06-06 19:20                 ` [kernel-hardening] [RFC v1] procfs " Vasiliy Kulikov
2011-06-05 19:17         ` [kernel-hardening] " Vasiliy Kulikov
2011-06-05 19:40           ` Solar Designer
2011-06-05 19:53             ` Vasiliy Kulikov
2011-06-05 18:36 ` [kernel-hardening] Re: [owl-dev] " Vasiliy Kulikov
2011-06-05 18:47   ` [kernel-hardening] " Solar Designer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110604054758.GA4063@albatros \
    --to=segoon@openwall.com \
    --cc=eugeneteo@gmail.com \
    --cc=kernel-hardening@lists.openwall.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.