From: Vasiliy Kulikov <segoon@openwall.com>
To: Valdis.Kletnieks@vt.edu
Cc: "H. Peter Anvin" <hpa@zytor.com>,
linux-kernel@vger.kernel.org,
Alexey Dobriyan <adobriyan@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-security-module@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH] proc: restrict access to /proc/interrupts
Date: Tue, 8 Nov 2011 00:19:08 +0400 [thread overview]
Message-ID: <20111107201908.GA5827@albatros> (raw)
In-Reply-To: <14202.1320696659@turing-police.cc.vt.edu>
On Mon, Nov 07, 2011 at 15:10 -0500, Valdis.Kletnieks@vt.edu wrote:
> On Mon, 07 Nov 2011 11:18:32 PST, "H. Peter Anvin" said:
>
> > I would like to propose that we add a mount option to procfs, and
> > possibly sysfs, called, say, admingrp. These kinds of files then get
> > restricted to the admingrp (defaulting to gid 0 if no admingrp is
> > provided). Historically on Unix there has been a group of people
> > (usually "adm", but sometimes "log") who are allowed to read (but not
> > write) the log files, which also contains potentially sensitive information.
>
> Probably should be a two part - mount with 'gid=NNN', and then a
> perm=027 or whatever, to be treated similar to a umask. So 027
> would allow root to do anything, would disable write for the gid= group,
> and turn it off completely for others. Less paranoid sites could mount
> it with perm=002.
>
> Does that cover most of the use cases?
At the time of Linux 2.0-2.4 in Owl patch there was a plain on/off
configure option - 022 / 066 umask. Currently procfs restriction is
implemented in Grsecurity with the same all-or-nothing approach.
Brad Spengler told me that there were no user complains about the lack of
flexibility :-) So, I agree that we don't need anything more complex.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
WARNING: multiple messages have this Message-ID (diff)
From: Vasiliy Kulikov <segoon@openwall.com>
To: Valdis.Kletnieks@vt.edu
Cc: "H. Peter Anvin" <hpa@zytor.com>,
linux-kernel@vger.kernel.org,
Alexey Dobriyan <adobriyan@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-security-module@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH] proc: restrict access to /proc/interrupts
Date: Tue, 8 Nov 2011 00:19:08 +0400 [thread overview]
Message-ID: <20111107201908.GA5827@albatros> (raw)
In-Reply-To: <14202.1320696659@turing-police.cc.vt.edu>
On Mon, Nov 07, 2011 at 15:10 -0500, Valdis.Kletnieks@vt.edu wrote:
> On Mon, 07 Nov 2011 11:18:32 PST, "H. Peter Anvin" said:
>
> > I would like to propose that we add a mount option to procfs, and
> > possibly sysfs, called, say, admingrp. These kinds of files then get
> > restricted to the admingrp (defaulting to gid 0 if no admingrp is
> > provided). Historically on Unix there has been a group of people
> > (usually "adm", but sometimes "log") who are allowed to read (but not
> > write) the log files, which also contains potentially sensitive information.
>
> Probably should be a two part - mount with 'gid=NNN', and then a
> perm=027 or whatever, to be treated similar to a umask. So 027
> would allow root to do anything, would disable write for the gid= group,
> and turn it off completely for others. Less paranoid sites could mount
> it with perm=002.
>
> Does that cover most of the use cases?
At the time of Linux 2.0-2.4 in Owl patch there was a plain on/off
configure option - 022 / 066 umask. Currently procfs restriction is
implemented in Grsecurity with the same all-or-nothing approach.
Brad Spengler told me that there were no user complains about the lack of
flexibility :-) So, I agree that we don't need anything more complex.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
next prev parent reply other threads:[~2011-11-07 20:19 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-07 17:45 [PATCH] proc: restrict access to /proc/interrupts Vasiliy Kulikov
2011-11-07 18:06 ` Valdis.Kletnieks
2011-11-07 19:01 ` [kernel-hardening] " Vasiliy Kulikov
2011-11-07 19:01 ` Vasiliy Kulikov
2011-11-07 19:18 ` [kernel-hardening] " H. Peter Anvin
2011-11-07 19:18 ` H. Peter Anvin
2011-11-07 19:29 ` [kernel-hardening] " Vasiliy Kulikov
2011-11-07 19:48 ` Eric Paris
2011-11-07 19:50 ` H. Peter Anvin
2011-11-07 20:11 ` Vasiliy Kulikov
2011-11-07 20:47 ` H. Peter Anvin
2011-11-07 21:23 ` Linus Torvalds
2011-11-07 21:35 ` H. Peter Anvin
2011-11-07 23:07 ` Linus Torvalds
2011-11-07 23:21 ` Alan Cox
2011-11-07 23:27 ` Greg KH
2011-11-07 23:40 ` Theodore Tso
2011-11-07 23:45 ` Alan Cox
2011-11-07 23:45 ` Greg KH
2011-11-08 20:07 ` Ted Ts'o
2011-11-09 16:14 ` Greg KH
2011-11-08 9:11 ` Vasiliy Kulikov
2011-11-08 13:23 ` Alan Cox
2011-11-08 17:41 ` Vasiliy Kulikov
2011-11-08 17:06 ` John Stoffel
2011-11-07 19:54 ` Vasiliy Kulikov
2011-11-07 20:10 ` Valdis.Kletnieks
2011-11-07 20:10 ` Valdis.Kletnieks
2011-11-07 20:19 ` Vasiliy Kulikov [this message]
2011-11-07 20:19 ` Vasiliy Kulikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111107201908.GA5827@albatros \
--to=segoon@openwall.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=hpa@zytor.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.