[kernel-hardening] Re: [RFC 3/3] procfs: add documentation for procfs mount options

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Randy Dunlap <rdunlap@xenotime.net>
To: Vasiliy Kulikov <segoon@openwall.com>
Cc: kernel-hardening@lists.openwall.com,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-kernel@vger.kernel.org,
	Alexey Dobriyan <adobriyan@gmail.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	"H. Peter Anvin" <hpa@zytor.com>, Greg KH <greg@kroah.com>,
	Theodore Tso <tytso@MIT.EDU>, Alan Cox <alan@lxorguk.ukuu.org.uk>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [kernel-hardening] Re: [RFC 3/3] procfs: add documentation for procfs mount options
Date: Tue, 15 Nov 2011 13:11:04 -0800	[thread overview]
Message-ID: <4EC2D568.4040001@xenotime.net> (raw)
In-Reply-To: <20111115112208.GC3002@albatros>

On 11/15/2011 03:22 AM, Vasiliy Kulikov wrote:
> Signed-off-by: Vasiliy Kulikov <seooon@openwall.com>
> --
>  Documentation/filesystems/proc.txt |   39 ++++++++++++++++++++++++++++++++++++
>  1 files changed, 39 insertions(+), 0 deletions(-)
> 
> diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt
> index 0ec91f0..518987e 100644
> --- a/Documentation/filesystems/proc.txt
> +++ b/Documentation/filesystems/proc.txt
> @@ -1542,3 +1544,40 @@ a task to set its own or one of its thread siblings comm value. The comm value
>  is limited in size compared to the cmdline value, so writing anything longer
>  then the kernel's TASK_COMM_LEN (currently 16 chars) will result in a truncated
>  comm value.
> +
> +
> +------------------------------------------------------------------------------
> +Configuring procfs
> +------------------------------------------------------------------------------
> +
> +4.1	Mount options
> +---------------------
> +
> +The following mount options are supported:
> +
> +	hidepid=	Set /proc/<pid>/ access mode.
> +	gid=		Set the group authorized to learn processes information.
> +
> +hidepid=0 means classic mode - everybody may access all /proc/<pid>/ directories
> +(default).
> +
> +hidepid=1 means users may not access any /proc/<pid>/ directories, but their

                                                         directories but their
(drop comma)

> +own.  Sensitive files like cmdline, sched*, status are now protected against
> +other users.  This makes impossible to learn whether any user runs

                 This makes it impossible

> +specific program (given the program doesn't reveal itself by its behaviour).
> +As an additional bonus, as /proc/<pid>/cmdline is unaccessible for other users,
> +poorly written programs passing sensitive information via program arguments are
> +now protected against local eavesdroppers.
> +
> +hidepid=2 means hidepid=1 plus all /proc/<pid>/ will be fully invisible to other
> +users.  It doesn't mean that it hides a fact whether a process with a specific
> +pid value exists (it can be learned by other means, e.g. by "kill -0 $PID"),
> +but it hides process' uid and gid, which may be learned by stat()'ing
> +/proc/<pid>/ otherwise.  It greatly complicates intruder's task of gathering info

                                       complicates an intruder's task of gathering information
(or data) [+ fix line length]


> +about running processes, whether some daemon runs with elevated privileges,
> +whether other user runs some sensitive program, whether other users run any
> +program at all, etc.
> +
> +gid= defines a group authorized to learn processes information otherwise
> +prohibited by hidepid=.  If you use some daemon like identd which have to learn

                                                               which has to learn
or                                                             which must learn
or                                                             which needs to learn

> +information about processes information, just add identd to this group.
> --


-- 
~Randy
*** Remember to use Documentation/SubmitChecklist when testing your code ***

WARNING: multiple messages have this Message-ID (diff)

From: Randy Dunlap <rdunlap@xenotime.net>
To: Vasiliy Kulikov <segoon@openwall.com>
Cc: kernel-hardening@lists.openwall.com,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-kernel@vger.kernel.org,
	Alexey Dobriyan <adobriyan@gmail.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	"H. Peter Anvin" <hpa@zytor.com>, Greg KH <greg@kroah.com>,
	Theodore Tso <tytso@MIT.EDU>, Alan Cox <alan@lxorguk.ukuu.org.uk>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [RFC 3/3] procfs: add documentation for procfs mount options
Date: Tue, 15 Nov 2011 13:11:04 -0800	[thread overview]
Message-ID: <4EC2D568.4040001@xenotime.net> (raw)
In-Reply-To: <20111115112208.GC3002@albatros>

On 11/15/2011 03:22 AM, Vasiliy Kulikov wrote:
> Signed-off-by: Vasiliy Kulikov <seooon@openwall.com>
> --
>  Documentation/filesystems/proc.txt |   39 ++++++++++++++++++++++++++++++++++++
>  1 files changed, 39 insertions(+), 0 deletions(-)
> 
> diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt
> index 0ec91f0..518987e 100644
> --- a/Documentation/filesystems/proc.txt
> +++ b/Documentation/filesystems/proc.txt
> @@ -1542,3 +1544,40 @@ a task to set its own or one of its thread siblings comm value. The comm value
>  is limited in size compared to the cmdline value, so writing anything longer
>  then the kernel's TASK_COMM_LEN (currently 16 chars) will result in a truncated
>  comm value.
> +
> +
> +------------------------------------------------------------------------------
> +Configuring procfs
> +------------------------------------------------------------------------------
> +
> +4.1	Mount options
> +---------------------
> +
> +The following mount options are supported:
> +
> +	hidepid=	Set /proc/<pid>/ access mode.
> +	gid=		Set the group authorized to learn processes information.
> +
> +hidepid=0 means classic mode - everybody may access all /proc/<pid>/ directories
> +(default).
> +
> +hidepid=1 means users may not access any /proc/<pid>/ directories, but their

                                                         directories but their
(drop comma)

> +own.  Sensitive files like cmdline, sched*, status are now protected against
> +other users.  This makes impossible to learn whether any user runs

                 This makes it impossible

> +specific program (given the program doesn't reveal itself by its behaviour).
> +As an additional bonus, as /proc/<pid>/cmdline is unaccessible for other users,
> +poorly written programs passing sensitive information via program arguments are
> +now protected against local eavesdroppers.
> +
> +hidepid=2 means hidepid=1 plus all /proc/<pid>/ will be fully invisible to other
> +users.  It doesn't mean that it hides a fact whether a process with a specific
> +pid value exists (it can be learned by other means, e.g. by "kill -0 $PID"),
> +but it hides process' uid and gid, which may be learned by stat()'ing
> +/proc/<pid>/ otherwise.  It greatly complicates intruder's task of gathering info

                                       complicates an intruder's task of gathering information
(or data) [+ fix line length]


> +about running processes, whether some daemon runs with elevated privileges,
> +whether other user runs some sensitive program, whether other users run any
> +program at all, etc.
> +
> +gid= defines a group authorized to learn processes information otherwise
> +prohibited by hidepid=.  If you use some daemon like identd which have to learn

                                                               which has to learn
or                                                             which must learn
or                                                             which needs to learn

> +information about processes information, just add identd to this group.
> --


-- 
~Randy
*** Remember to use Documentation/SubmitChecklist when testing your code ***

next prev parent reply	other threads:[~2011-11-15 21:11 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-11-15 11:22 [kernel-hardening] [RFC 3/3] procfs: add documentation for procfs mount options Vasiliy Kulikov
2011-11-15 11:22 ` Vasiliy Kulikov
2011-11-15 21:11 ` Randy Dunlap [this message]
2011-11-15 21:11   ` Randy Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4EC2D568.4040001@xenotime.net \
    --to=rdunlap@xenotime.net \
    --cc=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=greg@kroah.com \
    --cc=hpa@zytor.com \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=segoon@openwall.com \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@MIT.EDU \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.