From: Giuseppe Scrivano <gscrivan@redhat.com>
To: "Colin Walters" <walters@verbum.org>
Cc: linux-kernel@vger.kernel.org, "Kees Cook" <keescook@chromium.org>,
bristot@redhat.com, "Eric W. Biederman" <ebiederm@xmission.com>,
brauner@kernel.org, "Aleksa Sarai" <cyphar@cyphar.com>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Alexander Larsson" <alexl@redhat.com>,
peterz@infradead.org, bmasney@redhat.com
Subject: Re: [PATCH v3 1/2] exec: add PR_HIDE_SELF_EXE prctl
Date: Mon, 23 Jan 2023 20:21:28 +0100
Message-ID: <874jshdpl3.fsf@redhat.com>
In-Reply-To: <db72efdd-5cb2-4578-a322-bf894fcf6066@app.fastmail.com> (Colin Walters's message of "Mon, 23 Jan 2023 13:41:04 -0500")
"Colin Walters" <walters@verbum.org> writes:
> On Fri, Jan 20, 2023, at 5:25 AM, Giuseppe Scrivano wrote:
>> This patch adds a new prctl called PR_HIDE_SELF_EXE which allows
>> processes to hide their own /proc/*/exe file. When this prctl is
>> used, every access to /proc/*/exe for the calling process will
>> fail with ENOENT.
>
> How about a mount option for procfs like `mount -t procfs procfs /proc -o rw,nosuid,nodev,magiclink-no-xdev`
>
> Where `magiclink-no-xdev` would cause all magic links to fail to cross a pid namespace or so?
Wouldn't that also break stuff like "/proc/self/fd/$FD" after you join a
different PID namespace?
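As an added example that is not code from the patch or from anyone in this thread: a small C program exercising the two procfs magic links being discussed, /proc/self/exe and /proc/self/fd/$FD, in the way a container runtime relies on them (re-opening an existing descriptor through its magic link). The temp file is constructed input and the function names are the example's own; the roundtrip is exactly what would stop working if magic links refused to resolve after a PID-namespace change.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Re-open fd with new flags through its /proc/self/fd/<N> magic link;
 * returns -1 (errno set) when the link does not resolve. */
int reopen_via_magic_link(int fd, int flags)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    return open(path, flags);
}

/* 1 if both descriptors refer to the same inode on the same device. */
int same_inode(int a, int b)
{
    struct stat sa, sb;
    if (fstat(a, &sa) < 0 || fstat(b, &sb) < 0)
        return 0;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* 1 if /proc/self/exe resolves to an absolute path, 0 otherwise
 * (the proposed prctl makes readlink fail here with ENOENT). */
int self_exe_resolves(void)
{
    char buf[4096];
    ssize_t n = readlink("/proc/self/exe", buf, sizeof buf - 1);
    return n > 0 && buf[0] == '/';
}

/* Constructed input: an unlinked temp file written through one fd and
 * read back through a second fd obtained from its magic link. */
int magic_link_roundtrip(void)
{
    char tmpl[] = "/tmp/magiclink-XXXXXX", b[6] = {0};
    int wfd = mkstemp(tmpl);
    if (wfd < 0) return 0;
    unlink(tmpl);                       /* keep only the open descriptor */
    int rfd = write(wfd, "magic", 5) == 5 ? reopen_via_magic_link(wfd, O_RDONLY) : -1;
    int ok = rfd >= 0 && same_inode(wfd, rfd)
             && pread(rfd, b, 5, 0) == 5 && strcmp(b, "magic") == 0;
    if (rfd >= 0) close(rfd);
    close(wfd);
    return ok;
}
```

Run it inside a process that has entered another PID namespace (or under a patched kernel with the prctl set) to see which of the two links stops resolving.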