From: Alexey Gladkov <legion@kernel.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
containers@lists.linux.dev, linux-fsdevel@vger.kernel.org,
Alexey Dobriyan <adobriyan@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>,
Val Cowan <vcowan@redhat.com>
Subject: Re: [RFC PATCH v1 0/6] proc: Add allowlist for procfs files
Date: Thu, 26 Jan 2023 13:30:53 +0100 [thread overview]
Message-ID: <Y9JyfQwAB/M5QmuH@example.org> (raw)
In-Reply-To: <20230125153628.43c12cbe05423fef7d44f0dd@linux-foundation.org>
On Wed, Jan 25, 2023 at 03:36:28PM -0800, Andrew Morton wrote:
> On Wed, 25 Jan 2023 16:28:47 +0100 Alexey Gladkov <legion@kernel.org> wrote:
>
> > The patch expands subset= option. If the proc is mounted with the
> > subset=allowlist option, the /proc/allowlist file will appear. This file
> > contains the filenames and directories that are allowed for this
> > mountpoint. By default, /proc/allowlist contains only its own name.
> > Changing the allowlist is possible as long as it is present in the
> > allowlist itself.
> >
> > This allowlist is applied in lookup/readdir so files that will create
> > modules after mounting will not be visible.
> >
> > Compared to the previous patches [1][2], I switched to a special virtual
> > file from listing filenames in the mount options.
> >
>
> Changlog doesn't explain why you think Linux needs this feature. The
> [2/6] changelog hints that containers might be involved. IOW, please
> fully describe the requirement and use-case(s).
Ok. I will.
Basically, as Christian described, the motivation is to give
containerization programs (docker, podman, etc.) a way to control the
content in procfs.
Now container tools use a list of dangerous files that they hide with
overmount. But procfs is not a static filesystem and using a bad list to
hide dangerous files can't be the solution.
I believe that a container should define a list of files that it considers
useful within the container, and not try to hide what it considers
unwanted.
> Also, please describe why /proc/allowlist is made available via a mount
> option, rather than being permanently present.
Like subset=pid, this file is needed to change the visibility of files in
the procfs mountpoint.
> And why add to subset=, instead of a separate mount option.
>
> Does /proc/allowlist work in subdirectories? Like, permit presence of
> /proc/sys/vm/compact_memory?
Yes. But /proc/allowlist is limited in size to 128K.
> I think the whole thing is misnamed, really. "allowlist" implies
> access permissions. Some of the test here uses "visibility" and other
> places use "presence", which are better. "presentlist" and
> /proc/presentlist might be better. But why not simply /proc/contents?
I don't hold on to the name allowlist at all :) present list is perfect
for me. The /proc/contents is confusing to me.
> Please run these patches through checkpatch and consider the result.
Ok. I will.
--
Rgrds, legion
prev parent reply other threads:[~2023-01-26 12:30 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-25 15:28 [RFC PATCH v1 0/6] proc: Add allowlist for procfs files Alexey Gladkov
2023-01-25 15:28 ` [RFC PATCH v1 1/6] proc: Fix separator for subset option Alexey Gladkov
2023-01-25 15:28 ` [RFC PATCH v1 2/6] proc: Add allowlist to control access to procfs files Alexey Gladkov
2023-01-25 23:36 ` Andrew Morton
2023-01-26 11:13 ` Alexey Gladkov
2023-01-25 23:36 ` Andrew Morton
2023-01-25 15:28 ` [RFC PATCH v1 3/6] proc: Check that subset= option has been set Alexey Gladkov
2023-01-25 15:28 ` [RFC PATCH v1 4/6] proc: Allow to use the allowlist filter in userns Alexey Gladkov
2023-01-25 15:28 ` [RFC PATCH v1 5/6] proc: Validate incoming allowlist Alexey Gladkov
2023-01-28 16:32 ` kernel test robot
2023-01-25 15:28 ` [RFC PATCH v1 6/6] doc: proc: Add description of subset=allowlist Alexey Gladkov
2023-01-25 23:36 ` [RFC PATCH v1 0/6] proc: Add allowlist for procfs files Andrew Morton
2023-01-26 10:16 ` Christian Brauner
2023-01-26 13:39 ` Alexey Gladkov
2023-01-31 13:53 ` Alexey Gladkov
2023-01-26 12:30 ` Alexey Gladkov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y9JyfQwAB/M5QmuH@example.org \
--to=legion@kernel.org \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=containers@lists.linux.dev \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=vcowan@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.