From: ebiederm@xmission.com (Eric W. Biederman)
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Kees Cook <keescook@chromium.org>,
linux-kernel@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Randy Dunlap <rdunlap@xenotime.net>,
Borislav Petkov <bp@alien8.de>,
Vasiliy Kulikov <segoon@openwall.com>,
Dan Ballard <dan@mindstab.net>, Jiri Kosina <jkosina@suse.cz>,
Al Viro <viro@zeniv.linux.org.uk>,
Stephen Wilson <wilsons@start.ca>,
David Rientjes <rientjes@google.com>, Ingo Molnar <mingo@elte.hu>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Eric Paris <eparis@redhat.com>,
"Serge E. Hallyn" <serge.hallyn@canonical.com>,
linux-doc@vger.kernel.org, Colin Walters <walters@verbum.org>
Subject: Re: [PATCH v3] sysctl: control functionality of /proc/pid/mem
Date: Wed, 25 Jan 2012 20:22:46 -0800 [thread overview]
Message-ID: <m17h0fdre1.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20120125153028.17d69f6e.akpm@linux-foundation.org> (Andrew Morton's message of "Wed, 25 Jan 2012 15:30:28 -0800")
Andrew Morton <akpm@linux-foundation.org> writes:
> On Mon, 23 Jan 2012 13:21:15 -0800
> Kees Cook <keescook@chromium.org> wrote:
>
>>
>> Add the "proc_pid_mem" sysctl to control whether or not /proc/pid/mem is
>> allowed to work: 0: disabled, 1: read only, 2: read/write (default).
>>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> ---
>> v3:
>> - document the default, thanks to Randy Dunlap.
>> - remove needless CONFIG_PROC_FS checks, thanks to Eric W. Biederman.
>
> I was wondering about that. Is CONFIG_PROC_FS=n, CONFIG_SYSCTL=y an
> impossible combination? If so, why?
Fundamentally because the only way sysctls get to usespace is threw
/proc/sys/. The binary sysctl emulation layer reads /proc/sys through
the internal kernel mount.
As I recall the symbol define tree:
CONFIG_PROC_SYSCTL select CONFIG_SYSCTL
CONFIG_PROC_SYSCTL depends on CONFIG_PROC_FS.
And the only way CONFIG_SYSCTL gets set is if it is select.
If anyone cares enough we can probably cleanup the Kconfig bits to have
fewer symbols.
At a practical level I think the real reason I objected is that it is
ugly to just dump things into kernel/sysctl.c with #defines everywhere.
Eric
>> --- a/Documentation/sysctl/kernel.txt
>> +++ b/Documentation/sysctl/kernel.txt
>> @@ -56,6 +56,7 @@ show up in /proc/sys/kernel:
>> - printk_delay
>> - printk_ratelimit
>> - printk_ratelimit_burst
>> +- proc_pid_mem
>> - randomize_va_space
>> - real-root-dev ==> Documentation/initrd.txt
>> - reboot-cmd [ SPARC only ]
>> @@ -477,6 +478,20 @@ send before ratelimiting kicks in.
>>
>> ==============================================================
>>
>> +proc_pid_mem:
>> +
>> +This option can be used to select the level of access given to potential
>> +ptracers when using the per-process "mem" file in /proc/pid/mem.
>> +
>> +0 - Disable entirely.
>> +
>> +1 - Allow potential ptracers read access to process memory, but not writes.
>> +
>> +2 - Allow potential ptracers read and write access to process memory. This
>> + is the default.
>> +
>> +==============================================================
>
> I agree with Colin on this (he stole my line!).
>
>
>
> Overall, the patch looks really hacky and random. I felt the same way
> as Vasily: it's easy to see how a significant number of similar (and
> hacky and random) patches could be added, resulting in a regrettable
> mess.
>
> Is there some better designed, more organized way of approaching all of
> this? Random ideas:
>
> - A parallel /procfs-perms filesystem. You write a number into
> /procfs-perms/stat to affect access to /proc/stat (although why the
> heck not just run `chmod /proc/stat'?) It's unclear how to handle
> /proc/pid/. Perhaps literally have a /procfs-perms/pid/ directory.
>
> - Make tasks inherit their /proc/pid/* permissions across fork, do a
> chmod /proc/1/whatever in initscripts.
>
> - Other and better things ;) This particular approach makes my toes
> curl.
next prev parent reply other threads:[~2012-01-26 4:20 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-23 21:21 [PATCH v3] sysctl: control functionality of /proc/pid/mem Kees Cook
2012-01-24 11:03 ` [kernel-hardening] " Vasiliy Kulikov
2012-01-24 11:03 ` Vasiliy Kulikov
2012-01-24 11:12 ` [kernel-hardening] " Alexey Dobriyan
2012-01-24 11:12 ` Alexey Dobriyan
2012-01-24 11:51 ` [kernel-hardening] " Vasiliy Kulikov
2012-01-24 11:51 ` Vasiliy Kulikov
2012-01-31 19:22 ` [kernel-hardening] " Kees Cook
2012-01-31 19:22 ` Kees Cook
2012-01-24 17:34 ` Colin Walters
2012-01-25 23:30 ` Andrew Morton
2012-01-26 4:22 ` Eric W. Biederman [this message]
2012-01-31 19:26 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m17h0fdre1.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=bp@alien8.de \
--cc=dan@mindstab.net \
--cc=eparis@redhat.com \
--cc=jkosina@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=rdunlap@xenotime.net \
--cc=rientjes@google.com \
--cc=segoon@openwall.com \
--cc=serge.hallyn@canonical.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=walters@verbum.org \
--cc=wilsons@start.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.