From: Solar Designer <solar@openwall.com>
To: kernel-hardening@lists.openwall.com
Subject: Re: [kernel-hardening] procfs mount options
Date: Sat, 4 Jun 2011 17:20:54 +0400 [thread overview]
Message-ID: <20110604132054.GC2583@openwall.com> (raw)
In-Reply-To: <20110604054758.GA4063@albatros>
Vasiliy,
On Sat, Jun 04, 2011 at 09:47:58AM +0400, Vasiliy Kulikov wrote:
> I think it should be done with separate mount options for /proc/self/net
> (/proc/net is a symlink to /proc/self/net since net namespaces
> introduction) and for /proc/PID.
OK. What do we call these? pmask (for "p"rocesses) and nmask (for
"n"etwork)? Doesn't this deviation from umask reduce the chances of the
patch getting accepted?.. And is there really much reason to let a user
see others' processes, but not network connections, or vice versa?
(Maybe there is.)
> All other files should be e.g.
> chmod'ed go= and then some white list should be chmod'ed to the relaxed
> perms.
Where would this logic be implemented - hard-coded in the kernel
(enabled with some mount option?) or done by a script in the userspace
post-mount?
> > Indeed, we could set some of these perms with chmod post-mount, but as
> > discussed this has drawbacks.
>
> Where its drawbacks were discussed?
IIRC, you, I, and some others discussed them via Jabber.
> I cannot find anything on
> owl-dev. Do you mean some possible diffirences between procfs files
> among different kernel versions? If so, white list instead of black
> list should partly solve it.
No, I meant race conditions, which you had to deal with by mounting
under a parent directory with restricted perms, then mount --move'ing.
Part of the intent of us patching the kernel is to avoid having to do
things like that. Also, an admin might just "mount /proc", not knowing
that special userspace magic was implemented by the distro.
A possible approach is to implement mount options gid=... and restricted
(name suggested by spender), where the latter would enable a hard-coded
set of permissions. This is not generic, but at least it's simple, not
confusing, and it allows for future changes (we may change what exactly
restricted means).
> > So ideally our preferred configuration
> > (which will be the default on Owl) should be achievable with mount
> > options alone.
>
> At least for sysfs it is unreachable if we go in the current direction -
> umask doesn't change perms of already created files, and additional
> "chmod -R" is needed anyway.
Hmm. I guess I still don't understand your umask vs. mode stuff.
Ideally, I'd have umask apply to each instance of sysfs (and other
special filesystems) individually, affecting all files under that
instance (both those already existing in the kernel at the time of mount
and those appearing after mount). But perhaps that's not how the kernel
keeps track of permissions for those filesystems currently? (Sorry, I
haven't played with this since Linux 2.4, which didn't even have sysfs.)
Thanks,
Alexander
next prev parent reply other threads:[~2011-06-04 13:20 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20110603191153.GB514@openwall.com>
2011-06-04 5:47 ` [kernel-hardening] Re: procfs mount options Vasiliy Kulikov
2011-06-04 13:20 ` Solar Designer [this message]
2011-06-04 20:09 ` [kernel-hardening] " Vasiliy Kulikov
2011-06-04 20:59 ` Solar Designer
2011-06-05 18:24 ` [kernel-hardening] [RFC v1] " Vasiliy Kulikov
2011-06-05 19:26 ` Solar Designer
2011-06-05 19:47 ` Vasiliy Kulikov
2011-06-05 20:10 ` Solar Designer
2011-06-06 18:08 ` Vasiliy Kulikov
2011-06-06 18:33 ` Solar Designer
2011-06-08 17:23 ` [kernel-hardening] [RFC v2] " Vasiliy Kulikov
2011-06-08 17:43 ` Vasiliy Kulikov
2011-06-12 2:39 ` Solar Designer
2011-07-24 18:55 ` Vasiliy Kulikov
[not found] ` <20110724185036.GC3510@albatros>
2011-07-26 14:50 ` Vasiliy Kulikov
2011-07-29 17:47 ` [kernel-hardening] procfs {tid,tgid,attr}_allowed " Vasiliy Kulikov
2011-08-04 11:23 ` [kernel-hardening] " Vasiliy Kulikov
2011-08-10 10:02 ` Vasiliy Kulikov
2011-08-10 11:22 ` [kernel-hardening] " Solar Designer
2011-08-10 11:25 ` Solar Designer
2011-08-10 12:04 ` Vasiliy Kulikov
2011-08-10 13:34 ` Solar Designer
2011-08-12 18:14 ` Simon Marechal
2011-06-06 19:20 ` [kernel-hardening] [RFC v1] procfs " Vasiliy Kulikov
2011-06-05 19:17 ` [kernel-hardening] " Vasiliy Kulikov
2011-06-05 19:40 ` Solar Designer
2011-06-05 19:53 ` Vasiliy Kulikov
2011-06-05 18:36 ` [kernel-hardening] Re: [owl-dev] " Vasiliy Kulikov
2011-06-05 18:47 ` [kernel-hardening] " Solar Designer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110604132054.GC2583@openwall.com \
--to=solar@openwall.com \
--cc=kernel-hardening@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox