From: Vasiliy Kulikov <segoon@openwall.com>
To: kernel-hardening@lists.openwall.com
Subject: Re: [kernel-hardening] [RFC 2/5 v4] procfs: add hidepid= and gid= mount options
Date: Mon, 20 Jun 2011 19:00:52 +0400 [thread overview]
Message-ID: <20110620150052.GA12077@albatros> (raw)
In-Reply-To: <20110620144739.GA31510@openwall.com>
Solar,
On Mon, Jun 20, 2011 at 18:47 +0400, Solar Designer wrote:
> On Mon, Jun 20, 2011 at 06:35:50PM +0400, Vasiliy Kulikov wrote:
> > I didn't post a patch with taskstats and sysctl variables to LKML yet
> > (only the changes in ptrace/capabilities code).
>
> I don't understand the rationale behind the latter. I can try to guess,
> but I'd prefer to see a simple explanation from you. (Maybe I missed
> one.) It sounds like you're going to spend considerable time on those
> changes, but it is not clear to me whether they're needed or not.
>
> So please explain (maybe in a more proper thread than this one).
>
> Unfortunately, I won't have time to participate in a discussion on this
> today (nor in the following few days), but I'd like to be informed
> anyway and maybe others will comment.
The thing is that taskstats' way of gathering process' information
includes registering a "hook" via netlink socket. When any process
exits, taskstats code enumerates registered hookers and sends all
information about exited process via the sockets. It is handled in the
context of exiting task. So, to know whether the hooker may gather
process' information or no (whether exiting task should send info via
the socket), I need a function answering whether *another task* may
ptrace *current task* (ptrace_may_access does the reverse) as the last
check in procinfo_task_may_stat_current() (reversed proc_may_access() in
the past).
The changes are relatively simple (the patch look huge, though) as the
patch touches many functions (including LSM and user namespaces) adding
new explicit "task" argument instead of implicit "current" without
important functional changes.
Without ptrace changes HARDEN_PROC is unlikely to be consistently
working because of taskstats.
Also you might want to read my another mail where I've clarified why
I've rejected (temporarily, I hope) hidepid=2:
http://www.openwall.com/lists/kernel-hardening/2011/06/18/2
Thanks,
--
Vasiliy
next prev parent reply other threads:[~2011-06-20 15:00 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.LRH.2.00.1106192154220.7503@taiga.selinuxproject.org>
2011-06-20 5:07 ` [kernel-hardening] Re: [RFC 2/5 v4] procfs: add hidepid= and gid= mount options James Morris
2011-06-20 10:39 ` Vasiliy Kulikov
2011-06-20 10:43 ` James Morris
2011-06-20 11:23 ` KOSAKI Motohiro
2011-06-20 17:06 ` Vasiliy Kulikov
2011-06-20 19:41 ` Eric W. Biederman
2011-06-20 23:19 ` James Morris
2011-06-21 18:28 ` Vasiliy Kulikov
2011-06-20 13:58 ` Alexey Dobriyan
2011-06-20 14:11 ` [kernel-hardening] " Solar Designer
2011-06-20 14:19 ` Vasiliy Kulikov
2011-06-20 14:25 ` Solar Designer
2011-06-20 14:35 ` Vasiliy Kulikov
2011-06-20 14:47 ` Solar Designer
2011-06-20 15:00 ` Vasiliy Kulikov [this message]
2011-06-20 13:31 ` [kernel-hardening] " Solar Designer
2011-06-15 18:51 [kernel-hardening] " Vasiliy Kulikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110620150052.GA12077@albatros \
--to=segoon@openwall.com \
--cc=kernel-hardening@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox