public inbox for kernel-hardening@lists.openwall.com
From: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
To: segoon@openwall.com
Cc: linux-kernel@vger.kernel.org,
	kernel-hardening@lists.openwall.com, akpm@linux-foundation.org,
	gregkh@suse.de, davem@davemloft.net, arnd@arndb.de,
	viro@zeniv.linux.org.uk, rientjes@google.com, wilsons@start.ca,
	daniel.lezcano@free.fr, ebiederm@xmission.com, serge@hallyn.com
Subject: [kernel-hardening] Re: [RFC 2/5 v4] procfs: add hidepid= and gid= mount options
Date: Thu, 16 Jun 2011 11:24:19 +0900
Message-ID: <4DF96953.8090002@jp.fujitsu.com>
In-Reply-To: <1308163906-6054-1-git-send-email-segoon@openwall.com>

(2011/06/16 3:51), Vasiliy Kulikov wrote:
> This patch adds support of mount options to restrict access to
> /proc/PID/ directories.  The default backward-compatible 'relaxed'
> behaviour is left untouched.
> 
> The first mount option is called "hidepid" and its value defines how much
> info about processes we want to be available for non-owners:
> 
> hidepid=0 (default) means the current behaviour - anybody may read all
> world-readable /proc/PID/* files.
> 
> hidepid=1 means users may not access any /proc/<pid>/ directories, but their
> own.  Sensitive files like cmdline, io, sched*, status, wchan are now
> protected against other users.  As permission checking done in
> proc_pid_permission() and files' permissions are left untouched,
> programs expecting specific files' permissions are not confused.
> 
> hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to
> other users.  It doesn't mean that it hides a fact whether a process
> exists (it can be learned by other means, e.g. by sending signals), but
> it hides process' euid and egid.  It greatly complicates intruder's task of
> gathering info about running processes, whether some daemon runs with
> elevated privileges, whether another user runs some sensitive program,
> whether other users run any program at all, etc.
> 
> gid=XXX defines a group that will be able to gather all processes' info.

Hmm...

Maybe I missed patch [0/5] or I haven't got it. Anyway I haven't seen it.
Can you please describe your use case? Why do we need two new hidepid modes?
Moreover, if we use hidepid=[12], it may break some procps tools. What do
you think about compatibility issue? And, why don't you use just pid namespace?

I'm sorry if you already answered.
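To make the three hidepid modes from the quoted patch description easier to compare, here is an added illustration in Python. It is not kernel code and not part of this thread: it models the policy as the description states it (hidepid=0 open, hidepid=1 only the owner may access /proc/<pid>/, hidepid=2 additionally hides the directory from listings, gid= names a group that may see everything). "Owner" is taken to mean requester uid equals the process euid; root or capability bypasses are not covered by the quoted text and are deliberately not modelled. The `Proc`, `Requester`, `parse_proc_opts`, `can_access`, `is_listed` and `audit` names, and the sample process table, are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """A running process as seen through /proc/<pid> (constructed sample)."""
    pid: int
    euid: int
    egid: int


@dataclass(frozen=True)
class Requester:
    """The caller doing the lookup: its uid and all gids it belongs to."""
    uid: int
    groups: frozenset


VALID_KEYS = ("hidepid", "gid")


def parse_proc_opts(opts: str) -> dict:
    """Parse a proc mount option string such as 'hidepid=2,gid=50'.

    Defaults match the description: hidepid=0 (relaxed) and no gid= group.
    Unknown keys, non-numeric values and hidepid values outside 0..2 are
    rejected so that a typo does not silently fall back to the relaxed mode.
    """
    result = {"hidepid": 0, "gid": None}
    for item in filter(None, opts.split(",")):
        key, sep, value = item.partition("=")
        if key not in VALID_KEYS or not sep or not value.isdigit():
            raise ValueError(f"bad proc mount option: {item!r}")
        num = int(value)
        if key == "hidepid" and num not in (0, 1, 2):
            raise ValueError(f"hidepid must be 0, 1 or 2, got {num}")
        result[key] = num
    return result


def can_access(proc: Proc, req: Requester, opts: dict) -> bool:
    """Model of the proc_pid_permission()-style check on /proc/<pid>/*.

    hidepid=0: everyone passes (file modes alone decide, as before).
    hidepid=1/2: only the owner (euid match, an assumption) or a member of
    the gid= group may open files under /proc/<pid>/.
    """
    if opts["hidepid"] == 0:
        return True
    if proc.euid == req.uid:
        return True
    return opts["gid"] is not None and opts["gid"] in req.groups


def is_listed(proc: Proc, req: Requester, opts: dict) -> bool:
    """Does /proc/<pid> show up at all in a directory listing of /proc?

    hidepid=2 is the only mode that hides the entry; in modes 0 and 1 the
    directory is visible even when its contents cannot be read.
    """
    if opts["hidepid"] < 2:
        return True
    return can_access(proc, req, opts)


def audit(procs, req: Requester, opts_str: str) -> dict:
    """Return {pid: (listed, accessible)} for one requester under one option string."""
    opts = parse_proc_opts(opts_str)
    return {p.pid: (is_listed(p, req, opts), can_access(p, req, opts)) for p in procs}


# Constructed sample: init as root, one process per unprivileged user.
SAMPLE_PROCS = (Proc(1, 0, 0), Proc(1000, 1000, 1000), Proc(2000, 1001, 1001))
ALICE = Requester(1000, frozenset({1000}))            # ordinary user
AUDITOR = Requester(1002, frozenset({1002, 50}))      # member of gid 50

if __name__ == "__main__":
    for o in ("", "hidepid=1", "hidepid=2", "hidepid=2,gid=50"):
        print(f"{o or '(default)':18} alice={audit(SAMPLE_PROCS, ALICE, o)}"
              f" auditor={audit(SAMPLE_PROCS, AUDITOR, o)}")
```

Running the script prints one line per option string; the interesting rows are hidepid=1, where alice still sees pid 1 listed but cannot read under it, and hidepid=2, where pid 1 and pid 2000 disappear from her listing entirely while the gid=50 auditor keeps full visibility. That visible-but-unreadable state in mode 1 is exactly what the compatibility question in the reply is about: tools that stat every /proc/<pid> entry will find it, but their reads will fail.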

Thread overview: 13+ messages
2011-06-15 18:51 [kernel-hardening] [RFC 2/5 v4] procfs: add hidepid= and gid= mount options Vasiliy Kulikov
2011-06-16  2:24 ` KOSAKI Motohiro [this message]
2011-06-16  8:47   ` [kernel-hardening] " Vasiliy Kulikov
     [not found] <alpine.LRH.2.00.1106192154220.7503@taiga.selinuxproject.org>
2011-06-20  5:07 ` James Morris
2011-06-20 10:39   ` Vasiliy Kulikov
2011-06-20 10:43     ` James Morris
2011-06-20 11:23       ` KOSAKI Motohiro
2011-06-20 17:06       ` Vasiliy Kulikov
2011-06-20 19:41         ` Eric W. Biederman
2011-06-20 23:19         ` James Morris
2011-06-21 18:28       ` Vasiliy Kulikov
2011-06-20 13:58     ` Alexey Dobriyan
2011-06-20 13:31   ` Solar Designer
