Re: [PATCH] Allow restricting permissions in /proc/sys

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Topi Miettinen <toiwoton@gmail.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Luis Chamberlain <mcgrof@kernel.org>,
	Kees Cook <keescook@chromium.org>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"open list:FILESYSTEMS (VFS and infrastructure)" 
	<linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH] Allow restricting permissions in /proc/sys
Date: Tue, 5 Nov 2019 09:35:46 +0200	[thread overview]
Message-ID: <1b0f94ef-ab1c-cb79-dd52-954cf0438af1@gmail.com> (raw)
In-Reply-To: <87tv7jciq3.fsf@x220.int.ebiederm.org>

On 5.11.2019 1.41, Eric W. Biederman wrote:
> Topi Miettinen <toiwoton@gmail.com> writes:
> 
>> On 4.11.2019 17.44, Eric W. Biederman wrote:
>>> Do you have specific examples of the cases where you would like to
>>> change the permissions?
>>
>> Unprivileged applications typically do not need to access most items
>> in /proc/sys, so I'd like to gradually find out which are needed. So
>> far I've seen no problems with 0500 mode for directories abi, crypto,
>> debug, dev, fs, user or vm.
> 
> But if there is no problem in letting everyone access the information
> why reduce the permissions?

Because information could be useful to an attacker. If there is no 
problem in not letting everyone access the information why not allow 
reducing the permissions? There certainly is no need to know.

>> I'm also using systemd's InaccessiblePaths to limit access (which
>> mounts an inaccessible directory over the path), but that's a bit too
>> big hammer. For example there are over 100 files in /proc/sys/kernel,
>> perhaps there will be issues when creating a mount for each, and that
>> multiplied by a number of services.
> 
> My sense is that if there is any kind of compelling reason to make
> world-readable values not world-readable, and it doesn't break anything
> (except malicious applications) than a kernel patch is probably the way
> to go.

With kernel patch, do you propose to change individual sysctls to not 
world-readable? That surely would help everybody instead of just those 
who care enough to change /proc/sys permissions. I guess it would also 
be more effort by an order of magnitude or two to convince each owner of 
a sysctl to accept the change.

> Policy knobs like this on proc tend to break in normal maintenance
> because they are not used enough so I am not a big fan of adding policy
> knobs just because we can.

But the rest of the /proc (except PID tree) allows changing permissions 
(and also UID and GID), just /proc/sys doesn't. This doesn't seem very 
logical to me.

These code paths have not changed much or at all since the initial 
version in 2007, so I suppose the maintenance burden has not been 
overwhelming.

By the way, /proc/sys still allows changing the {a,c,m}time. I think 
those are not backed anywhere, so they probably suffer from same caching 
problems as my first version of the patch.

-Topi

next prev parent reply	other threads:[~2019-11-05  7:35 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-03 14:55 [PATCH] Allow restricting permissions in /proc/sys Topi Miettinen
2019-11-03 17:56 ` Theodore Y. Ts'o
2019-11-03 19:24   ` Topi Miettinen
2019-11-12 23:15   ` Kees Cook
2019-11-03 18:50 ` Eric W. Biederman
2019-11-03 19:38   ` Topi Miettinen
2019-11-04 15:44     ` Eric W. Biederman
2019-11-04 17:58       ` Topi Miettinen
2019-11-04 23:41         ` Eric W. Biederman
2019-11-05  7:35           ` Topi Miettinen [this message]
2019-11-12 23:19             ` Kees Cook
2019-11-13  1:04               ` Luis Chamberlain
2019-11-12 23:22 ` Christian Brauner
2019-11-13  4:50   ` Andy Lutomirski
2019-11-13 10:52     ` Topi Miettinen
2019-11-13 16:00   ` Jann Horn
2019-11-13 16:19     ` Topi Miettinen
2019-11-13 16:40       ` Jann Horn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1b0f94ef-ab1c-cb79-dd52-954cf0438af1@gmail.com \
    --to=toiwoton@gmail.com \
    --cc=adobriyan@gmail.com \
    --cc=ebiederm@xmission.com \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mcgrof@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).