From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ingo Molnar
Subject: Re: [PATCH v2 0/9] procfs: protect /proc//* files with file->f_cred
Date: Thu, 3 Oct 2013 08:22:56 +0200
Message-ID: <20131003062256.GD25345@gmail.com>
References: <1380659178-28605-1-git-send-email-tixxdz@opendz.org> <524B7999.60806@amacapital.net> <20131002143759.GA2966@dztty> <20131002181257.GA2485@dztty>
Reply-To: kernel-hardening@lists.openwall.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Andy Lutomirski, "Eric W. Biederman", Kees Cook, Al Viro, Andrew Morton, Linus Torvalds, "Serge E. Hallyn", Cyrill Gorcunov, David Rientjes, LKML, Linux FS Devel, kernel-hardening@lists.openwall.com, Djalal Harouni
To: Djalal Harouni
Sender: Ingo Molnar
Content-Disposition: inline
In-Reply-To: <20131002181257.GA2485@dztty>
List-Id: linux-fsdevel.vger.kernel.org

* Djalal Harouni wrote:

> * You can't do it for /proc/*/stat otherwise you will break userspace
>   "ps"..., ps must access /proc/1/stat etc... so the proposed solution
>   will work without any side effect.

The thing is, returning -EINVAL is not the only way to reject access to
privileged information!

In the /proc/1/stat case a compatibility quirk can solve the problem:
create a special 'dummy' process inode for invalid accesses and give it to
ps, with all fields present but zero.

> And for /proc/*/maps you will perhaps break glibc under certain
> situations... so just hold it for the moment and test it
> later. There have been reports in the past about it.

Same deal: just create a dummy compat-quirk maps inode with constant, zero
information contents to placate old user-space:

  00000000-00000000 ---p 00000000 00:00 0

[ Or whatever line is needed to minimally not break old userspace. ]

But don't leak privileged information!

( Maybe add a CONFIG_PROC_FS_COMPAT_QUIRKS Kconfig option, default-y for
  now, that new/sane userspace can turn off. )

Thanks,

	Ingo
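
The compat-quirk idea in the message above, as an added example that is not part of the original message or of the kernel: a userspace C model in which a denied reader gets the constant placeholder maps line instead of an error, and a legacy-style parser still succeeds while seeing only zeros. The function names, the sscanf format and the sample "real" line are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder line quoted in the message above. */
#define DUMMY_MAPS_LINE "00000000-00000000 ---p 00000000 00:00 0\n"
/* Constructed sample of a real maps line (all values are made up). */
#define SAMPLE_REAL_LINE "08048000-08056000 r-xp 00000000 08:01 1234 /bin/example\n"

struct maps_entry {
    unsigned long start, end, offset, inode;
    unsigned int dev_major, dev_minor;
    char perms[5];
};

/* Hypothetical model of the read path: the access decision is an input
 * (in the patch series it would come from the opener's credentials), and
 * a denied reader receives constant content rather than -EINVAL. */
const char *maps_line_for_reader(int opener_may_access)
{
    return opener_may_access ? SAMPLE_REAL_LINE : DUMMY_MAPS_LINE;
}

/* Parse one line the way a simple legacy reader might; 0 on success. */
int parse_maps_line(const char *line, struct maps_entry *e)
{
    int n = sscanf(line, "%lx-%lx %4s %lx %x:%x %lu",
                   &e->start, &e->end, e->perms, &e->offset,
                   &e->dev_major, &e->dev_minor, &e->inode);
    return n == 7 ? 0 : -1;
}

/* Returns 1 when the parsed entry discloses no address-space layout. */
int entry_is_blank(const struct maps_entry *e)
{
    return e->start == 0 && e->end == 0 && e->offset == 0 &&
           e->inode == 0 && e->dev_major == 0 && e->dev_minor == 0 &&
           strcmp(e->perms, "---p") == 0;
}

int main(void)
{
    struct maps_entry e;
    /* Denied reader: the parse must succeed and every field must be zero. */
    if (parse_maps_line(maps_line_for_reader(0), &e) != 0)
        return 1;
    printf("denied reader: parsed ok, blank=%d\n", entry_is_blank(&e));
    return 0;
}
```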