From: Topi Miettinen <toiwoton@gmail.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Luis Chamberlain <mcgrof@kernel.org>,
Kees Cook <keescook@chromium.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"open list:FILESYSTEMS (VFS and infrastructure)"
<linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH] Allow restricting permissions in /proc/sys
Date: Sun, 3 Nov 2019 21:38:50 +0200 [thread overview]
Message-ID: <f272bdd3-526d-6737-c906-143d5e5fc478@gmail.com> (raw)
In-Reply-To: <87d0e8g5f4.fsf@x220.int.ebiederm.org>
On 3.11.2019 20.50, Eric W. Biederman wrote:
> Topi Miettinen <toiwoton@gmail.com> writes:
>
>> Several items in /proc/sys need not be accessible to unprivileged
>> tasks. Let the system administrator change the permissions, but only
>> to more restrictive modes than what the sysctl tables allow.
>
> This looks quite buggy. You neither update table->mode nor
> do you ever read from table->mode to initialize the inode.
> I am missing something in my quick reading of your patch?
inode->i_mode gets initialized in proc_sys_make_inode().
I didn't want to touch the table, so that the original permissions can
be used to restrict the changes made. In case the restrictions are
removed as suggested by Theodore Ts'o, table->mode could be changed.
Otherwise I'd rather add a new field to store the current mode and the
mode field can remain for reference. As the original author of the code
from 2007, would you let the administrator to chmod/chown the items in
/proc/sys without restrictions (e.g. 0400 -> 0777)?
> The not updating table->mode almost certainly means that as soon as the
> cached inode is invalidated the mode changes will disappear. Not to
> mention they will fail to propogate between different instances of
> proc.
>
> Loosing all of your changes at cache invalidation seems to make this a
> useless feature.
At least different proc instances seem to work just fine here (they show
the same changes), but I suppose you are right about cache invalidation.
-Topi
next prev parent reply other threads:[~2019-11-03 19:38 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-03 14:55 [PATCH] Allow restricting permissions in /proc/sys Topi Miettinen
2019-11-03 17:56 ` Theodore Y. Ts'o
2019-11-03 19:24 ` Topi Miettinen
2019-11-12 23:15 ` Kees Cook
2019-11-03 18:50 ` Eric W. Biederman
2019-11-03 19:38 ` Topi Miettinen [this message]
2019-11-04 15:44 ` Eric W. Biederman
2019-11-04 17:58 ` Topi Miettinen
2019-11-04 23:41 ` Eric W. Biederman
2019-11-05 7:35 ` Topi Miettinen
2019-11-12 23:19 ` Kees Cook
2019-11-13 1:04 ` Luis Chamberlain
2019-11-12 23:22 ` Christian Brauner
2019-11-13 4:50 ` Andy Lutomirski
2019-11-13 10:52 ` Topi Miettinen
2019-11-13 16:00 ` Jann Horn
2019-11-13 16:19 ` Topi Miettinen
2019-11-13 16:40 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f272bdd3-526d-6737-c906-143d5e5fc478@gmail.com \
--to=toiwoton@gmail.com \
--cc=adobriyan@gmail.com \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mcgrof@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).