[PATCH v5 5/7] proc: instantiate only pids that we can ptrace on 'limit

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v5 5/7] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option
@ 2018-05-11  9:36 Alexey Gladkov
  2018-05-11 16:09 ` Randy Dunlap
  2018-05-11 16:45 ` Linus Torvalds
  0 siblings, 2 replies; 5+ messages in thread
From: Alexey Gladkov @ 2018-05-11  9:36 UTC (permalink / raw)
  To: linux-security-module

From: Djalal Harouni <tixxdz@gmail.com>

If "limit_pids=1" mount option is set then do not instantiate pids that
we can not ptrace. "limit_pids=1" means that procfs should only contain
pids that the caller can ptrace.

Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
---
 fs/proc/base.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 6f084344..31baeef 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -3187,6 +3187,7 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
 	unsigned tgid;
 	struct proc_fs_info *fs_info = proc_sb(dir->i_sb);
 	struct pid_namespace *ns = fs_info->pid_ns;
+	int limit_pids = proc_fs_limit_pids(fs_info);
 
 	tgid = name_to_int(&dentry->d_name);
 	if (tgid == ~0U)
@@ -3200,7 +3201,15 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
 	if (!task)
 		goto out;
 
+	/* Limit procfs to only ptracable tasks */
+	if (limit_pids == PROC_LIMIT_PIDS_PTRACE) {
+		cond_resched();
+		if (!has_pid_permissions(fs_info, task, HIDEPID_NO_ACCESS))
+			goto out_put_task;
+	}
+
 	result = proc_pid_instantiate(dir, dentry, task, NULL);
+out_put_task:
 	put_task_struct(task);
 out:
 	return ERR_PTR(result);
-- 
2.10.5

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH v5 5/7] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option
  2018-05-11  9:36 [PATCH v5 5/7] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option Alexey Gladkov
@ 2018-05-11 16:09 ` Randy Dunlap
  2018-05-14  8:34   ` Alexey Gladkov
  2018-05-11 16:45 ` Linus Torvalds
  1 sibling, 1 reply; 5+ messages in thread
From: Randy Dunlap @ 2018-05-11 16:09 UTC (permalink / raw)
  To: linux-security-module

On 05/11/2018 02:36 AM, Alexey Gladkov wrote:
> From: Djalal Harouni <tixxdz@gmail.com>
> 
> If "limit_pids=1" mount option is set then do not instantiate pids that
> we can not ptrace. "limit_pids=1" means that procfs should only contain
> pids that the caller can ptrace.

Where can I find documentation on these mount options (pidonly, limit_pids)?

Thanks.

> Cc: Kees Cook <keescook@chromium.org>
> Cc: Andy Lutomirski <luto@kernel.org>
> Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
> ---
>  fs/proc/base.c | 9 +++++++++
>  1 file changed, 9 insertions(+)


-- 
~Randy
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v5 5/7] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option
  2018-05-11  9:36 [PATCH v5 5/7] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option Alexey Gladkov
  2018-05-11 16:09 ` Randy Dunlap
@ 2018-05-11 16:45 ` Linus Torvalds
  2018-05-14  8:29   ` Alexey Gladkov
  1 sibling, 1 reply; 5+ messages in thread
From: Linus Torvalds @ 2018-05-11 16:45 UTC (permalink / raw)
  To: linux-security-module

On Fri, May 11, 2018 at 2:46 AM Alexey Gladkov <gladkov.alexey@gmail.com>
wrote:

> +       /* Limit procfs to only ptracable tasks */
> +       if (limit_pids == PROC_LIMIT_PIDS_PTRACE) {
> +               cond_resched();
> +               if (!has_pid_permissions(fs_info, task,
HIDEPID_NO_ACCESS))
> +                       goto out_put_task;
> +       }

Where did that "cond_resched()" come from? That doesn't seem to make a lot
of sense.

                    Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v5 5/7] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option
  2018-05-11 16:45 ` Linus Torvalds
@ 2018-05-14  8:29   ` Alexey Gladkov
  0 siblings, 0 replies; 5+ messages in thread
From: Alexey Gladkov @ 2018-05-14  8:29 UTC (permalink / raw)
  To: linux-security-module

On Fri, May 11, 2018 at 09:45:33AM -0700, Linus Torvalds wrote:
> On Fri, May 11, 2018 at 2:46 AM Alexey Gladkov <gladkov.alexey@gmail.com>
> wrote:
> 
> > +       /* Limit procfs to only ptracable tasks */
> > +       if (limit_pids == PROC_LIMIT_PIDS_PTRACE) {
> > +               cond_resched();
> > +               if (!has_pid_permissions(fs_info, task,
> HIDEPID_NO_ACCESS))
> > +                       goto out_put_task;
> > +       }
> 
> Where did that "cond_resched()" come from? That doesn't seem to make a lot
> of sense.

This call came along with has_pid_permissions from proc_pid_readdir [1]. It
seems to me that proc_pid_readdir and proc_pid_lookup should act in a
similar way in this case.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ba4bceef23206349d4130ddf140819b365de7c8

-- 
Rgrds, legion

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v5 5/7] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option
  2018-05-11 16:09 ` Randy Dunlap
@ 2018-05-14  8:34   ` Alexey Gladkov
  0 siblings, 0 replies; 5+ messages in thread
From: Alexey Gladkov @ 2018-05-14  8:34 UTC (permalink / raw)
  To: linux-security-module

On Fri, May 11, 2018 at 09:09:04AM -0700, Randy Dunlap wrote:
> On 05/11/2018 02:36 AM, Alexey Gladkov wrote:
> > From: Djalal Harouni <tixxdz@gmail.com>
> > 
> > If "limit_pids=1" mount option is set then do not instantiate pids that
> > we can not ptrace. "limit_pids=1" means that procfs should only contain
> > pids that the caller can ptrace.
> 
> Where can I find documentation on these mount options (pidonly, limit_pids)?

The documentation is not ready yet. It will be added in the next version
of the patchset.

-- 
Rgrds, legion

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2018-05-14  8:34 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-05-11  9:36 [PATCH v5 5/7] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option Alexey Gladkov
2018-05-11 16:09 ` Randy Dunlap
2018-05-14  8:34   ` Alexey Gladkov
2018-05-11 16:45 ` Linus Torvalds
2018-05-14  8:29   ` Alexey Gladkov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).