From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757289Ab1INSZh (ORCPT ); Wed, 14 Sep 2011 14:25:37 -0400 Received: from e6.ny.us.ibm.com ([32.97.182.146]:36604 "EHLO e6.ny.us.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757261Ab1INSZg (ORCPT ); Wed, 14 Sep 2011 14:25:36 -0400 Subject: Re: [kernel-hardening] Re: [RFC PATCH 2/2] mm: restrict access to /proc/slabinfo From: Dave Hansen To: Vasiliy Kulikov Cc: kernel-hardening@lists.openwall.com, Andrew Morton , Cyrill Gorcunov , Al Viro , Christoph Lameter , Pekka Enberg , Matt Mackall , linux-kernel@vger.kernel.org, linux-mm@kvack.org, Dan Rosenberg , Theodore Tso , Alan Cox , Jesper Juhl , Linus Torvalds In-Reply-To: <20110914154229.GA9776@albatros> References: <20110910164001.GA2342@albatros> <20110910164134.GA2442@albatros> <20110914131630.GA7001@albatros> <1316013505.4478.50.camel@nimitz> <20110914154229.GA9776@albatros> Content-Type: text/plain; charset="UTF-8" Date: Wed, 14 Sep 2011 11:24:40 -0700 Message-ID: <1316024680.4478.61.camel@nimitz> Mime-Version: 1.0 X-Mailer: Evolution 2.32.2 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2011-09-14 at 19:42 +0400, Vasiliy Kulikov wrote: > > In other words, I dunno. If we do this in the kernel, can we at least > > do something like CONFIG_INSECURE to both track these kinds of things > > and make it easy to get them out of a developer's way? > > What do you think about adding your user to the slabinfo's group or > chmod it - quite the opposite Ubuntu currently does? I think it is more > generic (e.g. you may chmod 0444 to allow all users to get debug > information or just 0440 and chgrp admin to allow only trusted users to > do it) and your local policy doesn't touch the kernel. That obviously _works_. I'd be happy to ack your patch. As I said, it's pretty minimally painful, even to folks who care about slabinfo like me. -- Dave