To: Vasiliy Kulikov
CC: LKML
From: Evgenii Shatokhin
Subject: hidepid=2 and dumpability
Message-ID: <566FCC66.605@odin.com>
Date: Tue, 15 Dec 2015 11:16:38 +0300

(Sorry, forgot to CC LKML yesterday, resending.)

Hi,

Could you shed some light on the implementation of the 'hidepid' option for procfs in the Linux kernel?

As far as I can see, has_pid_permissions() eventually calls ptrace_may_access(task, PTRACE_MODE_READ). This way, if hidepid=2 is used, ordinary users will see only those of their own processes that are dumpable. For example, the processes that changed credentials or were marked as non-dumpable with prctl() will remain invisible to their owners.

Isn't that overkill? Or perhaps there is a security risk if a user could read the contents of /proc/ for these processes?

I stumbled upon this while experimenting with hidepid=2 in a Virtuozzo container. If I log in to the container as an ordinary user via SSH, one of the sshd processes (owned by the user) in the container is not visible to that user.

I checked at runtime that it is the dumpability check in the kernel that fails in __ptrace_may_access(). The kernel is based on version 3.10.x, but it should not matter much in this case.

Any ideas?

Thanks in advance.

Regards,
Evgenii
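
The following is an added example, not part of the original message or of the kernel sources: a small C probe for the behaviour described above. It forks a child that sets its own dumpable flag with prctl(), then calls stat() on /proc/<pid> of that child from the parent, which runs under the same UID. The helper name probe_child and the pipe handshake are constructions for this example. Run as an unprivileged user who is not in the procfs gid= group, on a /proc mounted with hidepid=2, the non-dumpable child is expected to give ENOENT while the dumpable one gives 0.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that sets its dumpable flag, then stat() /proc/<child pid> from
 * the parent (same UID). Returns 0 if visible, the stat() errno if not, -1 on
 * setup failure; *flag_out receives the child's PR_GET_DUMPABLE value. */
int probe_child(int dumpable, int *flag_out)
{
    int up[2], down[2];   /* child->parent and parent->child pipes */
    char flag, path[64];
    struct stat st;
    if (pipe(up) != 0 || pipe(down) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(up[0]); close(down[1]);
        prctl(PR_SET_DUMPABLE, dumpable, 0, 0, 0);
        flag = (char)prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
        if (write(up[1], &flag, 1) != 1)
            _exit(1);
        if (read(down[0], &flag, 1) < 0)   /* block until parent closes */
            _exit(1);
        _exit(0);
    }
    close(up[1]); close(down[0]);
    int ok = read(up[0], &flag, 1) == 1;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    int result = stat(path, &st) == 0 ? 0 : errno;
    close(down[1]); close(up[0]);           /* EOF releases the child */
    waitpid(pid, NULL, 0);
    if (!ok)
        return -1;
    *flag_out = flag;
    return result;
}

int main(void)
{
    int flag = -1;
    for (int d = 1; d >= 0; d--) {
        int r = probe_child(d, &flag);
        printf("requested=%d dumpable=%d stat errno=%d\n", d, flag, r);
    }
}
```

As root, or on a /proc mounted without hidepid=2, both children stay visible and both calls return 0.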