From: Lafcadio Wluiki <wluikil@gmail.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Djalal Harouni <tixxdz@gmail.com>,
Linux API <linux-api@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH v4 2/2] procfs/tasks: add a simple per-task procfs hidepid= field
Date: Fri, 20 Jan 2017 16:56:24 +0100 [thread overview]
Message-ID: <CAOWbf6cF23UGugNGb4wc9KNK7Yb4BG=V7yTnOP61+h2q5dA-nQ@mail.gmail.com> (raw)
In-Reply-To: <CALCETrUp9CBWykRUQoJOXeLg9u45H+2VWyQ_BKAhwc9OpBYn+g@mail.gmail.com>
On Thu, Jan 19, 2017 at 8:52 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>> Sure, the hidepid mount option is old enough, and this per-task
>> hidepid is clearly defined only for procfs and per task, we can't add
>> another switch that's relate to both a filesystem and pid namespaces,
>> it will be a bit complicated and not really useful for cases that are
>> in *same* pidns where *each* one have to mount its procfs, it will
>> propagate. Also as noted by Lafcadio, the gid thing is a bit hard to
>> use now.
>
> What I'm trying to say is that I want to understand a complete,
> real-world use case. Adding a security-related per-task flag is can
> be quite messy and requires a lot of careful thought to get right, and
> I'd rather avoid it if at all possible.
>
> I'm imaging something like a new RestrictPidVisisbility= option in
> systemd. I agree that this is currently a mess to do. But maybe a
It's not just a "mess" to do, it's not possible afaics. The hidepid
thing is after all not really a mount option, but an option of the pid
namespace. Hence, if you want to restrict the visibility for one
service only, then you have to get your own PID namespace, but that
does a lot more than just hide visibility: it renumbers everything
after all...
> simpler solution would be to add a new mount option local_hidepid to
> procfs. If you set that option, then it overrides hidepid for that
> instance. Most of these semi-sandboxed daemon processes already have
> their own mount namespace, so the overhead should be minimal.
When I worked on the patches originally, I actually wanted to
implement this as true per-superblock procfs mount option. But this is
really hard to do, as the private superblock pointer of the procfs
instance currently points to the pid namespace, and breaking that up,
so that you can have multiple procfs superblocks per pid namespace is
a ton of work, and I doubt anyone would really like the complexity
this brings, just for adding a single 2bit option...
The per-process option is much simpler code-wise. It also has
semantical benefits: if the thing isn't a mount option it is
accessible with absolutely minimal privileges, as it does not imply
namespaces and mounting. This means, my Firefox can run with hidepid
turned on without my KDE Konsole instance also having to turn it on.
Or to say this differently: your suggested RestrictPidVisibility=
works nicely both for "systemd" as PID 1 and for "systemd --user" as
user "lafcadio", when it is per-process, but is much more complex to
implement if it was a true mount option.
L.
next prev parent reply other threads:[~2017-01-20 15:56 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-16 13:23 [PATCH v4 0/2] procfs/tasks: introduce per-task procfs hidepid= field Djalal Harouni
2017-01-16 13:23 ` [PATCH v4 1/2] procfs: use an enum for possible hidepid values Djalal Harouni
2017-02-13 22:16 ` Kees Cook
2017-02-15 0:34 ` Andrew Morton
2017-02-15 8:56 ` Djalal Harouni
2017-01-16 13:23 ` [PATCH v4 2/2] procfs/tasks: add a simple per-task procfs hidepid= field Djalal Harouni
2017-01-16 18:24 ` [kernel-hardening] " Daniel Micay
2017-01-17 9:54 ` Lafcadio Wluiki
[not found] ` <CAEiveUfDvSoW9Hy2Y_uxU2YQ+vR8OvXMqRhxAANTGG7QaQbJeg@mail.gmail.com>
[not found] ` <CALCETrWEGLhEHO_6sTXreVyWFVsEeYmZSrLNNXx-ma5gd+nTQQ@mail.gmail.com>
2017-01-18 22:50 ` Djalal Harouni
2017-01-18 23:35 ` Andy Lutomirski
2017-01-19 13:53 ` Djalal Harouni
2017-01-19 19:52 ` Andy Lutomirski
2017-01-20 15:56 ` Lafcadio Wluiki [this message]
2017-01-20 16:33 ` Djalal Harouni
2017-01-21 0:53 ` Andy Lutomirski
2017-01-23 11:46 ` Djalal Harouni
2017-01-23 20:07 ` Andy Lutomirski
2017-01-26 13:20 ` Djalal Harouni
2017-02-10 14:40 ` Lafcadio Wluiki
2017-02-10 16:18 ` Andy Lutomirski
2017-01-20 15:44 ` Lafcadio Wluiki
2017-02-10 23:44 ` Kees Cook
2017-02-13 19:01 ` Andy Lutomirski
2017-02-13 19:15 ` Kees Cook
2017-02-14 4:11 ` Christian Kujau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAOWbf6cF23UGugNGb4wc9KNK7Yb4BG=V7yTnOP61+h2q5dA-nQ@mail.gmail.com' \
--to=wluikil@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=tixxdz@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).