Date: Sat, 1 Oct 2016 12:37:28 +0200
From: Jann Horn
To: Andy Lutomirski
Cc: Peter Zijlstra, Andy Lutomirski, X86 ML, "linux-kernel@vger.kernel.org", Brian Gerst, Borislav Petkov, Linux API, Linus Torvalds, Kees Cook, Tycho Andersen, Tetsuo Handa
Subject: Re: [PATCH 1/3] proc: Stop reporting eip and esp in /proc/PID/stat
Message-ID: <20161001103728.GM14666@pc.thejh.net>
References: <20160930185642.GH14666@pc.thejh.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Sep 30, 2016 at 07:01:13PM -0700, Andy Lutomirski wrote:
> On an unrelated note, can we please lock down all the silly historical
> *userspace* info leaks in /proc? Nasty ones include: net, cmdline (at
> the very least, only argv[0] should be visible if the reader lacks
> ptrace access).
>
> Less nasty ones include: limits, sched, autogroup, comm, wchan,
> schedstat, cpuset, cgroup, oom_*, sessionid, coredump_filter

If that doesn't break stuff, I'm very much in favor of it.

> uid_map, gid_map, etc are just screwed up. They should be per
> *namespace* somewhere, and they should require creds on the namespace.

What do you have in mind? Something like
/proc/namespaces/user:123456/{uid_map,gid_map,setgroups,parent_ns},
with jumped fake symlinks to the directory and its entries in /proc/$pid/?

> timerslack is totally fscked up -- it allows ugo to write and it
> checks the wrong creds. Jann, does your series fix that?

Nope. Never noticed that thing so far, probably because it was only added
a few months ago. :/ Will add it to my series.
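
An added example, not part of the thread or of anyone's patch series: a small audit that reports which of the per-process entries named above carry "other" read or write permission bits on a given /proc/<pid> directory. The function names and the sample tree are constructed for illustration; mode bits are only the first gate, since ptrace-style checks made at open or read time do not show up in them.

```python
import glob
import os
import stat

# Per-process entries named in the thread; "timerslack_ns" is the file name
# of the entry the message calls "timerslack".
NAMED_ENTRIES = [
    "net", "cmdline", "limits", "sched", "autogroup", "comm", "wchan",
    "schedstat", "cpuset", "cgroup", "oom_*", "sessionid",
    "coredump_filter", "uid_map", "gid_map", "timerslack_ns",
]


def audit_pid_dir(pid_dir, patterns=NAMED_ENTRIES):
    """Return {entry: "r", "w" or "rw"} for entries whose mode grants 'other' access."""
    findings = {}
    for pattern in patterns:
        for path in sorted(glob.glob(os.path.join(pid_dir, pattern))):
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # process exited, or entry vanished between glob and lstat
            access = ""
            if mode & stat.S_IROTH:
                access += "r"
            if mode & stat.S_IWOTH:
                access += "w"
            if access:
                findings[os.path.basename(path)] = access
    return findings


def build_sample_tree(root):
    """Constructed stand-in for /proc/<pid> with hypothetical modes, for offline runs."""
    sample = {"cmdline": 0o444, "limits": 0o444, "oom_score_adj": 0o644,
              "timerslack_ns": 0o666, "environ": 0o400, "uid_map": 0o644}
    for name, mode in sample.items():
        path = os.path.join(root, name)
        with open(path, "w"):
            pass
        os.chmod(path, mode)  # chmod is not affected by the umask
    return root


if __name__ == "__main__":
    # On a live system, audit the current process's own directory.
    for name, access in audit_pid_dir("/proc/self").items():
        print(f"{name}: other={access}")
```

Entries that are not compiled into the running kernel simply do not match and are skipped.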