* mount /proc at boot as read-only
@ 2019-01-06 18:13 Lev Olshvang
From: Lev Olshvang @ 2019-01-06 18:13 UTC
  To: kernelnewbies


Hello all,

I am trying to harden the embedded system.

Is it possible and safe to mount the /proc file system in read-only mode, and how do I do this?
I have an embedded system with systemd where /proc is mounted rw.
I suspect that systemd mounts it when it begins to bootstrap user space.

On my currently idle and small embedded board and on QEMU I was able to remount /proc read-only.
But when I changed fstab to mount it read-only, it is still mounted
rw,relatime after reboot.

So who mounts it first?
Is it hardcoded in systemd when it starts the PID 1 process, or in the kernel?



Regards,
Lev

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
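An added check (my example, not from the thread): rather than trusting what fstab asked for, read /proc/self/mountinfo after boot and see which options /proc actually carries. The mountinfo excerpt and the list of expected hardening options below are constructed assumptions, not output from the poster's board.

```shell
#!/bin/sh
# Verify how /proc actually ended up mounted by parsing mountinfo.
# Constructed /proc/self/mountinfo excerpt (not from the poster's board);
# pass a real file path to the functions to check a live system.
SAMPLE_MOUNTINFO='21 27 0:19 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
22 27 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
27 0 179:2 / / rw,relatime shared:1 - ext4 /dev/mmcblk0p2 rw,data=ordered'

# mount_opts MOUNTPOINT [FILE]
# Prints "<per-mountpoint options>,<superblock options>" for MOUNTPOINT.
# In mountinfo, field 5 is the mountpoint and field 6 its options; the
# superblock options are the last field after the " - " separator.
# "ro" can show up at either level, so both are merged for the checks.
mount_opts() {
    awk -v mp="$1" '$5 == mp { print $6 "," $NF; exit }' "${2:-/proc/self/mountinfo}"
}

# is_readonly MOUNTPOINT [FILE]: returns 0 if "ro" is among the options,
# 1 if the mount is rw, 2 if the mountpoint is not mounted at all.
is_readonly() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# missing_hardening MOUNTPOINT [FILE]: prints the options (assumed set:
# ro nosuid nodev noexec hidepid) that this mount lacks; empty if none.
missing_hardening() {
    opts=$(mount_opts "$1" "$2")
    missing=""
    for want in ro nosuid nodev noexec hidepid; do
        case ",$opts," in
            *,"$want",*|*,"$want"=*) ;;
            *) missing="$missing$want " ;;
        esac
    done
    printf '%s\n' "${missing% }"
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTINFO" > "$tmp"
if is_readonly /proc "$tmp"; then echo "/proc is read-only"; else echo "/proc is rw"; fi
echo "missing hardening options: $(missing_hardening /proc "$tmp")"
rm -f "$tmp"
```

Run it with no FILE argument on the board itself to compare the live mount against the fstab entry.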


* Re: mount /proc at boot as read-only
From: valdis.kletnieks @ 2019-01-06 22:45 UTC
  To: Lev Olshvang; +Cc: kernelnewbies

On Sun, 06 Jan 2019 21:13:26 +0300, Lev Olshvang said:

> I am trying to harden the embedded system.
> I have embedded system with systemd .....

OK, you've already got a problem right there.

It's an embedded system.  Therefore, you know everything that should be running,
and what order it should start in.  If you don't already know that, you have bigger
design issues.

So you probably want to reduce system complexity and save both RAM and flash
memory space by heaving systemd over the side and using something simpler
(sysvinit, or upstart, or even use '/bin/make' if you want to guarantee that
certain tasks don't start till others have actually launched successfully, or
use a custom-written system launcher).

That's going to do more to reduce the attack surface than any amount of monkeying
around with the permissions in /proc will do.


* Re: mount /proc at boot as read-only
From: Greg KH @ 2019-01-07 8:35 UTC
  To: Lev Olshvang; +Cc: kernelnewbies

On Sun, Jan 06, 2019 at 09:13:26PM +0300, Lev Olshvang wrote:
> 
> Hello all,
> 
> I am trying to harden the embedded system.

Please define exactly what you mean by "harden".

> Is it possible and safe to mount /proc file system in a read-only mode and how to do this?

Why would you want /proc to be read-only?  What is that going to protect
you from?  What is insecure in there as-is?

> I have embedded system with systemd where /proc is mounted rw.

Odds are your system needs this that way.  If not, then why mount proc
at all?  Why not just disable the proc filesystem from your kernel
entirely and not even worry about it at all?

thanks,

greg k-h
