From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.5 required=3.0 tests=DKIM_ADSP_CUSTOM_MED, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0C60BC2BA83 for ; Wed, 12 Feb 2020 16:03:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id DA00520873 for ; Wed, 12 Feb 2020 16:03:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727716AbgBLQDo (ORCPT ); Wed, 12 Feb 2020 11:03:44 -0500 Received: from monster.unsafe.ru ([5.9.28.80]:58634 "EHLO mail.unsafe.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726728AbgBLQDn (ORCPT ); Wed, 12 Feb 2020 11:03:43 -0500 Received: from comp-core-i7-2640m-0182e6 (nat-pool-brq-t.redhat.com [213.175.37.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.unsafe.ru (Postfix) with ESMTPSA id DC5BFC61AB0; Wed, 12 Feb 2020 16:03:40 +0000 (UTC) Date: Wed, 12 Feb 2020 17:03:39 +0100 From: Alexey Gladkov To: Andy Lutomirski Cc: LKML , Kernel Hardening , Linux API , Linux FS Devel , Linux Security Module , Akinobu Mita , Alexander Viro , Alexey Dobriyan , Andrew Morton , Daniel Micay , Djalal Harouni , "Dmitry V . Levin" , "Eric W . Biederman" , Greg Kroah-Hartman , Ingo Molnar , "J . Bruce Fields" , Jeff Layton , Jonathan Corbet , Kees Cook , Linus Torvalds , Oleg Nesterov , Solar Designer Subject: Re: [PATCH v8 10/11] docs: proc: add documentation for "hidepid=4" and "subset=pidfs" options and new mount behavior Message-ID: <20200212160339.q6pm5zmjy5mfnvcr@comp-core-i7-2640m-0182e6> Mail-Followup-To: Andy Lutomirski , LKML , Kernel Hardening , Linux API , Linux FS Devel , Linux Security Module , Akinobu Mita , Alexander Viro , Alexey Dobriyan , Andrew Morton , Daniel Micay , Djalal Harouni , "Dmitry V . Levin" , "Eric W . Biederman" , Greg Kroah-Hartman , Ingo Molnar , "J . Bruce Fields" , Jeff Layton , Jonathan Corbet , Kees Cook , Linus Torvalds , Oleg Nesterov , Solar Designer References: <20200210150519.538333-1-gladkov.alexey@gmail.com> <20200210150519.538333-11-gladkov.alexey@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org On Mon, Feb 10, 2020 at 10:29:23AM -0800, Andy Lutomirski wrote: > On Mon, Feb 10, 2020 at 7:06 AM Alexey Gladkov wrote: > > > > Signed-off-by: Alexey Gladkov > > --- > > Documentation/filesystems/proc.txt | 53 ++++++++++++++++++++++++++++++ > > 1 file changed, 53 insertions(+) > > > > diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt > > index 99ca040e3f90..4741fd092f36 100644 > > --- a/Documentation/filesystems/proc.txt > > +++ b/Documentation/filesystems/proc.txt > > @@ -50,6 +50,8 @@ Table of Contents > > 4 Configuring procfs > > 4.1 Mount options > > > > + 5 Filesystem behavior > > + > > ------------------------------------------------------------------------------ > > Preface > > ------------------------------------------------------------------------------ > > @@ -2021,6 +2023,7 @@ The following mount options are supported: > > > > hidepid= Set /proc// access mode. > > gid= Set the group authorized to learn processes information. > > + subset= Show only the specified subset of procfs. > > > > hidepid=0 means classic mode - everybody may access all /proc// directories > > (default). > > @@ -2042,6 +2045,56 @@ information about running processes, whether some daemon runs with elevated > > privileges, whether other user runs some sensitive program, whether other users > > run any program at all, etc. > > > > +hidepid=4 means that procfs should only contain /proc// directories > > +that the caller can ptrace. > > I have a couple of minor nits here. > > First, perhaps we could stop using magic numbers and use words. > hidepid=ptraceable is actually comprehensible, whereas hidepid=4 > requires looking up what '4' means. Do you mean to add string aliases for the values? hidepid=0 == hidepid=default hidepid=1 == hidepid=restrict hidepid=2 == hidepid=ownonly hidepid=4 == hidepid=ptraceable Something like that ? > Second, there is PTRACE_MODE_ATTACH and PTRACE_MODE_READ. Which is it? This is PTRACE_MODE_READ. > > + > > gid= defines a group authorized to learn processes information otherwise > > prohibited by hidepid=. If you use some daemon like identd which needs to learn > > information about processes information, just add identd to this group. > > How is this better than just creating an entirely separate mount a > different hidepid and a different gid owning it? I'm not sure I understand the question. Now you cannot have two proc with different hidepid in the same pid_namespace. > In any event, > usually gid= means that this gid is the group owner of inodes. Let's > call it something different. gid_override_hidepid might be credible. > But it's also really weird -- do different groups really see different > contents when they read a directory? If you use hidepid=2,gid=wheel options then the user is not in the wheel group will see only their processes and the user in the wheel group will see whole tree. The gid= is a kind of whitelist for hidepid=1|2. -- Rgrds, legion