From: Andy Lutomirski <luto@amacapital.net>
To: Djalal Harouni <tixxdz@gmail.com>
Cc: Linux API <linux-api@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Lafcadio Wluiki <wluikil@gmail.com>
Subject: Re: [PATCH v4 2/2] procfs/tasks: add a simple per-task procfs hidepid= field
Date: Fri, 20 Jan 2017 16:53:08 -0800 [thread overview]
Message-ID: <CALCETrX_K7XdyCRo1RSLySRu-2uySaR2+3J7qcw4O+JOepTwag@mail.gmail.com> (raw)
In-Reply-To: <CAEiveUdOdMr=gJZsi=Fx-CNeC8jkyi8XxC+qSG-LXWj3o2t=_A@mail.gmail.com>
On Fri, Jan 20, 2017 at 8:33 AM, Djalal Harouni <tixxdz@gmail.com> wrote:
> On Thu, Jan 19, 2017 at 8:52 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>> On Thu, Jan 19, 2017 at 5:53 AM, Djalal Harouni <tixxdz@gmail.com> wrote:
> [...]
>>> Sure, the hidepid mount option is old enough, and this per-task
>>> hidepid is clearly defined only for procfs and per task, we can't add
>>> another switch that's relate to both a filesystem and pid namespaces,
>>> it will be a bit complicated and not really useful for cases that are
>>> in *same* pidns where *each* one have to mount its procfs, it will
>>> propagate. Also as noted by Lafcadio, the gid thing is a bit hard to
>>> use now.
>>
>> What I'm trying to say is that I want to understand a complete,
>> real-world use case. Adding a security-related per-task flag is can
>> be quite messy and requires a lot of careful thought to get right, and
>> I'd rather avoid it if at all possible.
>
> I do agree, but that's not what we are proposing here. This use case
> is limited we do not manipulate the creds of the task, there are no
> security transitions. The task does not change, its only related to
> procfs and pid entries there. Also the flag applies only to current
> task and not on remote ones... Nothing new here it's an extension of
> procfs hidepid.
>
>> I'm imaging something like a new RestrictPidVisisbility= option in
>> systemd. I agree that this is currently a mess to do. But maybe a
>
> Yes that's one use case, If we manage to land this I'll follow up with
> it... plus there is, I've a use case related to kubernetes where I do
> want to reduce the number of processes inside containers per pod to
> minimal. Some other cases are: lock down children where being
> unprivileged. Also as noted in other replies on today's desktop
> systems, under a normal user session, the user should see all
> processes of the system where the media player, browser etc have no
> business to see the process tree. This can be easily implemented when
> launching apps without the need to regain privileges...
>
>> simpler solution would be to add a new mount option local_hidepid to
>> procfs. If you set that option, then it overrides hidepid for that
>> instance. Most of these semi-sandboxed daemon processes already have
>> their own mount namespace, so the overhead should be minimal.
>
> Andy If that could work :-/ we have to re-write or adapt lot of
> things inside procfs... plus:
> Procfs is a miror to the current pid namespace. Mount options are not
> procfs but rather pid namespace. That would not work.
I agree that the kernel change to do it per task is very simple. But
this is an unfortunate slippery slope. What if you want to block off
everything in /proc that isn't associated with a PID? What if you
want to suppress /sys access? What if you want ot block *all*
non-current PIDs from being revealed in /proc? What if you want to
hide /proc/PID/cmdline?
I think that the right solution here is to fix procfs to understand
per-superblock mount options.
--Andy
next prev parent reply other threads:[~2017-01-21 0:53 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-16 13:23 [PATCH v4 0/2] procfs/tasks: introduce per-task procfs hidepid= field Djalal Harouni
2017-01-16 13:23 ` [PATCH v4 1/2] procfs: use an enum for possible hidepid values Djalal Harouni
2017-02-13 22:16 ` Kees Cook
2017-02-15 0:34 ` Andrew Morton
2017-02-15 8:56 ` Djalal Harouni
2017-01-16 13:23 ` [PATCH v4 2/2] procfs/tasks: add a simple per-task procfs hidepid= field Djalal Harouni
2017-01-16 18:24 ` [kernel-hardening] " Daniel Micay
2017-01-17 9:54 ` Lafcadio Wluiki
[not found] ` <CAEiveUfDvSoW9Hy2Y_uxU2YQ+vR8OvXMqRhxAANTGG7QaQbJeg@mail.gmail.com>
[not found] ` <CALCETrWEGLhEHO_6sTXreVyWFVsEeYmZSrLNNXx-ma5gd+nTQQ@mail.gmail.com>
2017-01-18 22:50 ` Djalal Harouni
2017-01-18 23:35 ` Andy Lutomirski
2017-01-19 13:53 ` Djalal Harouni
2017-01-19 19:52 ` Andy Lutomirski
2017-01-20 15:56 ` Lafcadio Wluiki
2017-01-20 16:33 ` Djalal Harouni
2017-01-21 0:53 ` Andy Lutomirski [this message]
2017-01-23 11:46 ` Djalal Harouni
2017-01-23 20:07 ` Andy Lutomirski
2017-01-26 13:20 ` Djalal Harouni
2017-02-10 14:40 ` Lafcadio Wluiki
2017-02-10 16:18 ` Andy Lutomirski
2017-01-20 15:44 ` Lafcadio Wluiki
2017-02-10 23:44 ` Kees Cook
2017-02-13 19:01 ` Andy Lutomirski
2017-02-13 19:15 ` Kees Cook
2017-02-14 4:11 ` Christian Kujau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrX_K7XdyCRo1RSLySRu-2uySaR2+3J7qcw4O+JOepTwag@mail.gmail.com \
--to=luto@amacapital.net \
--cc=akpm@linux-foundation.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tixxdz@gmail.com \
--cc=wluikil@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).