Date: Sun, 27 Mar 2011 23:45:52 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: sysfs facility

Vasiliy,

On Sun, Mar 27, 2011 at 07:05:46PM +0400, Vasiliy Kulikov wrote:
> I've written a draft version of sysfs facility for owl-control to restrict
> access to contents of sysfs mount point.  It has only 2 modes - public
> (currently implemented in every distro) and restricted.  It lacks
> a group restriction.
> 
> The same works for procfs (e.g. to fix numerous ASLR infoleaks,
> prevent exploitation of CVE-2011-1020, or just to restrict ps(1)).

Although we had discussed this approach, I never liked it much.  I did
not seriously consider it for Owl.  I think it is better for us to get
support for different sysfs and procfs permission settings into the
kernel.  It could be in the form of sysctl's or maybe mount options -
mode, gid, umask.  Something like:

mount sysfs /sys -t sysfs -omode=700
mount proc /proc -t proc -ogid=110,umask=007

could be our default.  The procfs umask would apply to user-related
entries in /proc only (most importantly, the /proc/<pid> directories),
whereas system-wide things like /proc/cpuinfo would stay world-readable.
If one wants to restrict access to those, they'd use mode=... instead,
which would apply to the procfs root directory entry.  Well, OK, that's
confusing, and then we'd want umask to apply to /proc/net as well...
So maybe a differently named mount option or a sysctl will be better.

I think we should decide on this and propose it upstream.

Even if rejected upstream, we need something like this in our kernel
anyway.  Restricting access to the mount point won't cut it - no
equivalent to restricting /proc/<pid> directories, which is a must for
being able to let ps see the current user's processes only.

So if you asked me whether to create such a control facility or not,
I would reply "no".  Now that you've already spent time on it, I'm not
sure.  What do others think?

Thanks,

Alexander
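The mode=/gid=/umask= mount options sketched in the message above were a proposal at the time; what procfs actually gained upstream (Linux 3.3) were the hidepid= and gid= options, which implement exactly the per-/proc/<pid> restriction the message says a mount-point permission cannot provide (hidepid=noaccess/invisible/ptraceable spellings arrived in Linux 5.8). The following script is an added example, not part of the thread or of owl-control: it classifies a procfs mount-options string, reports how the live /proc is configured, and prints the remount command that would restrict other users' /proc/<pid> entries. The group name "proc" passed to restrict_cmd is a placeholder assumption.

```sh
#!/bin/sh
# Added example (not from the owl-dev thread): report how /proc/<pid>
# visibility is configured, using the hidepid=/gid= procfs mount options
# that Linux gained in 3.3 (named spellings: 5.8).

# Classify a procfs mount-options string (4th field of /proc/mounts).
# Prints one of:
#   public     - every user may list and read every /proc/<pid>
#   noaccess   - other users' /proc/<pid> are listed but cannot be entered
#   invisible  - other users' /proc/<pid> are not listed at all
#   ptraceable - only processes the caller could ptrace are shown
proc_pid_visibility() {
    case ",$1," in
        *,hidepid=2,*|*,hidepid=invisible,*)  echo invisible ;;
        *,hidepid=1,*|*,hidepid=noaccess,*)   echo noaccess ;;
        *,hidepid=4,*|*,hidepid=ptraceable,*) echo ptraceable ;;
        *) echo public ;;
    esac
}

# Group exempt from hidepid (the gid= option), or "none" if not set.
proc_exempt_gid() {
    case ",$1," in
        *,gid=*) printf '%s\n' ",$1," | sed 's/.*,gid=\([^,]*\),.*/\1/' ;;
        *) echo none ;;
    esac
}

# Options of the live /proc mount; empty if /proc/mounts is unreadable.
current_proc_opts() {
    [ -r /proc/mounts ] || return 0
    awk '$2 == "/proc" && $3 == "proc" { print $4; exit }' /proc/mounts
}

# Remount command restricting /proc/<pid> to its owner plus one exempt
# group: the counterpart of the "gid=110,umask=007" idea in the message.
# $1 is a group name or numeric gid; it must exist on the system.
restrict_cmd() {
    printf 'mount -o remount,hidepid=2,gid=%s /proc\n' "$1"
}

opts=$(current_proc_opts)
if [ -n "$opts" ]; then
    echo "current /proc options:     $opts"
    echo "other users' /proc/<pid>:  $(proc_pid_visibility "$opts")"
    echo "group exempt from hidepid: $(proc_exempt_gid "$opts")"
    # "proc" is a placeholder group name; substitute a real one.
    [ "$(proc_pid_visibility "$opts")" = public ] &&
        echo "to restrict, run as root:  $(restrict_cmd proc)"
fi
```

After a remount with hidepid=2, ps(1) run by an unprivileged user lists only that user's own processes, while members of the gid= group (a monitoring daemon, for instance) still see everything; world-readable system-wide files such as /proc/cpuinfo are unaffected, which is the split the message asks for.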
