Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 24 May 2011 19:12:46 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Cc: Eugene Teo <eugeneteo@...il.com>
Subject: Re: segoon's status report - #1 of 15

Solar,

On Tue, May 24, 2011 at 06:34 +0400, Solar Designer wrote:
> On Wed, May 18, 2011 at 07:06:01PM +0400, Vasiliy Kulikov wrote:
> > Accomplishments:
> > 
> >   * Studied VFS and sysfs subsystems.
> >   * Implemented a basic version of gid and pmode options for procfs (via
> >     sysctl, no mount option yet).
> 
> IIRC, there was partial support for gid= on procfs in stock 2.4 kernels,
> and -ow patches completed that.  Is this somehow gone in 2.6?  (I did
> not look into this at all.)

Currently procfs doesn't parse mount options at all.  I didn't know
about gid= parsing in 2.4, will look at it.

> >   * Implemented sysfs' mount options parsing and a basic version of
> >     sysfs "mode" option.
> 
> Where is this code (your changes)?  Just on your computer?
> 
> > Priorities:
> > 
> >   * More tests the patch for sysfs, send RFC to LKML.
> 
> Not done yet?  (At least, I was not CC'ed on a message like that.)

I've posted an initial patch to LKML:

https://lkml.org/lkml/2011/5/18/272

Here I just posted the patch to LKML CC'ing relevant upstream people
(here GregKH only) and CC'ing my mentor, Eugene - people on LKML are
annoyed by long CC list sometimes.  Should I CC you and/or owl-dev?

> >   * Rethink and discuss the usefullness of hiding /proc pid directories.
> 
> What exactly do you mean by "hiding /proc pid directories"?  Restricting
> the perms on them (like in -ow patches and grsecurity) or actually
> hiding the directories themselves (not revealing the PIDs and their
> corresponding owner UIDs)?

I've implemented restricted perms, but didn't do actual hiding
directories.  In grsecurity it is implemented by hiding directories from
processes that cannot access them.

I think it may be defective by design because there are many other ways
to identify whether there is a process with a specific pid.  However, it
might really hide process UID (/proc/PID/ owner).

Eugene also noted that directories hiding might confuse antirootkits, etc.


Thanks,

-- 
Vasiliy

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ