Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 9 Nov 2011 21:50:17 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: procfs and tty timing infoleaks

Solar, all -

Given latest LKML discussions about scheduler and timestamp infoleaks,
I think we can break backward compatibility via patching procps in Owl.
In details, I propose:

1) restrict access to /proc/$PID/{stat,sched,schedstat}.  Patch procps
to gracefully handle -EPERM as if all stats are zeroes.

2) chmod /proc/{interrupts,stat} to 0400.

3) fill zeroes in tty mtime/atime fields on stat() family syscalls.


Alternative - not to patch these ourselves too and propose procfs patch
upstream; after we get ACK/NACK, backport it to RHEL5 kernel and to RHEL6
after we move to it.  But it still has a major issue - as all procfs
files should check permissions on read/write, all 0444 procfs files
currently missing ptrace check will need it too (which is quite messy
with runtime configurabe approach).

Thanks,

-- 
Vasiliy

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ