Date: Sat, 4 Jun 2011 09:47:58 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Cc: Eugene Teo <eugeneteo@...il.com>
Subject: Re: procfs mount options

Solar,

On Fri, Jun 03, 2011 at 23:11 +0400, Solar Designer wrote:
> I welcome suggestions on how to achieve the desired functionality for
> procfs in a non-confusing and generic way. It should support the
> following reasonable configuration:
>
> /proc/PID directories restricted to group proc (except for owners and
> root, indeed). However, /proc/cpuinfo and the like unrestricted.
> Here's what this looks like on Linux 2.4.x-ow:
>
> dr-xr-x--- 3 root proc 0 Jun 3 22:59 1
> ...
> dr-xr-x--- 3 syslogd proc 0 Jun 3 22:59 205
> dr-xr-x--- 3 klogd proc 0 Jun 3 22:59 211
> ...
> -r--r--r-- 1 root proc 0 Jun 3 23:00 cpuinfo
> ...
> -r-------- 1 root proc 536743936 Jun 3 23:00 kcore
> -r-------- 1 root proc 0 May 5 20:36 kmsg
> ...
> dr-xr-x--- 5 root proc 0 Jun 3 23:00 net
> ...
> -r--r--r-- 1 root proc 0 Jun 3 23:00 uptime
> -r--r--r-- 1 root proc 0 Jun 3 23:00 version
>
> Perhaps gid=proc,umask=007 should result in the above for /proc/PID, but
> how do we justify it not affecting /proc/cpuinfo, uptime, version (and
> many others)? How do we justify it nevertheless affecting /proc/net (or
> should another option do that)?

I think it should be done with separate mount options for /proc/self/net
(/proc/net is a symlink to /proc/self/net since net namespaces
introduction) and for /proc/PID. All other files should be e.g. chmod'ed
go= and then some white list should be chmod'ed to the relaxed perms.

> Indeed, we could set some of these perms with chmod post-mount, but as
> discussed this has drawbacks.

Where were its drawbacks discussed? I cannot find anything on owl-dev. Do
you mean some possible differences between procfs files among different
kernel versions? If so, white list instead of black list should partly
solve it.

> So ideally our preferred configuration
> (which will be the default on Owl) should be achievable with mount
> options alone.

At least for sysfs it is unreachable if we go in the current direction -
umask doesn't change perms of already created files, and additional
"chmod -R" is needed anyway.

Thanks,

--
Vasiliy
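
The white-list pass suggested in the message above, as an added example that is not part of the original thread or of any Owl or kernel code. It runs against a constructed mock tree rather than a real /proc; the white-list contents (taken from the quoted listing), the mock entries and all function names are assumptions.

```sh
#!/bin/sh
# Added example: default-deny permissions for the top level of a
# procfs-like tree. Works on a constructed mock tree, so no root needed.
WHITELIST="cpuinfo uptime version"   # assumed list of relaxed entries

# Build a constructed stand-in for /proc (everything world-readable).
make_mock_proc() {
    for f in cpuinfo uptime version kcore kmsg slabinfo; do
        : > "$1/$f"; chmod 444 "$1/$f"
    done
    for d in 1 205 self net; do
        mkdir "$1/$d"; chmod 555 "$1/$d"
    done
}

is_whitelisted() {
    for w in $WHITELIST; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# Strip group/other access from every entry that is not white-listed.
# /proc/PID (all-digit names), self and net are skipped: the message
# proposes separate mount options for those.
apply_whitelist() {
    for path in "$1"/*; do
        name=${path##*/}
        case $name in
            self|net) continue ;;
            *[!0-9]*) ;;             # has a non-digit: handled below
            *) continue ;;           # all digits: a PID directory
        esac
        if is_whitelisted "$name"; then
            chmod go=r "$path"       # relaxed perms for known-safe files
        else
            chmod go= "$path"        # anything unknown ends up restricted
        fi
    done
}

mode_of() { stat -c %a "$1"; }       # octal mode (GNU stat)

demo=$(mktemp -d)
make_mock_proc "$demo"
apply_whitelist "$demo"
ls -l "$demo"
rm -rf "$demo"
```

An entry that is not on the list, such as the mock slabinfo here, comes out restricted without any change to the script, which is the property a black list lacks when a newer kernel adds files.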