Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 5 Jun 2011 01:03:15 +0400
From: Solar Designer <solar@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Cc: Pavel Labushev <p.labushev@...il.com>
Subject: Re: /proc/PID directory hiding (was: [owl-dev] segoon's status report - #1 of 15)

On Sun, Jun 05, 2011 at 12:20:47AM +0400, Vasiliy Kulikov wrote:
> On Sat, Jun 04, 2011 at 22:19 +0400, Solar Designer wrote:
> > As to probing for PIDs with syscalls such as kill(2), we may deal with
> > that as well
> 
> I'd not do this.  There are too many paths using pids, I don't think
> there is some universal way (read: a bottleneck) to filter all accesses.

Something like this is done for containers, but I agree with you.

> And the award is not too high to bother.

Yes, perhaps, and it'd be difficult to avoid timing leaks.

Anyhow, this would be a separate task.  Let's deal with the filesystems
first, and then proceed with other hardening measures already
implemented in patches and needing proper submission upstream.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.