Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 6 Jun 2011 23:20:01 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: [RFC v1] procfs mount options

On Mon, Jun 06, 2011 at 00:10 +0400, Solar Designer wrote:
> On Sun, Jun 05, 2011 at 11:47:46PM +0400, Vasiliy Kulikov wrote:
> > On Sun, Jun 05, 2011 at 23:26 +0400, Solar Designer wrote:
> > > On Sun, Jun 05, 2011 at 10:24:31PM +0400, Vasiliy Kulikov wrote:
> > > > TODO/thoughs:
> > > >   - /proc/pid/net/ currently doesn't show ANYTHING, even "." and "..".
> > > >     This is confusing :)
> > > 
> > > Ouch.  Can't you simply restrict its perms such that this directory
> > > can't be listed unless you have privs?
...
> > Another solution - create a fake net namespace and process this
> > namespace if not enough permissions :)  It also removes weird netstat
> > errors like "seems like networking was disabled for this kernel".

A fake net namespace works perfect:

$ LANG=C netstat -nlp4
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address State       PID/Program name

No warning from netstat.  I remember brctl didn't properly handle
missing sysfs files, so fake files make sense.


Will repost the patch after I'm sure that changing hidepid works well
with inode caching (I see a bug in my current implementation).


Thanks,

-- 
Vasiliy

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.