Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 12 Jun 2011 14:12:23 +0300
From: Alexey Dobriyan <>
To: Vasiliy Kulikov <>
Cc:, "David S. Miller" <>,
	Andrew Morton <>,
	Linus Torvalds <>,
	Nikanth Karthikesan <>,
	David Rientjes <>,
	Greg Kroah-Hartman <>,
	Al Viro <>,
	Eric Dumazet <>,,
Subject: Re: [RFC] procfs: add hidepid and hidenet modes

On Sun, Jun 12, 2011 at 11:51:01AM +0400, Vasiliy Kulikov wrote:
> hidenet means /proc/PID/net will be accessible to processes with
> CAP_NET_ADMIN capability or to members of a special group.
> gid=XXX defines a group that will be able to gather all processes' info
> and network connections info.
> Similar features are implemented for old kernels in -ow patches (for
> Linux 2.2 and 2.4) and for Linux 2.6 in -grsecurity (but both of them
> are implemented as configure options, not cofigurable in runtime).
> In current version hidenet works for CONFIG_NET_NS=y via creating a
> "fake" net namespace and slipping it to nonauthorized users, resulting
> in users observing blank net files (like nobody use the network).  If
> CONFIG_NET_NS=n I don't see anything better than just fully denying
> access to /proc/<pid>/net.  More elegant ideas are welcome.

This fake netns concept is ugly.
If you wan't deny something, why don't you return -E?

Regardless, these should be separate patch from PID stuff.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.