Date: Mon, 16 Jan 2017 13:24:28 -0500 From: Daniel Micay <danielmicay@...il.com> To: kernel-hardening@...ts.openwall.com, linux-kernel@...r.kernel.org Cc: Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, Lafcadio Wluiki <wluikil@...il.com>, Djalal Harouni <tixxdz@...il.com> Subject: Re: [PATCH v4 2/2] procfs/tasks: add a simple per-task procfs hidepid= field > This should permit Linux distributions to more comprehensively lock > down > their services, as it allows an isolated opt-in for hidepid= for > specific services. Previously hidepid= could only be set system-wide, > and then specific services had to be excluded by group membership, > essentially a more complex concept of opt-out. I think it's a lot easier for them to introduce a proc group and then figure out the very few exceptions that are needed vs. requiring a huge number of opt-ins. I don't think the issue is difficulty in deploying it, it's lack of interest. Android deployed it in 7.x without any major issues. A good way to get people to use it would be adding proc groups to major distributions and getting systemd to expose a simple toggle for this, instead of requiring users to add /proc to fstab (not there by default with systemd) and hard-wired the correct proc gid for that distribution. Can then file bugs for packages needing the proc group. For systemd itself, logind needs it since it drops the capability that allows bypassing it. Other than that, it's mostly just polkit. Download attachment "signature.asc" of type "application/pgp-signature" (867 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.