Date: Mon, 14 May 2018 11:01:17 +0200
From: Alexey Gladkov <>
To: Jann Horn <>
Cc: Kees Cook <>, Andy Lutomirski <>,
	Andrew Morton <>,
	kernel list <>,
	Kernel Hardening <>,
	linux-security-module <>,
	Linux API <>,
	Greg Kroah-Hartman <>,
	Alexander Viro <>,
	Akinobu Mita <>,
	Oleg Nesterov <>,
	Jeff Layton <>,
	Ingo Molnar <>,
	Alexey Dobriyan <>,
	"Eric W. Biederman" <>,
	Linus Torvalds <>,
	Daniel Micay <>,
	Jonathan Corbet <>,
	Stephen Rothwell <>,
	Solar Designer <>,
	"Dmitry V. Levin" <>,
	Djalal Harouni <>
Subject: Re: [PATCH v5 7/7] proc: add option to mount only a pids subset

On Fri, May 11, 2018 at 03:58:39PM +0200, Jann Horn wrote:
> On Fri, May 11, 2018 at 11:37 AM, Alexey Gladkov
> <> wrote:
> > This allows to hide all files and directories in the procfs that are not
> > related to tasks.
> /proc/$pid/net and /proc/$pid/task/$tid/net aren't in scope for this
> protection, even though they contain information about the whole
> network namespace of the task, right?

Yes. The pidonly option makes only the pids subset visible. You can still access the
process namespaces via /proc/$pid/ns.

We can think of additional constraints since the parameters are not
stored in the pid namespace anymore.

Rgrds, legion
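The exchange above is about scope: a pids-only proc mount hides the global entries (cpuinfo, sys, ...) but leaves the per-task net and ns entries reachable. The following POSIX shell helper is an added audit example, not code from the patch series or from anyone in the thread. It reports which top-level entries of a proc mount are global rather than task-related, and which namespace-related entries a task directory still exposes. It assumes that numeric directories plus the self and thread-self links are the task-related names; the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper; not from the patch series or the thread above.
# It inspects a procfs mount (or a constructed look-alike tree) and reports
# (a) top-level entries that are not task-related, which a pids-only mount
#     is meant to hide, and
# (b) per-task entries (net, ns) that remain visible even with such a mount.
# Assumption: numeric directories plus the self/thread-self links count as
# task-related; every other top-level name is treated as a global entry.

# Print "task" or "global" for a single top-level procfs entry name.
classify_proc_entry() {
    case "$1" in
        self|thread-self) echo task ;;
        ''|*[!0-9]*)      echo global ;;   # non-numeric: not a pid directory
        *)                echo task ;;
    esac
}

# Count the global (non-task) entries directly under the given directory.
count_global_entries() {
    dir="$1"; n=0
    for path in "$dir"/*; do
        [ -e "$path" ] || continue   # empty directory: the glob stays literal
        name=${path##*/}
        [ "$(classify_proc_entry "$name")" = global ] && n=$((n + 1))
    done
    echo "$n"
}

# Report which namespace-related entries a task directory still exposes.
# Prints a space-separated list drawn from "net" and "ns" (empty if none).
task_namespace_exposure() {
    taskdir="$1"; out=""
    for entry in net ns; do
        [ -e "$taskdir/$entry" ] && out="$out$entry "
    done
    echo "${out% }"
}

# Build a constructed stand-in for a pids-only proc mount in a temp dir and
# print its path: two tasks, the self link, and two leaked global entries.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/1/net" "$root/1/ns" "$root/42/net" "$root/42/ns"
    mkdir -p "$root/self" "$root/cpuinfo" "$root/sys"
    echo "$root"
}

# Stand-alone run: audit the constructed tree, then a real /proc if present.
if [ "${AUDIT_DEMO:-1}" = 1 ]; then
    sample=$(make_sample_tree)
    echo "sample tree: $(count_global_entries "$sample") global entries"
    echo "sample task 1 exposes: $(task_namespace_exposure "$sample/1")"
    rm -rf "$sample"
    if [ -d /proc/self ]; then
        echo "/proc: $(count_global_entries /proc) global entries"
        echo "/proc/self exposes: $(task_namespace_exposure /proc/self)"
    fi
fi
```

On a full proc mount the global count is large; on a pids-only mount it should drop to zero, while `task_namespace_exposure` still reports `net ns` for any task directory, which is exactly the residual exposure the question in the thread points at.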
