Date: Sun, 27 Mar 2011 23:45:52 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: sysfs facility

Vasiliy,

On Sun, Mar 27, 2011 at 07:05:46PM +0400, Vasiliy Kulikov wrote:
> I've written a draft version of a sysfs facility for owl-control to restrict
> access to the contents of the sysfs mount point. It has only 2 modes - public
> (currently implemented in every distro) and restricted. It lacks
> a group restriction.
>
> The same works for procfs (e.g. to fix numerous ASLR infoleaks,
> prevent exploitation of CVE-2011-1020, or just to restrict ps(1)).

Although we had discussed this approach, I never liked it much. I did not
seriously consider it for Owl.

I think it is better for us to get support for different sysfs and procfs
permission settings into the kernel. It could be in the form of sysctls or
maybe mount options - mode, gid, umask. Something like:

mount sysfs /sys -t sysfs -omode=700
mount proc /proc -t proc -ogid=110,umask=007

could be our default. The procfs umask would apply to user-related entries
in /proc only (most importantly, the /proc/<pid> directories), whereas
system-wide things like /proc/cpuinfo would stay world-readable. If one
wants to restrict access to those, they'd use mode=... instead, which would
apply to the procfs root directory entry.

Well, OK, that's confusing, and then we'd want umask to apply to /proc/net
as well... So maybe a differently named mount option or a sysctl will be
better.

I think we should decide on this and propose it upstream. Even if rejected
upstream, we need something like this in our kernel anyway. Restricting
access to the mount point won't cut it - no equivalent to restricting
/proc/<pid> directories, which is a must for being able to let ps see the
current user's processes only.

So if you asked me whether to create such a control facility or not, I
would reply "no". Now that you've already spent time on it, I'm not sure.

What do others think?

Thanks,

Alexander
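The kernel-side mount-option approach argued for in the message above, as an added example that is not part of this thread, of Owl, or of owl-control: mainline procfs later gained `hidepid=` and `gid=` mount options (Linux 3.3 and later; symbolic `hidepid=` values such as `invisible` since 5.8) rather than the `mode=`/`umask=` spelling proposed here, and the script below inspects a mount table for them and reports what ps(1) run by an ordinary user would be able to see. The sample mount tables are constructed in the style of /proc/mounts; the option names are the kernel's, the function names are mine.

```sh
#!/bin/sh
# Added example (not from the thread or from Owl): report how a procfs mount
# restricts /proc/<pid> visibility. It reads the hidepid= and gid= options
# that mainline procfs accepts (Linux 3.3 and later), which are the kernel's
# answer to the umask=/gid= idea in the message. Sample mount tables are
# constructed; they mimic /proc/mounts (device mountpoint fstype options 0 0).

SAMPLE_PUBLIC='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

SAMPLE_RESTRICTED='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=110 0 0'

# Kernels 5.8 and later also accept symbolic hidepid= values.
SAMPLE_SYMBOLIC='proc /proc proc rw,relatime,hidepid=invisible 0 0'

SAMPLE_NOPROC='sysfs /sys sysfs rw,relatime 0 0'

# Succeed if a procfs is mounted at $2 (default /proc) in mount table $1.
proc_is_mounted() {
    printf '%s\n' "$1" | awk -v mp="${2:-/proc}" \
        '$2 == mp && $3 == "proc" { f = 1 } END { exit !f }'
}

# Print the value of mount option $2 (e.g. gid) on the procfs at $3
# (default /proc) in mount table $1; print nothing if unset or not mounted.
proc_mount_opt() {
    printf '%s\n' "$1" | awk -v key="$2" -v mp="${3:-/proc}" '
        $2 == mp && $3 == "proc" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (index(opts[i], key "=") == 1)
                    val = substr(opts[i], length(key) + 2)
        }
        END { print val }'
}

# Print the numeric hidepid level (0 public, 1 listed but unreadable,
# 2 invisible, 4 ptraceable) of the procfs at $2, mapping symbolic
# spellings to their numbers.
proc_hidepid_level() {
    hp=$(proc_mount_opt "$1" hidepid "${2:-/proc}")
    case $hp in
        ''|off)     echo 0 ;;
        noaccess)   echo 1 ;;
        invisible)  echo 2 ;;
        ptraceable) echo 4 ;;
        *)          echo "$hp" ;;
    esac
}

# One-line verdict on what an ordinary user's ps(1) can see; the gid= group,
# when set, is exempt from hidepid, much like the gid=110 in the message.
assess_proc_mount() {
    if ! proc_is_mounted "$1"; then
        echo "no procfs mounted at /proc"
        return 1
    fi
    gid=$(proc_mount_opt "$1" gid)
    case $(proc_hidepid_level "$1") in
        0) echo "public: every user can read other users' /proc/<pid>" ;;
        1) echo "restricted: other users' /proc/<pid> listed but not readable${gid:+ (except gid $gid)}" ;;
        2) echo "restricted: other users' /proc/<pid> hidden${gid:+ (except gid $gid)}" ;;
        4) echo "restricted: only ptrace-able processes visible${gid:+ (except gid $gid)}" ;;
        *) echo "unknown hidepid value" ;;
    esac
}

# Stand-alone use: assess the live mount table when there is one.
if [ -r /proc/mounts ]; then
    assess_proc_mount "$(cat /proc/mounts)"
fi
```

Run it on a machine and the verdict for the live /proc is printed; a "public" result is the state the message calls "currently implemented in every distro", and a `hidepid=2,gid=<n>` mount is the nearest mainline equivalent of the `-ogid=110,umask=007` default proposed above.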