Date: Tue, 24 May 2011 19:12:46 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Cc: Eugene Teo <eugeneteo@...il.com>
Subject: Re: segoon's status report - #1 of 15

Solar,

On Tue, May 24, 2011 at 06:34 +0400, Solar Designer wrote:
> On Wed, May 18, 2011 at 07:06:01PM +0400, Vasiliy Kulikov wrote:
> > Accomplishments:
> >
> > * Studied VFS and sysfs subsystems.
> > * Implemented a basic version of gid and pmode options for procfs (via
> >   sysctl, no mount option yet).
>
> IIRC, there was partial support for gid= on procfs in stock 2.4 kernels,
> and -ow patches completed that. Is this somehow gone in 2.6? (I did
> not look into this at all.)

Currently procfs doesn't parse mount options at all. I didn't know
about gid= parsing in 2.4, will look at it.

> > * Implemented sysfs' mount options parsing and a basic version of
> >   sysfs "mode" option.
>
> Where is this code (your changes)? Just on your computer?
>
> > Priorities:
> >
> > * More tests of the patch for sysfs, send RFC to LKML.
>
> Not done yet? (At least, I was not CC'ed on a message like that.)

I've posted an initial patch to LKML:

https://lkml.org/lkml/2011/5/18/272

Here I just posted the patch to LKML CC'ing relevant upstream people
(here GregKH only) and CC'ing my mentor, Eugene - people on LKML are
annoyed by long CC lists sometimes. Should I CC you and/or owl-dev?

> > * Rethink and discuss the usefulness of hiding /proc pid directories.
>
> What exactly do you mean by "hiding /proc pid directories"? Restricting
> the perms on them (like in -ow patches and grsecurity) or actually
> hiding the directories themselves (not revealing the PIDs and their
> corresponding owner UIDs)?

I've implemented restricted perms, but didn't do actual hiding of
directories. In grsecurity it is implemented by hiding directories from
processes that cannot access them. I think it may be defective by design
because there are many other ways to identify whether there is a process
with a specific pid. However, it might really hide process UID
(/proc/PID/ owner). Eugene also noted that directory hiding might
confuse antirootkits, etc.

Thanks,

--
Vasiliy