|
Message-ID: <20110620150052.GA12077@albatros> Date: Mon, 20 Jun 2011 19:00:52 +0400 From: Vasiliy Kulikov <segoon@...nwall.com> To: kernel-hardening@...ts.openwall.com Subject: Re: [RFC 2/5 v4] procfs: add hidepid= and gid= mount options Solar, On Mon, Jun 20, 2011 at 18:47 +0400, Solar Designer wrote: > On Mon, Jun 20, 2011 at 06:35:50PM +0400, Vasiliy Kulikov wrote: > > I didn't post a patch with taskstats and sysctl variables to LKML yet > > (only the changes in ptrace/capabilities code). > > I don't understand the rationale behind the latter. I can try to guess, > but I'd prefer to see a simple explanation from you. (Maybe I missed > one.) It sounds like you're going to spend considerable time on those > changes, but it is not clear to me whether they're needed or not. > > So please explain (maybe in a more proper thread than this one). > > Unfortunately, I won't have time to participate in a discussion on this > today (nor in the following few days), but I'd like to be informed > anyway and maybe others will comment. The thing is that taskstats' way of gathering process' information includes registering a "hook" via netlink socket. When any process exits, taskstats code enumerates registered hookers and sends all information about exited process via the sockets. It is handled in the context of exiting task. So, to know whether the hooker may gather process' information or no (whether exiting task should send info via the socket), I need a function answering whether *another task* may ptrace *current task* (ptrace_may_access does the reverse) as the last check in procinfo_task_may_stat_current() (reversed proc_may_access() in the past). The changes are relatively simple (the patch look huge, though) as the patch touches many functions (including LSM and user namespaces) adding new explicit "task" argument instead of implicit "current" without important functional changes. Without ptrace changes HARDEN_PROC is unlikely to be consistently working because of taskstats. Also you might want to read my another mail where I've clarified why I've rejected (temporarily, I hope) hidepid=2: http://www.openwall.com/lists/kernel-hardening/2011/06/18/2 Thanks, -- Vasiliy
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.