Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20111107201120.GA5775@albatros>
Date: Tue, 8 Nov 2011 00:11:20 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: "H. Peter Anvin" <hpa@...or.com>
Cc: Eric Paris <eparis@...isplace.org>, kernel-hardening@...ts.openwall.com,
	Valdis.Kletnieks@...edu, linux-kernel@...r.kernel.org,
	Alexey Dobriyan <adobriyan@...il.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-security-module@...r.kernel.org,
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: Re: [PATCH] proc: restrict access to
 /proc/interrupts

On Mon, Nov 07, 2011 at 11:50 -0800, H. Peter Anvin wrote:
> On 11/07/2011 11:48 AM, Eric Paris wrote:
> > On Mon, Nov 7, 2011 at 2:29 PM, Vasiliy Kulikov <segoon@...nwall.com> wrote:
> >> On Mon, Nov 07, 2011 at 11:18 -0800, H. Peter Anvin wrote:
> > 
> >> As to procfs, I see no real need of adding mode/group mount option for
> >> global procfs files (/proc/interrupts, /proc/stat, etc.) - it can be
> >> done by distro specific init scripts (chown+chmod).  I don't mind
> >> against such an option for the convenience, though.
> > 
> > While possible, the chmod+chown 'solutions' just aren't as simple as
> > you pretend.  Every time one creates a chroot environment and mounts
> > /proc it has be manually fixed there as well.  Same thing with a
> > container.  Sure if /proc were something that was only ever mounted
> > one time on a box it wouldn't be so bad, but that's not the case.....
> 
> Yes, for a filesystem that dynamically creates nodes, a static script
> just doesn't work well.  Control options do, like we have for devpts for
> example.

My statement was about static files - /proc/{interrupts,meminfo,stat,cpuinfo}.
They don't change during the system life.  /proc/$PID/* files are indeed
dymanic and the first link in my quoted email was about addition of such
mount options.

Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.