Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20161103204239.GN8196@pc.thejh.net>
Date: Thu, 3 Nov 2016 21:42:39 +0100
From: Jann Horn <jann@...jh.net>
To: Kees Cook <keescook@...omium.org>
Cc: Lafcadio Wluiki <wluikil@...il.com>,
	LKML <linux-kernel@...r.kernel.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: Re: [2/2] procfs/tasks: add a simple per-task
 procfs hidepid= field

On Thu, Nov 03, 2016 at 02:34:16PM -0600, Kees Cook wrote:
> On Thu, Nov 3, 2016 at 12:24 PM, Jann Horn <jann@...jh.net> wrote:
> > On Thu, Nov 03, 2016 at 09:30:38AM -0600, Lafcadio Wluiki wrote:
> >> This adds a new per-task hidepid= flag that is honored by procfs when
> >> presenting /proc to the user, in addition to the existing hidepid= mount
> >> option. So far, hidepid= was exclusively a per-pidns setting. Locking
> >> down a set of processes so that they cannot see other user's processes
> >> without affecting the rest of the system thus currently requires
> >> creation of a private PID namespace, with all the complexity it brings,
> >> including maintaining a stub init process as PID 1 and losing the
> >> ability to see processes of the same user on the rest of the system.
> > [...]
> >> diff --git a/kernel/sys.c b/kernel/sys.c
> >> index 89d5be4..c0a1d3e 100644
> >> --- a/kernel/sys.c
> >> +++ b/kernel/sys.c
> >> @@ -2270,6 +2270,16 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
> >>       case PR_GET_FP_MODE:
> >>               error = GET_FP_MODE(me);
> >>               break;
> >> +     case PR_SET_HIDEPID:
> >> +             if (arg2 < HIDEPID_OFF || arg2 > HIDEPID_INVISIBLE)
> >> +                     return -EINVAL;
> >> +             if (arg2 < me->hide_pid)
> >> +                     return -EPERM;
> >> +             me->hide_pid = arg2;
> >> +             break;
> >
> > Should we test for ns_capable(CAP_SYS_ADMIN)||no_new_privs here?
> > I think it wouldn't hurt, and I'd like to avoid adding new ways in which
> > the execution of setuid programs can be influenced. OTOH, people already
> > use hidepid now, and it's not an issue... I'm not sure. Opinions?
> 
> Hrrm, I'm really on the fence. I don't feel like having things in
> /proc go invisible for a setuid would be bad, but I wouldn't be
> surprised to eat my words. :) On the other hand, I can't think of a
> place where this requirement would create a problem.
> 
> e.g. init launching a web server as root could set nnp and this, and
> it would still be able to switch down to www-data, etc. If someone has
> www-data in their /etc/sudoers file, I already fear for their sanity.
> ;)

(and init launching a web server as root could also set hidepid without
setting nnp if it really wants to)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.