Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20180227210625.GA2646@eros>
Date: Wed, 28 Feb 2018 08:06:25 +1100
From: "Tobin C. Harding" <me@...in.cc>
To: Alexander Kapshuk <alexander.kapshuk@...il.com>
Cc: Kernel Hardening <kernel-hardening@...ts.openwall.com>,
	Tycho Andersen <tycho@...ho.ws>,
	LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 1/3] leaking_addresses: skip all /proc/PID except /proc/1

On Tue, Feb 27, 2018 at 09:15:03AM +0200, Alexander Kapshuk wrote:
> On Tue, Feb 27, 2018 at 6:45 AM, Tobin C. Harding <me@...in.cc> wrote:
> > When the system is idle it is likely that most files under /proc/PID
> > will be identical for various processes.  Scanning _all_ the PIDs under
> > /proc is unnecessary and implies that we are thoroughly scanning /proc.
> > This is _not_ the case because there may be ways userspace can trigger
> > creation of /proc files that leak addresses but were not present during
> > a scan.  For these two reasons we should exclude all PID directories
> > under /proc except '1/'
> >
> > Exclude all /proc/PID except /proc/1.
> >
> > Signed-off-by: Tobin C. Harding <me@...in.cc>
> > ---
> >  scripts/leaking_addresses.pl | 11 +++++++++++
> >  1 file changed, 11 insertions(+)
> >
> > diff --git a/scripts/leaking_addresses.pl b/scripts/leaking_addresses.pl
> > index 6e5bc57caeaa..fb40e2828f43 100755
> > --- a/scripts/leaking_addresses.pl
> > +++ b/scripts/leaking_addresses.pl
> > @@ -10,6 +10,14 @@
> >  # Use --debug to output path before parsing, this is useful to find files that
> >  # cause the script to choke.
> >
> > +#
> > +# When the system is idle it is likely that most files under /proc/PID will be
> > +# identical for various processes.  Scanning _all_ the PIDs under /proc is
> > +# unnecessary and implies that we are thoroughly scanning /proc.  This is _not_
> > +# the case because there may be ways userspace can trigger creation of /proc
> > +# files that leak addresses but were not present during a scan.  For these two
> > +# reasons we exclude all PID directories under /proc except '1/'
> > +
> >  use warnings;
> >  use strict;
> >  use POSIX;
> > @@ -472,6 +480,9 @@ sub walk
> >                         my $path = "$pwd/$file";
> >                         next if (-l $path);
> >
> > +                       # skip /proc/PID except /proc/1
> > +                       next if ($path =~ /\/proc\/(?:[2-9][0-9]*|1[0-9]+)/);
> > +
> >                         next if (skip($path));
> >
> >                         if (-d $path) {
> > --
> > 2.7.4
> >
> 
> Would something like this do the trick?
> perl -e 'foreach my $dir (`ls -d /proc/[0-9]*`){next if($dir !~
> "/proc/1\$"); print $dir}'
> /proc/1

thanks for the suggestion Alexander.  Here is Tycho's suggestion (from
other email, copied here for reference:

	> substr($path, 0, len("/proc/1/")) eq "/proc/1/"

I originally thought Tycho's suggestion was correct until I read yours
and realized that they both find '/proc/1'.  You filter on the numbered
directories for '/proc/1' (missing the other directories) and Tycho
finds only directories with '/proc/1' as the leading characters.  Both
of these differ to the original regex in that the original skips
numbered directories (under '/proc') that are _not_ '/proc/1' i.e it
allows parsing of all the non-numbered directories and parsing of '/proc/1'.

If my reasoning is correct, perhaps we have at least shown that that the
regex should have a comment :)

Happy to be corrected.

thanks,
Tobin.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.