[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20111109175017.GA31883@albatros>
Date: Wed, 9 Nov 2011 21:50:17 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: procfs and tty timing infoleaks
Solar, all -
Given latest LKML discussions about scheduler and timestamp infoleaks,
I think we can break backward compatibility via patching procps in Owl.
In details, I propose:
1) restrict access to /proc/$PID/{stat,sched,schedstat}. Patch procps
to gracefully handle -EPERM as if all stats are zeroes.
2) chmod /proc/{interrupts,stat} to 0400.
3) fill zeroes in tty mtime/atime fields on stat() family syscalls.
Alternative - not to patch these ourselves too and propose procfs patch
upstream; after we get ACK/NACK, backport it to RHEL5 kernel and to RHEL6
after we move to it. But it still has a major issue - as all procfs
files should check permissions on read/write, all 0444 procfs files
currently missing ptrace check will need it too (which is quite messy
with runtime configurabe approach).
Thanks,
--
Vasiliy
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
