This patch series adds support of procfs mount options and adds
mount options to restrict /proc/<pid>/ directories to owners and
/proc/<pid>/net/* to root. Additional group may be defined via
gid=, and this group will be privileged to study others /proc/<pid>/
and networking information.
Similar features are implemented for old kernels in -ow patches (for
Linux 2.2 and 2.4) and for Linux 2.6 in -grsecurity, but both of them
are implemented as configure options, not cofigurable in runtime, with
changes of gid of /proc/<pid>/, and without backward-compatible
/proc/<pid>/net/* handling.
The first patch introduces mount option parsing without any new options.
The second patch adds options of /proc/<pid>/ restrictions.
The third patch makes net_create() globally visible.
The fourth patch adds options of /proc/<pid>/net/ restrictions.
The fifth patch adds documentations for options above.
Vasiliy Kulikov (5):
procfs: parse mount options
procfs: add hidepid= and gid= mount options
net: restore net_create and make it globally visible
procfs: Add hidenet/nohidenet procfs mount options.
procfs: add documentation for procfs mount options
Documentation/filesystems/proc.txt | 51 ++++++++++++++++++++++
fs/proc/base.c | 62 ++++++++++++++++++++++++++-
fs/proc/inode.c | 20 +++++++++
fs/proc/internal.h | 1 +
fs/proc/proc_net.c | 26 +++++++++++
fs/proc/root.c | 83 +++++++++++++++++++++++++++++++++++-
include/linux/pid_namespace.h | 3 +
include/net/net_namespace.h | 2 +
net/core/net_namespace.c | 12 +++--
9 files changed, 253 insertions(+), 7 deletions(-)
On Wednesday 15 June 2011, Vasiliy Kulikov wrote:
>
> This patch series adds support of procfs mount options and adds
> mount options to restrict /proc/<pid>/ directories to owners and
> /proc/<pid>/net/* to root. Additional group may be defined via
> gid=, and this group will be privileged to study others /proc/<pid>/
> and networking information.
>
> Similar features are implemented for old kernels in -ow patches (for
> Linux 2.2 and 2.4) and for Linux 2.6 in -grsecurity, but both of them
> are implemented as configure options, not cofigurable in runtime, with
> changes of gid of /proc/<pid>/, and without backward-compatible
> /proc/<pid>/net/* handling.
The patches all look good to me implementation-wise.
I have no opinion on whether it's a good idea to include the feature or not.
Arnd
Hi Arnd,
On Thu, Jun 16, 2011 at 10:50 +0200, Arnd Bergmann wrote:
> The patches all look good to me implementation-wise.
Thanks for the review!
> I have no opinion on whether it's a good idea to include the feature or not.
Why not? Have you some specific complains where it can be perhaps too
strong/insufficient/non-configurable?
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
On Thursday 16 June 2011, Vasiliy Kulikov wrote:
> > I have no opinion on whether it's a good idea to include the feature or not.
>
> Why not? Have you some specific complains where it can be perhaps too
> strong/insufficient/non-configurable?
No, not at all. I just haven't had the need for this myself, and I'm not
enough of a security person to judge whether the vulnerability addressed
by the patch is a relevant one. E.g. if all the sensitive information
you are hiding in procfs is still available through netlink, your patch
is pointless. Similarly if there is no recorded case of an attack that
relies on any of the information in procfs.
Arnd
Arnd,
On Thu, Jun 16, 2011 at 13:40 +0200, Arnd Bergmann wrote:
> E.g. if all the sensitive information
> you are hiding in procfs is still available through netlink, your patch
> is pointless.
Ah, I've complitely missed this piece of a puzzle! :( With procfs, proc
connector and taskstats (probably, something else) should be restricted
too.
Thank you very much for this notice!
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
Plese cc Alexey on procfs things.
On Wed, 15 Jun 2011 22:51:35 +0400
Vasiliy Kulikov <[email protected]> wrote:
> This patch series adds support of procfs mount options and adds
> mount options to restrict /proc/<pid>/ directories to owners and
> /proc/<pid>/net/* to root. Additional group may be defined via
> gid=, and this group will be privileged to study others /proc/<pid>/
> and networking information.
>
> Similar features are implemented for old kernels in -ow patches (for
> Linux 2.2 and 2.4) and for Linux 2.6 in -grsecurity, but both of them
> are implemented as configure options, not cofigurable in runtime, with
> changes of gid of /proc/<pid>/, and without backward-compatible
> /proc/<pid>/net/* handling.
This all seems highly specific to one particular set of requirements.
We have one set of access permission rules and then dive into procfs
and hard-wire those rules into the implementation? What happens if
someone else has a similar but slightly different set of requirements?
More kernel patches?
IOW is there some more general way of doing all this? <handwaving>Like
better permissions/chmod support in procfs and an inherited-across-fork
per-process procfs permissions mask.</handwaving>
Does all this code support `mount -o remount' as expected?
Hi,
First of all, to make it clear, this specific patch is not proposed
anymore because it doesn't restrict taskstats which can be used to
gather similar information. The patch working with taskstats (and
without hidepid=2) was not yet posted on LKML, but is available here:
http://www.openwall.com/lists/kernel-hardening/2011/06/19/3
On Tue, Jun 21, 2011 at 15:31 -0700, Andrew Morton wrote:
> > This patch series adds support of procfs mount options and adds
> > mount options to restrict /proc/<pid>/ directories to owners and
> > /proc/<pid>/net/* to root. Additional group may be defined via
> > gid=, and this group will be privileged to study others /proc/<pid>/
> > and networking information.
> >
> > Similar features are implemented for old kernels in -ow patches (for
> > Linux 2.2 and 2.4) and for Linux 2.6 in -grsecurity, but both of them
> > are implemented as configure options, not cofigurable in runtime, with
> > changes of gid of /proc/<pid>/, and without backward-compatible
> > /proc/<pid>/net/* handling.
>
> This all seems highly specific to one particular set of requirements.
Yes, I admit this. The problem with procfs is that it's possible to
chmod/chown some procfs files, but not /proc/PID/*. Even if make it
possible to chmod/chown them (and introducing an inodes revalidation on
execve() setuid and similar binaries) it is still racy - new processes
would have /proc/PID/ and some files inside with perms=0555. So, for
more generic mechanism something like umask is needed. The patch in
question implements 2 border cases:
1) relaxed. umask=0555.
2) restricted. umask=0550 (with tricky gid) and files are still not
chmod'able.
More generic solution (I'm not suggesting it, but merely discussing)
would use some user-supplied set of files to restrict access to (or,
better, the set of allowed files because white list is almost always
better than black list). Maybe this one:
mount -t proc -o "pid_allow=exe,status,comm,oom_*" proc /proc
And without pid_allow it would behave like pid_allow=*. "pid_allow=."
would deny access to the whole /proc/PID.
This would be a bit inconsistent with current permissions because e.g.
if use pid_allow=environ then environ file would not be accessible
because of posix permissions. Hierarchical mode (pid_allow=fd/1) is not
allowed too.
But it wouldn't work with taskstats. It needs its own set of allowed
fields or field sets like delayacct,csw,bacct,xacct.
> IOW is there some more general way of doing all this? <handwaving>Like
> better permissions/chmod support in procfs and an inherited-across-fork
> per-process procfs permissions mask.</handwaving>
I don't know such way, but it would ease procfs logic.
> Does all this code support `mount -o remount' as expected?
Yes.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
On Wed, Jun 22, 2011 at 10:45 +0400, Vasiliy Kulikov wrote:
> More generic solution (I'm not suggesting it, but merely discussing)
> would use some user-supplied set of files to restrict access to (or,
> better, the set of allowed files because white list is almost always
> better than black list). Maybe this one:
>
> mount -t proc -o "pid_allow=exe,status,comm,oom_*" proc /proc
>
> And without pid_allow it would behave like pid_allow=*.
> "pid_allow=."
> would deny access to the whole /proc/PID.
I mean "pid_allow=", of course.
> This would be a bit inconsistent with current permissions because e.g.
> if use pid_allow=environ then environ file would not be accessible
> because of posix permissions. Hierarchical mode (pid_allow=fd/1) is not
> allowed too.
For hierarchical mode: attr_allowed, tgid_allowed, tid_allowed.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
On Wed, Jun 22, 2011 at 10:45 +0400, Vasiliy Kulikov wrote:
> > This all seems highly specific to one particular set of requirements.
>
> Yes, I admit this. The problem with procfs is that it's possible to
> chmod/chown some procfs files, but not /proc/PID/*. Even if make it
> possible to chmod/chown them (and introducing an inodes revalidation on
> execve() setuid and similar binaries) it is still racy - new processes
> would have /proc/PID/ and some files inside with perms=0555. So, for
> more generic mechanism something like umask is needed. The patch in
> question implements 2 border cases:
>
> 1) relaxed. umask=0555.
>
> 2) restricted. umask=0550 (with tricky gid) and files are still not
> chmod'able.
>
>
> More generic solution (I'm not suggesting it, but merely discussing)
> would use some user-supplied set of files to restrict access to (or,
> better, the set of allowed files because white list is almost always
> better than black list). Maybe this one:
>
> mount -t proc -o "pid_allow=exe,status,comm,oom_*" proc /proc
Does this scheme make sense? Should I rensend the patch with these
architecture?
pid_allow=, tid_allow=, attr_allow= and watch_gid= or smth like that.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments