Date: Thu, 3 Oct 2013 08:22:56 +0200
From: Ingo Molnar
To: Djalal Harouni
Cc: Andy Lutomirski, "Eric W. Biederman", Kees Cook, Al Viro,
    Andrew Morton, Linus Torvalds, "Serge E. Hallyn", Cyrill Gorcunov,
    David Rientjes, LKML, Linux FS Devel,
    kernel-hardening@lists.openwall.com, Djalal Harouni
Subject: Re: [PATCH v2 0/9] procfs: protect /proc//* files with file->f_cred

* Djalal Harouni wrote:

> * You can't do it for /proc/*/stat otherwise you will break userspace
>   "ps"..., ps must access /proc/1/stat etc... so the proposed solution
>   will work without any side effect.

The thing is, returning -EINVAL is not the only way to reject access to
privileged information!

In the /proc/1/stat case a compatibility quirk can solve the problem:
create a special 'dummy' process inode for invalid accesses and give it to
ps, with all fields present but zero.

> And for /proc/*/maps you will perhaps break glibc under certain
> situations... so just hold it for the moment and test it
> later. There have been reports in the past about it.

Same deal: just create a dummy compat-quirk maps inode with constant, zero
information contents to placate old user-space:

  00000000-00000000 ---p 00000000 00:00 0

[ Or whatever line is needed to minimally not break old userspace. ]

But don't leak privileged information!

( Maybe add a CONFIG_PROC_FS_COMPAT_QUIRKS Kconfig option, default-y for
  now, that new/sane userspace can turn off. )

Thanks,

	Ingo
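
A userspace-side view of the maps placeholder suggested in the message above, as an added example that is not part of the original message or of any kernel code: a strict C parser for the /proc/<pid>/maps line format accepts the all-zero line as well-formed, and a consumer can recognize it as a placeholder rather than a real mapping. The struct, the function names, and the sample "real" line are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One parsed maps entry: address range, perms, offset, dev, inode. */
struct map_entry {
    unsigned long start, end, offset, inode;
    unsigned int dev_major, dev_minor;
    char perms[5];
};

enum { MAPS_MALFORMED = -1, MAPS_PLACEHOLDER = 0, MAPS_REAL = 1 };

/* Strict parse of the seven mandatory fields; 0 on success, -1 otherwise. */
int parse_maps_line(const char *line, struct map_entry *e)
{
    int n = sscanf(line, "%lx-%lx %4s %lx %x:%x %lu",
                   &e->start, &e->end, e->perms, &e->offset,
                   &e->dev_major, &e->dev_minor, &e->inode);
    if (n != 7 || strlen(e->perms) != 4 || e->end < e->start)
        return -1;
    return 0;
}

/* The all-zero line from the message: parses fine, carries no information. */
int is_placeholder(const struct map_entry *e)
{
    return e->start == 0 && e->end == 0 && e->offset == 0 &&
           e->dev_major == 0 && e->dev_minor == 0 && e->inode == 0 &&
           strcmp(e->perms, "---p") == 0;
}

int classify_maps_line(const char *line)
{
    struct map_entry e;
    if (parse_maps_line(line, &e) != 0)
        return MAPS_MALFORMED;
    return is_placeholder(&e) ? MAPS_PLACEHOLDER : MAPS_REAL;
}

int main(void)
{
    const char *samples[] = {
        "00000000-00000000 ---p 00000000 00:00 0",                /* from the message */
        "00400000-0040b000 r-xp 00000000 08:01 131090 /bin/cat",  /* constructed */
        "",                                                       /* empty read */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%2d  \"%s\"\n", classify_maps_line(samples[i]), samples[i]);
    return 0;
}
```

A reader that only checks for a well-formed line keeps working on the placeholder, while a tool that cares can tell "access was refused" apart from a real mapping.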