From: Jann Horn
Date: Fri, 11 May 2018 15:58:39 +0200
Subject: Re: [PATCH v5 7/7] proc: add option to mount only a pids subset
To: Alexey Gladkov
Cc: Kees Cook, Andy Lutomirski, Andrew Morton, linux-fsdevel@vger.kernel.org, kernel list, Kernel Hardening, linux-security-module, Linux API, Greg Kroah-Hartman, Alexander Viro, Akinobu Mita, Oleg Nesterov, Jeff Layton, Ingo Molnar, Alexey Dobriyan, "Eric W. Biederman", Linus Torvalds, Daniel Micay, Jonathan Corbet, bfields@fieldses.org, Stephen Rothwell, Solar Designer, "Dmitry V. Levin", Djalal Harouni
In-Reply-To: <20180511093707.GA1403@comp-core-i7-2640m-0182e6>
List-ID: linux-kernel@vger.kernel.org

On Fri, May 11, 2018 at 11:37 AM, Alexey Gladkov wrote:
> This allows hiding all files and directories in the procfs that are not
> related to tasks.

/proc/$pid/net and /proc/$pid/task/$tid/net aren't in scope for this
protection, even though they contain information about the whole network
namespace of the task, right?
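The check behind the question above, as an added example that is not part of the patch series or of either mail. /proc/$pid/net and /proc/$pid/task/$tid/net are keyed by the task's network namespace rather than by the task itself, so every task sharing that namespace shows identical contents there, and a procfs mount that hides only the non-task top-level entries still exposes the namespace-wide socket tables, routes and interface counters through the per-task paths. The script takes a procfs mount point (default /proc; pass the path of a test mount made with the pids-only option, whose name is not taken from this page) and reports which of those files remain readable; the file list and function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the patch or the thread. Checks whether
# network-namespace-wide information is still reachable through the
# per-task and per-thread paths of a given procfs mount.

# netns_of PROCMOUNT PID -> the namespace link target, e.g. "net:[4026531993]"
netns_of() {
    readlink "${1:-/proc}/$2/ns/net"
}

# netns_leak_check PROCMOUNT [PID]
# Prints one line per network file that is readable via $PID's per-task
# directory (and its first thread's per-thread directory). Returns 0 if at
# least one such file is readable, 1 if the mount hides all of them.
netns_leak_check() {
    mnt="${1:-/proc}"
    pid="${2:-self}"
    # Pick one thread id; /proc/$pid/task/$tid/net is the per-thread view.
    tid='*'
    for t in "$mnt/$pid/task"/*; do
        tid="${t##*/}"
        break
    done
    found=0
    # Sample of namespace-wide files (not an exhaustive list of /proc/$pid/net).
    for f in "$mnt/$pid/net/dev" "$mnt/$pid/net/tcp" "$mnt/$pid/net/udp" \
             "$mnt/$pid/net/route" "$mnt/$pid/task/$tid/net/dev"; do
        if [ -r "$f" ]; then
            printf 'readable: %s (%s lines)\n' "$f" "$(wc -l < "$f" | tr -d ' ')"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# same_netns_view PROCMOUNT PID_A PID_B
# Returns 0 when both tasks are in the same network namespace and their
# per-task net/route files are identical, i.e. the per-task path is really
# a per-namespace view; the routing table is used because, unlike net/dev,
# it does not change between two reads under normal traffic.
same_netns_view() {
    mnt="${1:-/proc}"
    [ "$(netns_of "$mnt" "$2")" = "$(netns_of "$mnt" "$3")" ] &&
        [ "$(cat "$mnt/$2/net/route")" = "$(cat "$mnt/$3/net/route")" ]
}

# Stand-alone run: report on the calling shell via the default mount.
if [ "${0##*/}" != "sh" ] && [ -r /proc/self/net/dev ]; then
    netns_leak_check /proc self
    same_netns_view /proc self "$$" && echo "per-task net/ is the namespace view"
fi
```

Run it as `sh netns_leak_check.sh` on the host first to see the baseline, then against a mount created with the pids-only option and a pid from that mount; any line printed is data the subset mount still leaks, and a 1 exit status from netns_leak_check is the result the patch would need to produce for the per-task paths to be covered.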