Subject: Re: [PATCH v5 5/7] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option
To: Alexey Gladkov, Kees Cook, Andy Lutomirski, Andrew Morton, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-security-module@vger.kernel.org, linux-api@vger.kernel.org
Cc: Greg Kroah-Hartman, Alexander Viro, Akinobu Mita, Oleg Nesterov, Jeff Layton, Ingo Molnar, Alexey Dobriyan, "Eric W. Biederman", Linus Torvalds, aniel Micay, Jonathan Corbet, bfields@fieldses.org, Stephen Rothwell, solar@openwall.com, "Dmitry V. Levin", Djalal Harouni
References: <20180511093613.GA1330@comp-core-i7-2640m-0182e6>
From: Randy Dunlap
Message-ID: <7c638a92-8c40-fa15-8c63-777232588137@infradead.org>
Date: Fri, 11 May 2018 09:09:04 -0700
In-Reply-To: <20180511093613.GA1330@comp-core-i7-2640m-0182e6>
X-Mailing-List: linux-kernel@vger.kernel.org

On 05/11/2018 02:36 AM, Alexey Gladkov wrote:
> From: Djalal Harouni
>
> If "limit_pids=1" mount option is set then do not instantiate pids that
> we can not ptrace. "limit_pids=1" means that procfs should only contain
> pids that the caller can ptrace.

Where can I find documentation on these mount options (pidonly, limit_pids)?

Thanks.

> Cc: Kees Cook
> Cc: Andy Lutomirski
> Signed-off-by: Djalal Harouni
> ---
> fs/proc/base.c | 9 +++++++++
> 1 file changed, 9 insertions(+)

--
~Randy