From: ebiederm@xmission.com (Eric W. Biederman)
To: Topi Miettinen
Cc: Luis Chamberlain, Kees Cook, Alexey Dobriyan, linux-kernel@vger.kernel.org, open list: FILESYSTEMS (VFS and infrastructure)
Subject: Re: [PATCH] Allow restricting permissions in /proc/sys
Date: Mon, 04 Nov 2019 09:44:05 -0600
Message-ID: <87h83jejei.fsf@x220.int.ebiederm.org>
In-Reply-To: (Topi Miettinen's message of "Sun, 3 Nov 2019 21:38:50 +0200")
References: <74a91362-247c-c749-5200-7bdce704ed9e@gmail.com> <87d0e8g5f4.fsf@x220.int.ebiederm.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Topi Miettinen writes:

> On 3.11.2019 20.50, Eric W. Biederman wrote:
>> Topi Miettinen writes:
>>
>>> Several items in /proc/sys need not be accessible to unprivileged
>>> tasks. Let the system administrator change the permissions, but only
>>> to more restrictive modes than what the sysctl tables allow.
>>
>> This looks quite buggy. You neither update table->mode nor
>> do you ever read from table->mode to initialize the inode.
>> Am I missing something in my quick reading of your patch?
>
> inode->i_mode gets initialized in proc_sys_make_inode().
>
> I didn't want to touch the table, so that the original permissions can
> be used to restrict the changes made. In case the restrictions are
> removed as suggested by Theodore Ts'o, table->mode could be
> changed. Otherwise I'd rather add a new field to store the current
> mode and the mode field can remain for reference. As the original
> author of the code from 2007, would you let the administrator
> chmod/chown the items in /proc/sys without restrictions (e.g. 0400 ->
> 0777)?

At an architectural level I think we need to do this carefully and have
a compelling reason. The code has survived nearly the entire life of
linux without this capability.

I think right now the common solution is to mount another file over the
file you are trying to hide/limit. Changing the permissions might be
better but that is not at all clear.

Do you have specific examples of the cases where you would like to
change the permissions?

>> Not updating table->mode almost certainly means that as soon as the
>> cached inode is invalidated the mode changes will disappear. Not to
>> mention they will fail to propagate between different instances of
>> proc.
>>
>> Losing all of your changes at cache invalidation seems to make this a
>> useless feature.
>
> At least different proc instances seem to work just fine here (they
> show the same changes), but I suppose you are right about cache
> invalidation.

It is going to take the creation of a pid namespace to see different
proc instances. All mounts of the proc within the same pid_namespace
return the same instance.

Eric
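The overmount workaround Eric mentions, as an added example that is not part of this thread or of the kernel's own code: a shell helper that masks one /proc/sys entry with a read-only bind mount (needs root, so it is defined but not invoked here) and a check over /proc/self/mountinfo, run on a constructed sample, that reports whether an entry is already masked that way. The mountinfo field layout is assumed from the kernel's documented format; the sample text is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. It shows the workaround Eric mentions,
# masking a /proc/sys entry by mounting another file over it, and a check
# that reports whether a given entry is currently masked that way.
# Assumption: the mountinfo layout below (id parent maj:min root mountpoint
# options ...) matches /proc/self/mountinfo; the sample text is constructed.

# Mask one sysctl entry (e.g. "kernel/kptr_restrict") with a read-only bind
# mount of an empty file. Needs CAP_SYS_ADMIN. The mask is a mount-namespace
# object, not a change to inode->i_mode or table->mode, so it is not lost
# when the cached proc inode is dropped.
mask_sysctl() {
    entry="/proc/sys/$1"
    [ -e "$entry" ] || return 1
    cover=$(mktemp) || return 1
    mount --bind "$cover" "$entry" && mount -o remount,bind,ro "$entry"
}

# is_masked PATH [MOUNTINFO]: succeed when PATH appears as a mountpoint
# (field 5) in the mountinfo text, i.e. something is mounted over the entry.
is_masked() {
    awk -v p="$1" '$5 == p { found = 1 } END { exit !found }' \
        "${2:-/proc/self/mountinfo}"
}

# Constructed sample mountinfo: /proc itself plus one masked sysctl entry.
SAMPLE_MOUNTINFO=$(mktemp)
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
22 28 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
87 22 0:25 /tmp.x1 /proc/sys/kernel/kptr_restrict ro,relatime - tmpfs tmpfs rw
EOF

for e in kernel/kptr_restrict kernel/dmesg_restrict; do
    if is_masked "/proc/sys/$e" "$SAMPLE_MOUNTINFO"; then
        echo "$e: masked by an overmount"
    else
        echo "$e: not masked, the sysctl table mode applies"
    fi
done
```

Run `is_masked /proc/sys/kernel/kptr_restrict` without the second argument to check the live system; the overmount is visible only inside the mount namespace where it was created.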