Subject: Re: [PATCH] proc: Allow restricting permissions in /proc/sys
To: "Eric W. Biederman", Kees Cook
Cc: Luis Chamberlain, Alexey Dobriyan, "linux-kernel@vger.kernel.org", "open list:FILESYSTEMS (VFS and infrastructure)"
From: Topi Miettinen
Date: Wed, 13 Nov 2019 17:28:52 +0200

On 13.11.2019 16.52, Eric W. Biederman wrote:
> Kees Cook writes:
>
>> Ah! I see the v2 here now. :) Can you please include that in your
>> Subject next time, as "[PATCH v2] proc: Allow restricting permissions
>> in /proc/sys"? Also, can you adjust your MUA to not send a duplicate
>> attachment? The patch inline is fine.
>>
>> Please CC akpm as well, since I think this should likely go through the
>> -mm tree.
>>
>> Eric, do you have any other thoughts on this?
>
> This work seems to be a cousin of having a proc that is safe for
> containers.
>
> Which leads to the whole mess that hide_pid is broken in proc last I
> looked.
>
> So my sense is that what we want to do is not allow changing the
> permissions but to sort through what it will take to provide actual
> mount options to proc (that are per mount). Thus removing the sharing
> that is (currently?) breaking the hide_pid option.
>
> With such an infrastructure in place we can provide a mount option
> (possibly default on when mounted by non-root) that keeps anything that
> unprivileged users don't need out of proc. Which is likely to be most
> things except the pid files.
>
> It is something I probably should be working on, but I got derailed
> by the disaster that has happened with mounting. Even after
> I gave code review and showed them how to avoid it the new mount api
> is still not possible to use safely.

Are you perhaps referring to proc modernization patch set:

https://lkml.org/lkml/2018/5/11/155

Getting that reviewed and committed would be awesome!

-Topi
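
An added example, not part of the thread or of any patch in it: a small audit that parses mountinfo-format text (the layout of /proc/self/mountinfo), finds every procfs mount and reports the `hidepid=` and `gid=` values it shows, which is the option the thread calls hide_pid. The sample lines and the helper names are constructed for illustration.

```python
# Constructed sample in /proc/self/mountinfo layout; not taken from the thread.
SAMPLE_MOUNTINFO = """\
22 27 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw,hidepid=2,gid=26
95 80 0:44 / /srv/jail/proc rw,relatime - proc proc rw
31 27 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
"""

# hidepid values (or its absence) that leave other users' /proc/<pid> visible.
PERMISSIVE = {None, "0", "off"}


def parse_proc_mounts(text):
    """Return one dict per procfs mount found in mountinfo-format text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields:
            continue  # empty or malformed line
        # Zero or more optional fields (e.g. shared:13) end at the lone "-".
        sep = fields.index("-")
        if sep < 6 or len(fields) < sep + 3:
            continue
        if fields[sep + 1] != "proc":
            continue  # only procfs mounts are of interest
        # Super-block options follow the filesystem type and mount source.
        super_opts = fields[sep + 3] if len(fields) > sep + 3 else ""
        opts = {}
        for item in super_opts.split(","):
            key, _, value = item.partition("=")
            opts[key] = value or None
        mounts.append({
            "mount_point": fields[4],
            "hidepid": opts.get("hidepid"),
            "gid": opts.get("gid"),
        })
    return mounts


def permissive_proc_mounts(text):
    """Mount points of procfs instances that show no effective hidepid."""
    return [m["mount_point"] for m in parse_proc_mounts(text)
            if m["hidepid"] in PERMISSIVE]


if __name__ == "__main__":
    for m in parse_proc_mounts(SAMPLE_MOUNTINFO):
        print(m)
    print("no hidepid:", permissive_proc_mounts(SAMPLE_MOUNTINFO))
```

To audit a live system, pass the contents of /proc/self/mountinfo instead of the sample string.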