Date: Thu, 25 Apr 2024 20:27:05 -0400
From: Kent Overstreet
To: Andrew Morton
Cc: Kees Cook, Matthew Wilcox, Suren Baghdasaryan, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] alloc_tag: Tighten file permissions on /proc/allocinfo

On Thu, Apr 25, 2024 at 04:47:18PM -0700, Andrew Morton wrote:
> On Thu, 25 Apr 2024 15:42:30 -0700 Kees Cook wrote:
>
> > > The concern about leaking image layout could be addressed by sorting the
> > > output before returning to userspace.
> >
> > It's trivial to change permissions from the default 0400 at boot time.
> > It can even have groups and ownership changed, etc. This is why we have
> > per-mount-namespace /proc instances:
> >
> > # chgrp sysmonitor /proc/allocinfo
> > # chmod 0440 /proc/allocinfo
> >
> > Poof, instant role-based access control. :)
>
> Conversely, the paranoid could set it to 0400 at boot also.
>
> > I'm just trying to make the _default_ safe.
>
> Agree with this.
>
> Semi-seriously, how about we set the permissions to 0000 and force
> distributors/users to make a decision.

I'm ok with 0400 for now since it's consistent with slabinfo, but I'd
really like to see a sysctl for debug info paranoia. We shouldn't be
leaving this to the distros; we're the ones with the expertise to say
what would be covered by that sysctl.
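
Added example, not part of the original message or of the kernel tree: a small audit script that reports how widely /proc/allocinfo and /proc/slabinfo are readable on a running system, so the effect of the default mode or of a boot-time chgrp/chmod like the one quoted above can be checked. The function names `classify_mode` and `audit_file` are hypothetical, and GNU or BusyBox `stat -c` is assumed.

```sh
#!/bin/sh
# Added example: audit the exposure of the debug files discussed in this thread.

# classify_mode OCTAL_MODE
# Prints the widest read access the mode bits grant.
classify_mode() {
    case "$1" in
        ''|*[!0-7]*) echo "invalid"; return 1 ;;   # reject non-octal input
    esac
    m=$((0$1))                                     # leading 0 forces octal
    if [ $((m & 0004)) -ne 0 ]; then
        echo "world-readable"      # e.g. 0444: any local user can read
    elif [ $((m & 0040)) -ne 0 ]; then
        echo "group-readable"      # e.g. 0440 after chgrp to a monitoring group
    elif [ $((m & 0400)) -ne 0 ]; then
        echo "owner-only"          # e.g. 0400, the default discussed above
    else
        echo "no-access"           # e.g. 0000: no read bit set for anyone
    fi
}

# audit_file PATH
# Prints one report line: path, mode, owner:group and the classification.
audit_file() {
    if [ ! -e "$1" ]; then
        echo "$1: absent"          # the running kernel does not provide this file
        return 0
    fi
    st=$(stat -c '%a %U:%G' "$1") || { echo "$1: stat-failed"; return 0; }
    echo "$1: mode=${st%% *} owner=${st#* } $(classify_mode "${st%% *}")"
}

# Report on the two files named in the thread.
for f in /proc/allocinfo /proc/slabinfo; do
    audit_file "$f"
done
```

Run it after boot-time configuration has been applied; a "group-readable" result should be read together with the reported group to confirm it is the intended monitoring group.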