From: ebiederm@xmission.com (Eric W. Biederman)
To: Andy Lutomirski <luto@amacapital.net>
Cc: Josh Armour <jarmour@google.com>,
Greg KH <gregkh@linuxfoundation.org>,
Djalal Harouni <tixxdz@gmail.com>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] security-related TODO items?
Date: Tue, 24 Jan 2017 23:03:29 +1300 [thread overview]
Message-ID: <87tw8oojv2.fsf@xmission.com> (raw)
In-Reply-To: <CALCETrWOedzSo02GWr6KoGDg6FeyymGH=B-0JLOG9QZuoFap_Q@mail.gmail.com> (Andy Lutomirski's message of "Mon, 23 Jan 2017 18:38:04 -0800")
Andy Lutomirski <luto@amacapital.net> writes:
> On Fri, Jan 20, 2017 at 2:38 PM, Kees Cook <keescook@chromium.org> wrote:
>> Hi,
>>
>> I've already got various Kernel Self-Protection Project TODO items
>> collected[1] (of varying size and complexity), but recently Google's
>> Patch Reward Program[2] is trying to expand by helping create a bounty
>> program for security-related TODOs. KSPP is just one corner of
>> interest in the kernel, and I'd love to know if any other maintainers
>> have TODO items that they'd like to see get done (and Google would
>> potentially provide bounty money for).
>>
>> Let me know your security wish-lists, and I'll collect them all into a
>> single place. And if there is a better place than ksummit-discuss to
>> reach maintainers, I'm all ears. LKML tends to mostly just serve as a
>> public archive. :)
>>
>
> Here's another one: split up and modernize /proc.
>
> I'm imagining a whole series of changes:
>
> - Make a sysctlfs. You could mount it and get all the sysctls if you
> have global privilege. If you only have privilege relative to some
> namespace, you could pass a mount option like -o scope=net to get just
> sysctls that belong to the mounting process' netns. If done
> carefully, this should be safe for unprivileged mounting without the
> fs_fully_visible() checks.
Nope. Because the fs_fully_visible checks are there to support a root
policy of what can be used. Any filesystem with content needs
fs_fully_visible or another way for root to say no you can't access
these files.
cgroupfs gets a pass from me because we can set the number of cgroup
namespaces to 0, and because changing it will break userspace.
Besides bind if you split up proc into pieces bind mounts should be
sufficient and you should not need to allow unprivileged users to mount
any of the pieces of proc.
> - Teach procfs to understand mount options for real (per-superblock).
> Shouldn't be that hard.
>
> - Make it possible to control hidepid per mount. systemd and such
> could use this to tighten up daemons.
How about we come up with a better answer than hidepid and kill the
hidepid option?
> - Make it possible to make /proc/PID/cmdline only show argv[0] via
> per-mount option or perhaps sysctl.
>
> - Make it possible to mount a mini-proc that doesn't have all the
> non-PID stuff. Presumably it would still have an empty directory
> called sys and maybe some other minimal contents for compatibility
That would certainly be something if done carefully that could be
mounted without fs_fully_visible checks.
Eric
next prev parent reply other threads:[~2017-01-24 10:07 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-20 22:38 Kees Cook
2017-01-21 0:14 ` Andy Lutomirski
2017-01-21 0:26 ` Kees Cook
2017-01-21 1:10 ` Matthew Wilcox
2017-01-21 1:47 ` Josh Triplett
2017-01-23 10:02 ` Alexey Dobriyan
2017-01-23 10:48 ` David Howells
2017-01-23 20:10 ` Andy Lutomirski
[not found] ` <c1822e5b-9352-c1ab-ee98-e492ef6e156a@I-love.SAKURA.ne.jp>
2017-01-24 20:58 ` Andy Lutomirski
2017-01-23 20:36 ` David Howells
2017-01-23 20:59 ` Matthew Wilcox
2017-01-23 21:53 ` Andy Lutomirski
2017-01-23 23:26 ` Greg Ungerer
2017-01-23 20:15 ` Christoph Hellwig
2017-01-24 2:38 ` Andy Lutomirski
2017-01-24 10:03 ` Eric W. Biederman [this message]
2017-01-24 21:00 ` Andy Lutomirski
2017-01-24 21:55 ` Eric W. Biederman
2017-01-24 10:38 ` Alexey Dobriyan
[not found] ` <CAEiveUcTQK84qFNpYoET-cpSXJe0KYtnYQtp0uTPz=z0tc3W9A@mail.gmail.com>
2017-03-07 16:25 ` Andy Lutomirski
2017-02-02 21:12 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87tw8oojv2.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=gregkh@linuxfoundation.org \
--cc=jarmour@google.com \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=luto@amacapital.net \
--cc=tixxdz@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox