From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id CADF7A58 for ; Tue, 24 Jan 2017 10:07:49 +0000 (UTC) Received: from out03.mta.xmission.com (out03.mta.xmission.com [166.70.13.233]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 3F06FF3 for ; Tue, 24 Jan 2017 10:07:49 +0000 (UTC) From: ebiederm@xmission.com (Eric W. Biederman) To: Andy Lutomirski References: Date: Tue, 24 Jan 2017 23:03:29 +1300 In-Reply-To: (Andy Lutomirski's message of "Mon, 23 Jan 2017 18:38:04 -0800") Message-ID: <87tw8oojv2.fsf@xmission.com> MIME-Version: 1.0 Content-Type: text/plain Cc: Josh Armour , Greg KH , Djalal Harouni , "ksummit-discuss@lists.linuxfoundation.org" Subject: Re: [Ksummit-discuss] security-related TODO items? List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Andy Lutomirski writes: > On Fri, Jan 20, 2017 at 2:38 PM, Kees Cook wrote: >> Hi, >> >> I've already got various Kernel Self-Protection Project TODO items >> collected[1] (of varying size and complexity), but recently Google's >> Patch Reward Program[2] is trying to expand by helping create a bounty >> program for security-related TODOs. KSPP is just one corner of >> interest in the kernel, and I'd love to know if any other maintainers >> have TODO items that they'd like to see get done (and Google would >> potentially provide bounty money for). >> >> Let me know your security wish-lists, and I'll collect them all into a >> single place. And if there is a better place than ksummit-discuss to >> reach maintainers, I'm all ears. LKML tends to mostly just serve as a >> public archive. :) >> > > Here's another one: split up and modernize /proc. > > I'm imagining a whole series of changes: > > - Make a sysctlfs. You could mount it and get all the sysctls if you > have global privilege. If you only have privilege relative to some > namespace, you could pass a mount option like -o scope=net to get just > sysctls that belong to the mounting process' netns. If done > carefully, this should be safe for unprivileged mounting without the > fs_fully_visible() checks. Nope. Because the fs_fully_visible checks are there to support a root policy of what can be used. Any filesystem with content needs fs_fully_visible or another way for root to say no you can't access these files. cgroupfs gets a pass from me because we can set the number of cgroup namespaces to 0, and because changing it will break userspace. Besides bind if you split up proc into pieces bind mounts should be sufficient and you should not need to allow unprivileged users to mount any of the pieces of proc. > - Teach procfs to understand mount options for real (per-superblock). > Shouldn't be that hard. > > - Make it possible to control hidepid per mount. systemd and such > could use this to tighten up daemons. How about we come up with a better answer than hidepid and kill the hidepid option? > - Make it possible to make /proc/PID/cmdline only show argv[0] via > per-mount option or perhaps sysctl. > > - Make it possible to mount a mini-proc that doesn't have all the > non-PID stuff. Presumably it would still have an empty directory > called sys and maybe some other minimal contents for compatibility That would certainly be something if done carefully that could be mounted without fs_fully_visible checks. Eric