Date: Thu, 25 Apr 2024 20:27:05 -0400
From: Kent Overstreet
To: Andrew Morton
Cc: Kees Cook, Matthew Wilcox, Suren Baghdasaryan, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] alloc_tag: Tighten file permissions on /proc/allocinfo
In-Reply-To: <20240425164718.e8e187dd0c5b0a87371d8316@linux-foundation.org>

On Thu, Apr 25, 2024 at 04:47:18PM -0700, Andrew Morton wrote:
> On Thu, 25 Apr 2024 15:42:30 -0700 Kees Cook wrote:
>
> > > The concern about leaking image layout could be addressed by sorting the
> > > output before returning to userspace.
> >
> > It's trivial to change permissions from the default 0400 at boot time.
> > It can even have groups and ownership changed, etc. This is why we have
> > per-mount-namespace /proc instances:
> >
> > # chgrp sysmonitor /proc/allocinfo
> > # chmod 0440 /proc/allocinfo
> >
> > Poof, instant role-based access control. :)
>
> Conversely, the paranoid could set it to 0400 at boot also.
>
> > I'm just trying to make the _default_ safe.
>
> Agree with this.
>
> Semi-seriously, how about we set the permissions to 0000 and force
> distributors/users to make a decision.

I'm ok with 0400 for now since it's consistent with slabinfo, but I'd
really like to see a sysctl for debug info paranoia. We shouldn't be
leaving this to the distros; we're the ones with the expertise to say
what would be covered by that sysctl.