Re: [RFC] procfs: add hidepid and hidenet modes

From: Vasiliy Kulikov
Date: Sun Jun 12 2011 - 08:46:22 EST

Next message: Vasiliy Kulikov: "RLIMIT_NPROC check in set_user()"
Previous message: Evgeni Golov: "[PATCH] iwlagn: fix *_UCODE_API_MAX output in the firmware field"
In reply to: Alexey Dobriyan: "Re: [RFC] procfs: add hidepid and hidenet modes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Jun 12, 2011 at 14:12 +0300, Alexey Dobriyan wrote:
> On Sun, Jun 12, 2011 at 11:51:01AM +0400, Vasiliy Kulikov wrote:
> > hidenet means /proc/PID/net will be accessible to processes with
> > CAP_NET_ADMIN capability or to members of a special group.
> >
> > gid=XXX defines a group that will be able to gather all processes' info
> > and network connections info.
> >
> > Similar features are implemented for old kernels in -ow patches (for
> > Linux 2.2 and 2.4) and for Linux 2.6 in -grsecurity (but both of them
> > are implemented as configure options, not cofigurable in runtime).
> >
> >
> > In current version hidenet works for CONFIG_NET_NS=y via creating a
> > "fake" net namespace and slipping it to nonauthorized users, resulting
> > in users observing blank net files (like nobody use the network). If
> > CONFIG_NET_NS=n I don't see anything better than just fully denying
> > access to /proc/<pid>/net. More elegant ideas are welcome.
>
> This fake netns concept is ugly.
> If you wan't deny something, why don't you return -E?

Sorry, I should have mentioned it. It's a workaround. The thing is
that /proc/net/* is so core and existed for a long time that some
programs might be confused if these files are missing or if open()
returns -EXXX. netstat handles this and outputs smth like "Networking
was disabled in your kernel", which is a bit confusing. Also I saw some
programs didn't handle missing files at all, I recall brctl sigfaulted
when he couldn't access some sysfs file.

As fake_net doesn't break something, but instead keeps some
compatibility with old programs, why don't use it?

BTW, there is no fake_net in -ow or -grsecurity. I thought it might be
helpful for upstream in sense of compatibility.

> Regardless, these should be separate patch from PID stuff.

No problem.

Thanks,

--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vasiliy Kulikov: "RLIMIT_NPROC check in set_user()"
Previous message: Evgeni Golov: "[PATCH] iwlagn: fix *_UCODE_API_MAX output in the firmware field"
In reply to: Alexey Dobriyan: "Re: [RFC] procfs: add hidepid and hidenet modes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]