On Mon, Mar 9, 2015 at 1:43 PM, Dave Hansen <d...@sr71.net> wrote:
>
> From: Dave Hansen <dave.han...@linux.intel.com>
>
> This is for folks where /proc is mounted very early or where it
> is not convenient to go changing fstab everywhere.
>
> Signed-off-by: Dave Hansen <dave.han...@linux.intel.com>
It'd be nice to have a way to do this in a more arbitrary fashion. For
example, select a CONFIG to also add things like hidepid=2, paranoid,
etc.

-Kees

> ---
>
>  b/fs/proc/Kconfig        | 17 +++++++++++++++++
>  b/kernel/pid_namespace.c |  1 +
>  2 files changed, 18 insertions(+)
>
> diff -puN fs/proc/Kconfig~privileged-pagemap-default-config fs/proc/Kconfig
> --- a/fs/proc/Kconfig~privileged-pagemap-default-config 2015-03-09
> 13:32:23.628610423 -0700
> +++ b/fs/proc/Kconfig 2015-03-09 13:32:23.633610649 -0700
> @@ -71,3 +71,20 @@ config PROC_PAGE_MONITOR
>  	  /proc/pid/smaps, /proc/pid/clear_refs, /proc/pid/pagemap,
>  	  /proc/kpagecount, and /proc/kpageflags. Disabling these
>  	  interfaces will reduce the size of the kernel by approximately 4kb.
> +
> +config PROC_PARANOID_DEFAULT
> +	default y
> +	depends on PROC_FS
> +	bool "Enable paranoid /proc mount option by default"
> +	help
> +	  Access to some sensitive /proc files is restricted when the
> +	  "paranoid" mount option is specified:
> +
> +		mount -o paranoid -t proc none /proc
> +
> +	  Enabling this config option will set the "paranoid" option
> +	  by default on all /proc mounts. It may still be disabled at
> +	  mount or remount time:
> +
> +		mount -o remount,notparanoid -/proc
> +
> diff -puN kernel/pid_namespace.c~privileged-pagemap-default-config
> kernel/pid_namespace.c
> --- a/kernel/pid_namespace.c~privileged-pagemap-default-config 2015-03-09
> 13:32:23.630610514 -0700
> +++ b/kernel/pid_namespace.c 2015-03-09 13:32:23.633610649 -0700
> @@ -115,6 +115,7 @@ static struct pid_namespace *create_pid_
>  	ns->parent = get_pid_ns(parent_pid_ns);
>  	ns->user_ns = get_user_ns(user_ns);
>  	ns->nr_hashed = PIDNS_HASH_ADDING;
> +	ns->paranoid = IS_ENABLED(CONFIG_PROC_PARANOID_DEFAULT);
>  	INIT_WORK(&ns->proc_work, proc_cleanup_work);
>
>  	set_bit(0, ns->pidmap[0].page);
> _

--
Kees Cook
Chrome OS Security
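Review bot: the second example in the Kconfig help text, `mount -o remount,notparanoid -/proc`, has a stray `-` before `/proc`, and `notparanoid` looks like a typo for `noparanoid`; it should match whatever negated option name the proc mount-option parser actually accepts, otherwise users following the help text get a mount error. While there, the help text says "some sensitive /proc files" without naming them; since `default y` changes behaviour for every existing /proc user on upgrade, listing the affected files (this series is about pagemap) would let distributions judge the impact. Minor style point: the usual Kconfig ordering is the `bool` prompt first, then `default y`, then `depends on PROC_FS`.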
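Review bot: in the pid_namespace.c hunk `ns->paranoid` is initialised only inside `create_pid_namespace()`, which is the path for child pid namespaces; the initial pid namespace is not created through it, so please confirm its static initialiser also gets `IS_ENABLED(CONFIG_PROC_PARANOID_DEFAULT)`. Otherwise the root /proc mount, the one most people care about, would not be paranoid by default despite the help text promising the default "on all /proc mounts".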