lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 27 Sep 2011 13:33:24 -0700 (PDT)
From:	David Rientjes <rientjes@...gle.com>
To:	Christoph Lameter <cl@...two.org>
cc:	Vasiliy Kulikov <segoon@...nwall.com>,
	kernel-hardening@...ts.openwall.com,
	Pekka Enberg <penberg@...nel.org>,
	Matt Mackall <mpm@...enic.com>,
	Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
	Kees Cook <kees@...ntu.com>,
	Dave Hansen <dave@...ux.vnet.ibm.com>, Valdis.Kletnieks@...edu,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Alan Cox <alan@...ux.intel.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] mm: restrict access to /proc/meminfo

On Tue, 27 Sep 2011, Christoph Lameter wrote:

> Viewing free memory is usually necessary to check on reclaim activities
> (things otherwise operating normally). "free" memory (in the sense of the
> memory that an application can still allocate) is not really displayed by
> free. Wish we had a new free that avoids all the misinterpretations.
> 
> Meminfo is also requires by vmstat.
> 

Even with the patch, you could still get all this information by summing 
up the per-node meminfo in /sys/devices/system/node/nodeX/meminfo.  
Non-root users certainly need to be able to use things like numactl and be 
able to specify their own mempolicies for NUMA machines, so limiting basic 
memory state information isn't going to work.

I'd much rather just convert everything to use MB rather than KB so you 
can't determine things at a page level.  I think that gets us much closer 
to what the patch is intending to restrict.  But I also expect some 
breakage from things that just expect meminfo to be in KB units without 
parsing what the kernel is exporting.

> If we want to go down this route then we need some sort of diagnostic
> group that a user must be part of in order to allow viewing of basic
> memory statistics.
> 

It'll turn into another one of our infinite number of capabilities.  Does 
anything actually care about statistics at KB granularity these days?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ