lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 29 Nov 2018 12:30:12 -0800
From:   Andrew Morton <akpm@...ux-foundation.org>
To:     d17103513@...il.com
Cc:     Alexey Dobriyan <adobriyan@...il.com>,
        David Howells <dhowells@...hat.com>,
        "Peter Zijlstra (Intel)" <peterz@...radead.org>,
        Al Viro <viro@...iv.linux.org.uk>,
        Johannes Weiner <hannes@...xchg.org>,
        Davidlohr Bueso <dbueso@...e.de>,
        Cheng Yang <chengyang@...omi.com>,
        linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH] Security: Handle hidepid option correctly


> [PATCH] Security: Handle hidepid option correctly

Why is this considered to be security sensitive?  I can guess, but I'd
like to know your reasoning.

On Thu, 29 Nov 2018 19:08:21 +0800 d17103513@...il.com wrote:

> From: Cheng Yang <chengyang@...omi.com>
> 
> The proc_parse_options() call from proc_mount() runs only once at boot
> time.  So on any later mount attempt, any mount options are ignored
> because ->s_root is already initialized.
> As a consequence, "mount -o <options>" will ignore the options.  The
> only way to change mount options is "mount -o remount,<options>".
> To fix this, parse the mount options unconditionally.
> 
> --- a/fs/proc/inode.c
> +++ b/fs/proc/inode.c
> @@ -493,13 +493,9 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de)
>  
>  int proc_fill_super(struct super_block *s, void *data, int silent)
>  {
> -	struct pid_namespace *ns = get_pid_ns(s->s_fs_info);
>  	struct inode *root_inode;
>  	int ret;
>  
> -	if (!proc_parse_options(data, ns))
> -		return -EINVAL;
> -
>  	/* User space would break if executables or devices appear on proc */
>  	s->s_iflags |= SB_I_USERNS_VISIBLE | SB_I_NOEXEC | SB_I_NODEV;
>  	s->s_flags |= SB_NODIRATIME | SB_NOSUID | SB_NOEXEC;
> diff --git a/fs/proc/root.c b/fs/proc/root.c
> index f4b1a9d..f5f3bf3 100644
> --- a/fs/proc/root.c
> +++ b/fs/proc/root.c
> @@ -98,6 +98,9 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
>  		ns = task_active_pid_ns(current);
>  	}
>  
> +	if (!proc_parse_options(data, ns))
> +		return ERR_PTR(-EINVAL);
> +
>  	return mount_ns(fs_type, flags, data, ns, ns->user_ns, proc_fill_super);
>  }

Other filesystems parse the options from fill_super().  Is proc special
in some fashion?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ