Message-ID: <YelU89iAjQF07bW+@localhost.localdomain>
Date:   Thu, 20 Jan 2022 15:26:27 +0300
From:   Alexey Dobriyan <adobriyan@...il.com>
To:     Alexey Gladkov <legion@...nel.org>
Cc:     viro@...iv.linux.org.uk, ebiederm@...ssion.com,
        akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
        linux-fsdevel@...r.kernel.org, stephen.s.brennan@...cle.com
Subject: Re: [PATCH v2] proc: "mount -o lookup=" support

On Wed, Jan 19, 2022 at 06:04:32PM +0100, Alexey Gladkov wrote:
> On Wed, Jan 19, 2022 at 06:48:03PM +0300, Alexey Dobriyan wrote:
> > >From 61376c85daab50afb343ce50b5a97e562bc1c8d3 Mon Sep 17 00:00:00 2001
> > From: Alexey Dobriyan <adobriyan@...il.com>
> > Date: Mon, 22 Nov 2021 20:41:06 +0300
> > Subject: [PATCH 1/1] proc: "mount -o lookup=..." support
> > 
> > Docker implements MaskedPaths configuration option
> > 
> > 	https://github.com/estesp/docker/blob/9c15e82f19b0ad3c5fe8617a8ec2dddc6639f40a/oci/defaults.go#L97
> > 
> > to disable certain /proc files. It overmounts them with /dev/null.
> > 
> > Implement proper mount option which selectively disables lookup/readdir
> > in the top level /proc directory so that MaskedPaths doesn't need
> > to be updated as time goes on.
> > 
> > Syntax is
> > 
> > 			Filter everything
> > 	# mount -t proc -o lookup=/ proc /proc
> > 	# ls /proc
> > 	dr-xr-xr-x   8 root       root          0 Nov 22 21:12 995
> > 	lrwxrwxrwx   1 root       root          0 Nov 22 21:12 self -> 1163
> > 	lrwxrwxrwx   1 root       root          0 Nov 22 21:12 thread-self -> 1163/task/1163
> > 
> > 			Allow /proc/cpuinfo and /proc/uptime
> > 	# mount -t proc proc -o lookup=cpuinfo/uptime /proc
> > 
> > 	# ls /proc
> > 				...
> > 	dr-xr-xr-x   8 root       root          0 Nov 22 21:12 995
> > 	-r--r--r--   1 root       root          0 Nov 22 21:12 cpuinfo
> > 	lrwxrwxrwx   1 root       root          0 Nov 22 21:12 self -> 1163
> > 	lrwxrwxrwx   1 root       root          0 Nov 22 21:12 thread-self -> 1163/task/1163
> > 	-r--r--r--   1 root       root          0 Nov 22 21:12 uptime
> > 
> > Trailing slash is optional but saves 1 allocation.
> > Trailing slash is mandatory for "filter everything".
> > 
> > Remounting with lookup= is disabled so that files and dcache entries
> > don't stay active while filter list is changed. Users are supposed
> > to unmount and mount again with different lookup= set.
> > Remount rules may change in the future. (Eric W. Biederman)
> > 
> > Re: speed
> > This is the price for filtering, given that lookup= is whitelist it is
> > not supposed to be very long. Second, it is one linear memory scan per
> > lookup, there are no linked lists. It may be faster than rbtree in fact.
> > It consumes 1 allocation per superblock which is list of names itself.
> > 
> > Signed-off-by: Alexey Dobriyan <adobriyan@...il.com>
> > ---
> > 
> > 	v2
> > 	documentation!
> > 	descriptive comments!
> > 	disable remount
> > 
> >  Documentation/filesystems/proc.rst |   8 ++
> >  fs/proc/generic.c                  |  18 ++--
> >  fs/proc/internal.h                 |  31 ++++++-
> >  fs/proc/proc_net.c                 |   2 +-
> >  fs/proc/root.c                     | 127 ++++++++++++++++++++++++++++-
> >  include/linux/proc_fs.h            |   2 +
> >  6 files changed, 178 insertions(+), 10 deletions(-)
> > 
> > diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst
> > index 8d7f141c6fc7..9a328f0b4346 100644
> > --- a/Documentation/filesystems/proc.rst
> > +++ b/Documentation/filesystems/proc.rst
> > @@ -2186,6 +2186,7 @@ The following mount options are supported:
> >  	hidepid=	Set /proc/<pid>/ access mode.
> >  	gid=		Set the group authorized to learn processes information.
> >  	subset=		Show only the specified subset of procfs.
> > +        lookup=         Top-level /proc filter, independent of subset=
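Review bot: The new `lookup=` row is indented with spaces, while the neighbouring `hidepid=`, `gid=` and `subset=` rows use a tab, so the option table will not line up; use tabs to match. The description "independent of subset=" also sits awkwardly next to the later paragraph, which says an empty list is equivalent to subset=pid and that lookup= filters before subset=. Describing the ordering here would be clearer than calling the two independent.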
> 
> Will it be possible to combine lookup= and subset= options when mounting?

Currently only subset=pid is implemented, which is equivalent to

	mount -t proc -o lookup=/ proc /proc

In the future subset= might expand and lookup= could filter whatever
is exposed.

> > +lookup= mount option makes available only listed files/directories in
> > +the top-level /proc directory. Individual names are separated
> > +by slash. Empty list is equivalent to subset=pid. lookup= filters before
> > +subset= if both options are supplied. lookup= doesn't affect /proc/${pid}
> > +directories availability as well as /proc/self and /proc/thread-self
> > +symlinks. More fine-grained filtering is not supported at the moment.
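Review bot: This paragraph documents the slash separator but leaves out two rules that appear only in the commit message: "filter everything" must be written as `lookup=/` with the slash, and remounting with lookup= is disabled. Both belong in proc.rst, since users read the documentation rather than the changelog. The text also writes `/proc/${pid}` where the option table above uses `/proc/<pid>/`; pick one spelling.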

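The whitelist semantics described in the commit message and documentation text above, modelled in userspace C as an added example (this is not the patch's kernel code). The names `lookup_filter`, `lookup_filter_parse` and `proc_name_visible` are hypothetical, and rejecting an empty value or empty names such as `a//b` is an assumption.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the described semantics; not the patch's kernel code. */
struct lookup_filter {
	char *names;	/* "cpuinfo\0uptime\0" held in a single allocation */
	size_t len;	/* bytes used; 0 means nothing is whitelisted */
};

/* Parse a lookup= value. Returns 0 on success, -1 on malformed input. */
int lookup_filter_parse(struct lookup_filter *f, const char *opt)
{
	size_t n = strlen(opt);

	f->names = NULL;
	f->len = 0;
	if (strcmp(opt, "/") == 0)
		return 0;		/* empty whitelist: filter everything */
	/* assumption: empty value and empty names ("/a", "a//b") are rejected */
	if (n == 0 || opt[0] == '/' || strstr(opt, "//"))
		return -1;
	f->names = malloc(n + 2);
	if (!f->names)
		return -1;
	memcpy(f->names, opt, n);
	if (opt[n - 1] != '/')
		f->names[n++] = '/';	/* trailing slash is optional */
	for (size_t i = 0; i < n; i++)
		if (f->names[i] == '/')
			f->names[i] = '\0';
	f->len = n;
	return 0;
}

/* Top-level visibility: PID directories and the self links bypass the filter. */
bool proc_name_visible(const struct lookup_filter *f, const char *name)
{
	/* all-digit names are /proc/<pid> directories */
	bool pid = name[0] && name[strspn(name, "0123456789")] == '\0';

	if (pid || !strcmp(name, "self") || !strcmp(name, "thread-self"))
		return true;
	/* one linear scan over the packed name list, no linked structures */
	for (size_t off = 0; off < f->len; off += strlen(f->names + off) + 1)
		if (strcmp(f->names + off, name) == 0)
			return true;
	return false;
}
```

Because the filter is an allowlist, a /proc file added by a later kernel stays hidden by default, which is the maintenance problem with MaskedPaths that the commit message points to.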