Re: [Ksummit-discuss] security-related TODO items?

From: Alexey Dobriyan
Date: Tue Jan 24 2017 - 05:38:38 EST


[add linux-kernel]

On Tue, Jan 24, 2017 at 5:38 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> Here's another one: split up and modernize /proc.
>
> I'm imagining a whole series of changes:
>
> - Make a sysctlfs. You could mount it and get all the sysctls if you
> have global privilege. If you only have privilege relative to some
> namespace, you could pass a mount option like -o scope=net to get just
> sysctls that belong to the mounting process' netns. If done
> carefully, this should be safe for unprivileged mounting without the
> fs_fully_visible() checks.
>
> - Teach procfs to understand mount options for real (per-superblock).
> Shouldn't be that hard.
>
> - Make it possible to control hidepid per mount. systemd and such
> could use this to tighten up daemons.
>
> - Make it possible to make /proc/PID/cmdline only show argv[0] via
> per-mount option or perhaps sysctl.
>
> - Make it possible to mount a mini-proc that doesn't have all the
> non-PID stuff. Presumably it would still have an empty directory
> called sys and maybe some other minimal contents for compatibility

Yes, please!

mount -t sysctl ...
mount -t proc-pid ...
mount -t proc-kitchen-sink ...