Re: [PATCH] alloc_tag: Tighten file permissions on /proc/allocinfo

From: Andrew Morton
Date: Thu Apr 25 2024 - 17:41:15 EST

Next message: Eddie James: "[PATCH v3 11/14] dt-bindings: arm: aspeed: add IBM P11 BMC boards"
Previous message: Eddie James: "[PATCH v3 02/14] dt-bindings: fsi: fsi2spi: Document SPI controller child nodes"
In reply to: Kent Overstreet: "Re: [PATCH] alloc_tag: Tighten file permissions on /proc/allocinfo"
Next in thread: Kent Overstreet: "Re: [PATCH] alloc_tag: Tighten file permissions on /proc/allocinfo"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 25 Apr 2024 14:21:39 -0700 Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote:

> > > > The side effect of locking down more and more reporting interfaces is
> > > > that programs that consume those interfaces now have to run as root.
> > >
> > > sudo cat /proc/allocinfo | analyse-that-fie
> >
> > Even that is still an annoyance, but I'm thinking more about a future
> > daemon to collect this every n seconds - that really shouldn't need to
> > be root.
>
> Yeah, that would preclude some nice usecases. Could we maybe use
> CAP_SYS_ADMIN checks instead? That way we can still use it from a
> non-root process?

I'm inclined to keep Kees's 0400. Yes it's a hassle but security is
always a hassle. Let's not make Linux less secure, especially for
people who aren't even using /proc/allocinfo.

If someone really wants 0666 then they can chmod the thing from
initscripts, can't they?

Next message: Eddie James: "[PATCH v3 11/14] dt-bindings: arm: aspeed: add IBM P11 BMC boards"
Previous message: Eddie James: "[PATCH v3 02/14] dt-bindings: fsi: fsi2spi: Document SPI controller child nodes"
In reply to: Kent Overstreet: "Re: [PATCH] alloc_tag: Tighten file permissions on /proc/allocinfo"
Next in thread: Kent Overstreet: "Re: [PATCH] alloc_tag: Tighten file permissions on /proc/allocinfo"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]