hidepid=2 and dumpability

From: Evgenii Shatokhin
Date: Tue Dec 15 2015 - 03:16:50 EST

Next message: Milan Broz: "Re: [PATCH 2/2] md: dm-crypt: Optimize the dm-crypt for XTS mode"
Previous message: Jiri Olsa: "Re: [PATCH] perf record: Add record.build-id config option"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

(Sorry, forgot to CC LKML yesterday, resending.)

Hi,

Could you shed some light on the implementation of 'hidepid' option for procfs in the Linux kernel?

As far as I can see, has_pid_permissions() eventually calls ptrace_may_access(task, PTRACE_MODE_READ). This way, if hidepid=2 is used, the ordinary users will see only those of their own processes, which are dumpable.

For example, the processes that changed credentials or were marked as non-dumpable with prctl() will remain invisible to their owners. Isn't that an overkill?

Or perhaps, there is a security risk if a user could read the contents of /proc/<pid> for these processes?

I stumbled upon this while experimenting with hidepid=2 in a Virtuozzo container. If I login to the container as an ordinary user via SSH, one of the sshd processes (owned by the user) in the container is not visible to that user. I checked in runtime that it is the dumpability check in the kernel that fails in __ptrace_may_access().

The kernel is based on the version 3.10.x, but it should not matter much in this case.

Any ideas?

Thanks in advance.

Regards,
Evgenii

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Milan Broz: "Re: [PATCH 2/2] md: dm-crypt: Optimize the dm-crypt for XTS mode"
Previous message: Jiri Olsa: "Re: [PATCH] perf record: Add record.build-id config option"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]