Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible
From: Alexey Dobriyan
Date: Wed Apr 04 2018 - 13:45:19 EST
> Instead, it introduces new options in proc to disable some proc entries (TBD).
No, no, no, no.
Blacklists are bad, mmkay.
The reason is that quite dangerous new /proc entries get added
(think /proc/kpageflags) and suddenly they are enabled inside the container.
> The granularity does not need to be per proc entry.
I think it does. Grouping always becomes either too fine or too coarse.
> Granularity can be improved later if use cases exist.
Granularity cannot be tightened as it may break existing users.
So new granularity options are going to be invented until finally it is
per file.
> "maskedPaths": [
> "/proc/kcore",
> "/proc/latency_stats",
> "/proc/timer_list",
> "/proc/timer_stats",
> "/proc/sched_debug",
> "/sys/firmware",
> "/proc/scsi"
> ],
Just say no to drugs.
> /proc/kcore
As a side note:
/proc/kcore should be more or less safe because it is under CAP_SYS_RAWIO.
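The two practical questions behind this exchange are whether a maskedPaths list is actually enforced inside a container and which /proc entries it leaves uncovered. The following script is an added example for this thread, not code from the patch, from the kernel, or from any container runtime. It parses /proc/self/mountinfo, checks that each entry of the quoted maskedPaths list has a hiding mount on it, and lists the top-level /proc entries the blacklist does not mention. It assumes the masking convention runc uses (a bind mount of /dev/null over a file, a read-only tmpfs over a directory); the mountinfo text and the /proc listing used for the demonstration are constructed samples.

```python
import os
import re

# The maskedPaths list quoted in the thread.
MASKED_PATHS = [
    "/proc/kcore",
    "/proc/latency_stats",
    "/proc/timer_list",
    "/proc/timer_stats",
    "/proc/sched_debug",
    "/sys/firmware",
    "/proc/scsi",
]

# Constructed sample of /proc/self/mountinfo as seen inside a container.
# /proc/timer_stats is deliberately left without a mask.
SAMPLE_MOUNTINFO = """\
584 583 0:56 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
585 584 0:6 /null /proc/kcore rw,nosuid - devtmpfs udev rw,size=4k,mode=755
586 584 0:6 /null /proc/latency_stats rw,nosuid - devtmpfs udev rw,size=4k,mode=755
587 584 0:6 /null /proc/timer_list rw,nosuid - devtmpfs udev rw,size=4k,mode=755
588 584 0:6 /null /proc/sched_debug rw,nosuid - devtmpfs udev rw,size=4k,mode=755
589 584 0:57 / /proc/scsi ro,relatime - tmpfs tmpfs ro
590 583 0:58 / /sys/firmware ro,relatime - tmpfs tmpfs ro
"""

# Constructed sample of a top-level /proc listing (PID directories omitted).
SAMPLE_PROC_LISTING = ["cpuinfo", "kcore", "kpageflags", "meminfo",
                       "sched_debug", "self", "timer_list"]


def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts (field layout per proc(5))."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")
        if not sep:
            raise ValueError("malformed mountinfo line: %r" % line)
        lf = left.split()   # id, parent, major:minor, root, mount point, options, [optional...]
        rf = right.split()  # fstype, source, super options
        mounts.append({
            "root": _unescape(lf[3]),
            "mount_point": _unescape(lf[4]),
            "options": set(lf[5].split(",")),
            "fstype": rf[0],
            "source": _unescape(rf[1]),
        })
    return mounts


def is_masked(path, mounts):
    """True if a mount sits exactly on `path` and hides the entry beneath it.
    Assumption (runc convention): files are masked by bind-mounting /dev/null,
    whose root shows up as /null, directories by a read-only tmpfs."""
    for m in mounts:
        if m["mount_point"] != path:
            continue
        if m["root"].endswith("/null"):
            return True
        if m["fstype"] == "tmpfs" and "ro" in m["options"]:
            return True
    return False


def unenforced_masks(masked_paths, mountinfo_text):
    """Entries of the blacklist that have no hiding mount on them."""
    mounts = parse_mountinfo(mountinfo_text)
    return [p for p in masked_paths if not is_masked(p, mounts)]


def uncovered_proc_entries(proc_listing, masked_paths):
    """Top-level /proc entries the blacklist says nothing about.  A newly
    added entry (the kpageflags case in the mail) lands here until somebody
    notices and extends the list."""
    covered = {p.split("/")[2] for p in masked_paths
               if p.startswith("/proc/") and len(p.split("/")) == 3}
    return sorted(e for e in proc_listing if e not in covered)


if __name__ == "__main__":
    # Live run inside a container: read the real mount table and /proc.
    with open("/proc/self/mountinfo") as f:
        live_mountinfo = f.read()
    live_listing = [e for e in os.listdir("/proc") if not e.isdigit()]
    print("masks not enforced:", unenforced_masks(MASKED_PATHS, live_mountinfo))
    print("uncovered /proc entries:", uncovered_proc_entries(live_listing, MASKED_PATHS))
```

Run without arguments inside a container to compare the runtime's actual mounts against the list; the uncovered set is the part the blacklist argument in the mail is about, since every kernel that adds a new /proc file grows it silently.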