RE: [PATCH] Fix /proc/[pid]/ns permissions
From: Banerjee, Debabrata
Date: Mon Apr 09 2018 - 18:33:54 EST
> From: Eric W. Biederman [mailto:ebiederm@xxxxxxxxxxxx]
>
> I agree there is an inconsistency on the directory permissions for the ns
> directory that could reasonably be fixed.
So you'd recommend taking this patch as-is?
> prctl(PR_SET_DUMPABLE, 0) is an interesting. Fundamentally it is about not
> letting unprivileged tasks poke about with the process, and it is the
> mechanism used by setuid/setgid exec. If you are root in the user
> namespace of the task or your uid created the user namespace or an
> ancestor user namespace you should be able to inspect the process.
>
> What happens with dumpable is also going to vary a little bit depending on
> how recent your kernel is. The dumpable status was not really namespaced
> until recently.
>
> There might also be some issues from yama or other lsms that love to limit
> ptrace. Though it sounds like your issue is the dumpability.
>
> The check "ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)" is the
> standard check for accessing anything even a little bit sensitive of a process,
> and that seems appropriate here.
Why is the namespace inode # secret? If it is because it's an inode, perhaps there is a better way to represent the namespace that is not secret? What we are trying to do is check if link points to the same place as our namespace, the contents don't matter. On the other hand it would be very convenient if pid's not in your namespace, even from a parent namespace, did not appear. That would make user tools work properly without workarounds, i.e. killall, pgrep, ps, top.