Re: [PATCH] Security: Handle hidepid option correctly
From: Andrew Morton
Date: Thu Nov 29 2018 - 15:30:16 EST
> [PATCH] Security: Handle hidepid option correctly
Why is this considered to be security sensitive? I can guess, but I'd
like to know your reasoning.
On Thu, 29 Nov 2018 19:08:21 +0800 d17103513@xxxxxxxxx wrote:
> From: Cheng Yang <chengyang@xxxxxxxxxx>
>
> The proc_parse_options() call from proc_mount() runs only once at boot
> time. So on any later mount attempt, any mount options are ignored
> because ->s_root is already initialized.
> As a consequence, "mount -o <options>" will ignore the options. The
> only way to change mount options is "mount -o remount,<options>".
> To fix this, parse the mount options unconditionally.
>
> --- a/fs/proc/inode.c
> +++ b/fs/proc/inode.c
> @@ -493,13 +493,9 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de)
>
> int proc_fill_super(struct super_block *s, void *data, int silent)
> {
> - struct pid_namespace *ns = get_pid_ns(s->s_fs_info);
> struct inode *root_inode;
> int ret;
>
> - if (!proc_parse_options(data, ns))
> - return -EINVAL;
> -
> /* User space would break if executables or devices appear on proc */
> s->s_iflags |= SB_I_USERNS_VISIBLE | SB_I_NOEXEC | SB_I_NODEV;
> s->s_flags |= SB_NODIRATIME | SB_NOSUID | SB_NOEXEC;
> diff --git a/fs/proc/root.c b/fs/proc/root.c
> index f4b1a9d..f5f3bf3 100644
> --- a/fs/proc/root.c
> +++ b/fs/proc/root.c
> @@ -98,6 +98,9 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
> ns = task_active_pid_ns(current);
> }
>
> + if (!proc_parse_options(data, ns))
> + return ERR_PTR(-EINVAL);
> +
> return mount_ns(fs_type, flags, data, ns, ns->user_ns, proc_fill_super);
> }
Other filesystems parse the options from fill_super(). Is proc special
in some fashion?