
[v8,10/11] docs: proc: add documentation for "hidepid=4" and "subset=pidfs" options and new mount behavior

Message ID 20200210150519.538333-11-gladkov.alexey@gmail.com (mailing list archive)
State New, archived
Series proc: modernize proc to support multiple private instances

Commit Message

Alexey Gladkov Feb. 10, 2020, 3:05 p.m. UTC
Signed-off-by: Alexey Gladkov <gladkov.alexey@gmail.com>
---
 Documentation/filesystems/proc.txt | 53 ++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

Comments

Andy Lutomirski Feb. 10, 2020, 6:29 p.m. UTC | #1
On Mon, Feb 10, 2020 at 7:06 AM Alexey Gladkov <gladkov.alexey@gmail.com> wrote:
>
> Signed-off-by: Alexey Gladkov <gladkov.alexey@gmail.com>
> ---
>  Documentation/filesystems/proc.txt | 53 ++++++++++++++++++++++++++++++
>  1 file changed, 53 insertions(+)
>
> diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt
> index 99ca040e3f90..4741fd092f36 100644
> --- a/Documentation/filesystems/proc.txt
> +++ b/Documentation/filesystems/proc.txt
> @@ -50,6 +50,8 @@ Table of Contents
>    4    Configuring procfs
>    4.1  Mount options
>
> +  5    Filesystem behavior
> +
>  ------------------------------------------------------------------------------
>  Preface
>  ------------------------------------------------------------------------------
> @@ -2021,6 +2023,7 @@ The following mount options are supported:
>
>         hidepid=        Set /proc/<pid>/ access mode.
>         gid=            Set the group authorized to learn processes information.
> +       subset=         Show only the specified subset of procfs.
>
>  hidepid=0 means classic mode - everybody may access all /proc/<pid>/ directories
>  (default).
> @@ -2042,6 +2045,56 @@ information about running processes, whether some daemon runs with elevated
>  privileges, whether other user runs some sensitive program, whether other users
>  run any program at all, etc.
>
> +hidepid=4 means that procfs should only contain /proc/<pid>/ directories
> +that the caller can ptrace.

I have a couple of minor nits here.

First, perhaps we could stop using magic numbers and use words.
hidepid=ptraceable is actually comprehensible, whereas hidepid=4
requires looking up what '4' means.

Second, there is PTRACE_MODE_ATTACH and PTRACE_MODE_READ.  Which is it?

> +
>  gid= defines a group authorized to learn processes information otherwise
>  prohibited by hidepid=.  If you use some daemon like identd which needs to learn
>  information about processes information, just add identd to this group.

How is this better than just creating an entirely separate mount with a
different hidepid and a different gid owning it?  In any event,
usually gid= means that this gid is the group owner of inodes.  Let's
call it something different.  gid_override_hidepid might be credible.
But it's also really weird -- do different groups really see different
contents when they read a directory?

Alexey Gladkov Feb. 12, 2020, 4:03 p.m. UTC | #2
On Mon, Feb 10, 2020 at 10:29:23AM -0800, Andy Lutomirski wrote:
> On Mon, Feb 10, 2020 at 7:06 AM Alexey Gladkov <gladkov.alexey@gmail.com> wrote:
> >
> > Signed-off-by: Alexey Gladkov <gladkov.alexey@gmail.com>
> > ---
> >  Documentation/filesystems/proc.txt | 53 ++++++++++++++++++++++++++++++
> >  1 file changed, 53 insertions(+)
> >
> > diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt
> > index 99ca040e3f90..4741fd092f36 100644
> > --- a/Documentation/filesystems/proc.txt
> > +++ b/Documentation/filesystems/proc.txt
> > @@ -50,6 +50,8 @@ Table of Contents
> >    4    Configuring procfs
> >    4.1  Mount options
> >
> > +  5    Filesystem behavior
> > +
> >  ------------------------------------------------------------------------------
> >  Preface
> >  ------------------------------------------------------------------------------
> > @@ -2021,6 +2023,7 @@ The following mount options are supported:
> >
> >         hidepid=        Set /proc/<pid>/ access mode.
> >         gid=            Set the group authorized to learn processes information.
> > +       subset=         Show only the specified subset of procfs.
> >
> >  hidepid=0 means classic mode - everybody may access all /proc/<pid>/ directories
> >  (default).
> > @@ -2042,6 +2045,56 @@ information about running processes, whether some daemon runs with elevated
> >  privileges, whether other user runs some sensitive program, whether other users
> >  run any program at all, etc.
> >
> > +hidepid=4 means that procfs should only contain /proc/<pid>/ directories
> > +that the caller can ptrace.
> 
> I have a couple of minor nits here.
> 
> First, perhaps we could stop using magic numbers and use words.
> hidepid=ptraceable is actually comprehensible, whereas hidepid=4
> requires looking up what '4' means.

Do you mean to add string aliases for the values?

hidepid=0 == hidepid=default
hidepid=1 == hidepid=restrict
hidepid=2 == hidepid=ownonly
hidepid=4 == hidepid=ptraceable

Something like that?

> Second, there is PTRACE_MODE_ATTACH and PTRACE_MODE_READ.  Which is it?

This is PTRACE_MODE_READ.

> > +
> >  gid= defines a group authorized to learn processes information otherwise
> >  prohibited by hidepid=.  If you use some daemon like identd which needs to learn
> >  information about processes information, just add identd to this group.
> 
> How is this better than just creating an entirely separate mount with a
> different hidepid and a different gid owning it?

I'm not sure I understand the question. Now you cannot have two proc with
different hidepid in the same pid_namespace. 

> In any event,
> usually gid= means that this gid is the group owner of inodes.  Let's
> call it something different.  gid_override_hidepid might be credible.
> But it's also really weird -- do different groups really see different
> contents when they read a directory?

If you use hidepid=2,gid=wheel options then a user who is not in the wheel
group will see only their processes and a user in the wheel group will
see the whole tree. The gid= is a kind of whitelist for hidepid=1|2.
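
An added example, not part of the thread or the patch: a shell function that audits /proc/mounts-style lines for the hidepid= and gid= options discussed above, flagging proc mounts left at the default and mounts where a gid= group is exempt from hidepid. The function names, verdict labels and sample lines (including the numeric gid) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit procfs mount options from /proc/mounts-format input.
# Output per proc mount: "<mountpoint> hidepid=<v> gid=<g|-> <verdict>"
# Verdict labels (open / exempt-group / ok) are hypothetical names.

audit_proc_mounts() {
    awk '
    $3 == "proc" {
        hidepid = "0"; gid = "-"      # no hidepid= shown means hidepid=0 (default)
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^hidepid=/)  hidepid = substr(opts[i], 9)
            else if (opts[i] ~ /^gid=/) gid = substr(opts[i], 5)
        }
        verdict = "ok"
        if (hidepid == "0")  verdict = "open"          # everybody may access all /proc/<pid>/
        else if (gid != "-") verdict = "exempt-group"  # members of gid are not restricted
        printf "%s hidepid=%s gid=%s %s\n", $2, hidepid, gid, verdict
        seen[hidepid] = 1
    }
    END {
        k = 0
        for (h in seen) k++
        # Different values can only come from separate procfs instances.
        if (k > 1) print "NOTE mixed hidepid values across proc mounts"
    }'
}

# Constructed sample input (not captured from a real system).
sample_mounts() {
cat <<'EOF'
proc /proc proc rw,relatime,gid=10,hidepid=2 0 0
proc /tmp/proc proc rw,relatime,hidepid=1 0 0
proc /srv/jail/proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
EOF
}

sample_mounts | audit_proc_mounts
```

On a live system the same function can be fed with `audit_proc_mounts < /proc/mounts`.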

Patch

diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt
index 99ca040e3f90..4741fd092f36 100644
--- a/Documentation/filesystems/proc.txt
+++ b/Documentation/filesystems/proc.txt
@@ -50,6 +50,8 @@  Table of Contents
   4	Configuring procfs
   4.1	Mount options
 
+  5	Filesystem behavior
+
 ------------------------------------------------------------------------------
 Preface
 ------------------------------------------------------------------------------
@@ -2021,6 +2023,7 @@  The following mount options are supported:
 
 	hidepid=	Set /proc/<pid>/ access mode.
 	gid=		Set the group authorized to learn processes information.
+	subset=		Show only the specified subset of procfs.
 
 hidepid=0 means classic mode - everybody may access all /proc/<pid>/ directories
 (default).
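
Review bot: The subset= row added to the option table does not say which values the option accepts. The only value documented anywhere in this patch is pidfs, in the following hunk, so the row should either name it (for example "Show only the specified subset of procfs (currently: pidfs)") or the text should state what happens when an unrecognised value is passed.
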
@@ -2042,6 +2045,56 @@  information about running processes, whether some daemon runs with elevated
 privileges, whether other user runs some sensitive program, whether other users
 run any program at all, etc.
 
+hidepid=4 means that procfs should only contain /proc/<pid>/ directories
+that the caller can ptrace.
+
 gid= defines a group authorized to learn processes information otherwise
 prohibited by hidepid=.  If you use some daemon like identd which needs to learn
 information about processes information, just add identd to this group.
+
+subset=pidfs hides all top level files and directories in the procfs that
+are not related to tasks.
+
+------------------------------------------------------------------------------
+5 Filesystem behavior
+------------------------------------------------------------------------------
+
+Originally, before the advent of pid namepsace, procfs was a global file
+system. It means that there was only one procfs instance in the system.
+
+When pid namespace was added, a separate procfs instance was mounted in
+each pid namespace. So, procfs mount options are global among all
+mountpoints within the same namespace.
+
+# grep ^proc /proc/mounts
+proc /proc proc rw,relatime,hidepid=2 0 0
+
+# strace -e mount mount -o hidepid=1 -t proc proc /tmp/proc
+mount("proc", "/tmp/proc", "proc", 0, "hidepid=1") = 0
++++ exited with 0 +++
+
+# grep ^proc /proc/mounts
+proc /proc proc rw,relatime,hidepid=2 0 0
+proc /tmp/proc proc rw,relatime,hidepid=2 0 0
+
+and only after remounting procfs mount options will change at all
+mountpoints.
+
+# mount -o remount,hidepid=1 -t proc proc /tmp/proc
+
+# grep ^proc /proc/mounts
+proc /proc proc rw,relatime,hidepid=1 0 0
+proc /tmp/proc proc rw,relatime,hidepid=1 0 0
+
+This behavior is different from the behavior of other filesystems.
+
+The new procfs behavior is more like other filesystems. Each procfs mount
+creates a new procfs instance. Mount options affect own procfs instance.
+It means that it became possible to have several procfs instances
+displaying tasks with different filtering options in one pid namespace.
+
+# mount -o hidepid=2 -t proc proc /proc
+# mount -o hidepid=1 -t proc proc /tmp/proc
+# grep ^proc /proc/mounts
+proc /proc proc rw,relatime,hidepid=2 0 0
+proc /tmp/proc proc rw,relatime,hidepid=1 0 0
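
Review bot: The hidepid=4 paragraph says "directories that the caller can ptrace" without naming the ptrace access mode, and the gid= paragraph right after it does not say whether the group exemption also applies to hidepid=4. The author's reply in this thread says the check is PTRACE_MODE_READ and describes gid= as a whitelist for hidepid=1|2; both facts belong in the documentation text itself, since they decide who can see which processes. In the new section 5, "namepsace" should be "namespace", and the transition at "The new procfs behavior is more like other filesystems" would be clearer if the text said explicitly that the transcripts above it show the old behaviour, because both sets of examples use the same mount points.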