Re: [PATCH RFC v2 5/6] proc: instantiate only pids that we can ptrace on... | linux-api

[PATCH RFC v2 0/6] proc: support private proc instances per pidnamespace · Djalal Harouni <hidden> · 2017-04-25
[PATCH RFC v2 1/6] proc: add proc_fs_info struct to store proc information · Djalal Harouni <hidden> · 2017-04-25
[PATCH RFC v2 2/6] proc: move /proc/{self|thread-self} dentries to proc_fs_info · Djalal Harouni <hidden> · 2017-04-25
[PATCH RFC v2 3/6] proc: add helpers to set and get proc hidepid and gid mount options · Djalal Harouni <hidden> · 2017-04-25
[PATCH RFC v2 4/6] proc: support mounting private procfs instances inside same pid namespace · Djalal Harouni <hidden> · 2017-04-25
Re: [PATCH RFC v2 4/6] proc: support mounting private procfs instances inside same pid namespace · Andy Lutomirski <luto@kernel.org> · 2017-04-26
Re: [PATCH RFC v2 4/6] proc: support mounting private procfs instances inside same pid namespace · Djalal Harouni <hidden> · 2017-05-02
Re: [PATCH RFC v2 4/6] proc: support mounting private procfs instances inside same pid namespace · Andy Lutomirski <luto@kernel.org> · 2017-05-02
Re: [PATCH RFC v2 4/6] proc: support mounting private procfs instances inside same pid namespace · Djalal Harouni <hidden> · 2017-05-03
[PATCH RFC v2 5/6] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option · Djalal Harouni <hidden> · 2017-04-25
Re: [PATCH RFC v2 5/6] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option · Andy Lutomirski <luto@kernel.org> · 2017-04-26
Re: [PATCH RFC v2 5/6] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option · Djalal Harouni <hidden> · 2017-05-02
[PATCH RFC v2 6/6] proc: flush task dcache entries from all procfs instances · Djalal Harouni <hidden> · 2017-04-25

Re: [PATCH RFC v2 5/6] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option

From: Andy Lutomirski <luto@kernel.org>
Date: 2017-04-26 22:09:09
Also in: linux-fsdevel, linux-security-module, lkml

On Tue, Apr 25, 2017 at 5:23 AM, Djalal Harouni [off-list ref] wrote:

quoted hunk ↗ jump to hunk

If "limit_pids=1" mount option is set then do not instantiate pids that
we can not ptrace. "limit_pids=1" means that procfs should only contain
pids that the caller can ptrace.

Cc: Kees Cook <redacted>
Cc: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Djalal Harouni <redacted>
---
 fs/proc/base.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 2e0f661..a663284 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c

@@ -3149,6 +3149,7 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
        unsigned tgid;
        struct proc_fs_info *fs_info = proc_sb(dir->i_sb);
        struct pid_namespace *ns = fs_info->pid_ns;
+       int limit_pids = proc_fs_limit_pids(fs_info);

Shouldn't the addition of proc_fs_limit_pids() be in this patch?

Also, can we name it something self-documented?
"ptraceable_pids_only=1", perhaps?  Or even pids=ptraceable (as
opposed to pids=all or maybe other choices in the future)?

--Andy

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help