
Command to mount /proc with subset=pid #6491

Open
rusty-snake opened this issue Sep 27, 2024 · 3 comments
Labels
enhancement New feature request

Comments

@rusty-snake
Collaborator

rusty-snake commented Sep 27, 2024

Is your feature request related to a problem? Please describe.

System information exposed in various proc files such as cmdline, kallsyms, ... can contain sensitive information. A lot of programs work w/o them.

Describe the solution you'd like

Mount proc with subset=pid. On older kernels where subset=pid isn't supported, we should ignore it if it was requested in a profile and proceed without it; if it was requested on the cli, we should hard-error.

This needs to be opt-in, so suggestions for the command name are welcome (for crabjail I currently use the bulky fs._proc-exposes-system-information to turn it off and --mount-proc-subset=pid in crablock to turn it on; systemd uses ProcSubset=pid to turn it on).

Describe alternatives you've considered

We have disable-proc.inc, but enumerating badness does not work as well as subset=pid does.
Also some programs fail on EACCES but have a fallback for ENOENT.

Downside: subset=pid is all or nothing. You cannot mkdir/mknod in proc and bind something on it.

Additional context

Previous discussions:

@rusty-snake rusty-snake added the enhancement New feature request label Sep 27, 2024
@rusty-snake
Collaborator Author

$ crablock --mount-proc --mount-proc-subset= -- ls /proc
1	    diskstats	   keys		  mounts	swaps
2	    dma		   key-users	  mtd		sys
acpi	    driver	   kmsg		  mtrr		sysrq-trigger
asound	    dynamic_debug  kpagecgroup	  net		sysvipc
bootconfig  execdomains    kpagecount	  pagetypeinfo	thread-self
buddyinfo   filesystems    kpageflags	  partitions	timer_list
bus	    fs		   latency_stats  pressure	tty
cgroups     interrupts	   loadavg	  schedstat	uptime
cmdline     iomem	   locks	  scsi		version
consoles    ioports	   mdstat	  self		vmallocinfo
cpuinfo     irq		   meminfo	  slabinfo	vmstat
crypto	    kallsyms	   misc		  softirqs	zoneinfo
devices     kcore	   modules	  stat
$ crablock --mount-proc --mount-proc-subset=pid -- ls /proc
1  2  self  thread-self

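As an added example (not part of this issue or the project's own code), a small C program that does what the request describes: it mounts a fresh proc with subset=pid inside an unprivileged user, mount and pid namespace and applies the proposed fallback policy (an unsupported option is ignored when it came from a profile and is a hard error when it came from the CLI). It assumes a kernel without subset=pid support rejects the option with EINVAL, and that unprivileged user namespaces are enabled.

```c
/* Added example: mount proc with subset=pid and fall back the way the issue proposes. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Policy from the issue: if subset=pid is unsupported, ignore it when it came
 * from a profile, but fail hard when the user asked for it on the command line.
 * Assumption: kernels without the option (before 5.8) reject it with EINVAL. */
static int should_retry_without_subset(int err, int from_cli)
{
    return err == EINVAL && !from_cli;
}

/* Returns 1 if proc was mounted with subset=pid, 0 if it was mounted without
 * the option after a permitted fallback, -1 on failure (errno is set). */
static int mount_proc_subset(const char *target, int from_cli)
{
    const unsigned long flags = MS_NOSUID | MS_NODEV | MS_NOEXEC;
    if (mount("proc", target, "proc", flags, "subset=pid") == 0)
        return 1;
    if (!should_retry_without_subset(errno, from_cli))
        return -1;
    return mount("proc", target, "proc", flags, NULL) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    int from_cli = argc > 1;  /* any argument means "requested on the CLI" */
    /* A new user namespace lets an unprivileged user create mount and pid
     * namespaces; the new pid namespace only applies to children, so fork. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID) != 0) {
        perror("unshare");
        return 1;
    }
    pid_t pid = fork();
    if (pid == 0) {
        int r = mount_proc_subset("/proc", from_cli);
        if (r < 0) { perror("mount proc"); _exit(1); }
        fprintf(stderr, "proc mounted %s subset=pid\n", r ? "with" : "without");
        execlp("ls", "ls", "/proc", (char *)NULL);  /* expect: 1 self thread-self */
        perror("execlp"); _exit(1);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run it without arguments to get the profile behaviour (silent fallback on an old kernel) and with any argument to get the CLI behaviour (mount fails instead of silently exposing the full proc).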
@kmk3
Collaborator

kmk3 commented Sep 27, 2024

+1

It would be nice to have a command for hidepid=n as well.

@rusty-snake
Collaborator Author

While it would be nice to have, it is not very useful because of the unshared pid namespace. So you need processes with different uids running in the sandbox.
