[PATCH v6 00/10] proc: modernize proc to support multiple private instances
Alexey Dobriyan
adobriyan at gmail.com
Mon Jan 6 15:15:14 UTC 2020
> hidepid= Set /proc/<pid>/ access mode.
> gid= Set the group authorized to learn processes information.
> + pidonly= Show only task related subset of procfs.
I'd rather have
mount -t proc -o set=pid
so that is can be naturally extended to
mount -t proc -o set=pid,sysctl,misc
> +static int proc_dir_open(struct inode *inode, struct file *file)
> +{
> + struct proc_fs_info *fs_info = proc_sb_info(inode->i_sb);
> +
> + if (proc_fs_pidonly(fs_info) == PROC_PIDONLY_ON)
> + return -ENOENT;
> +
> + return 0;
> +}
> +
> /*
> * These are the generic /proc directory operations. They
> * use the in-memory "struct proc_dir_entry" tree to parse
> @@ -338,6 +357,7 @@ static const struct file_operations proc_dir_operations = {
> .llseek = generic_file_llseek,
> .read = generic_read_dir,
> .iterate_shared = proc_readdir,
> + .open = proc_dir_open,
This should not be necessary: if lookup and readdir filters work
then ->open can't happen.
> static int proc_reg_open(struct inode *inode, struct file *file)
> {
> + struct proc_fs_info *fs_info = proc_sb_info(inode->i_sb);
> struct proc_dir_entry *pde = PDE(inode);
> int rv = 0;
> typeof_member(struct file_operations, open) open;
> typeof_member(struct file_operations, release) release;
> struct pde_opener *pdeo;
>
> + if (proc_fs_pidonly(fs_info) == PROC_PIDONLY_ON)
> + return -ENOENT;
Ditto. Can't open what can't be looked up.
> --- a/include/linux/proc_fs.h
> +++ b/include/linux/proc_fs.h
> +/* definitions for hide_pid field */
> +enum {
> + HIDEPID_OFF = 0,
> + HIDEPID_NO_ACCESS = 1,
> + HIDEPID_INVISIBLE = 2,
> + HIDEPID_NOT_PTRACABLE = 3, /* Limit pids to only ptracable pids */
> +};
These should live in uapi/ as they _are_ user interface to mount().
More information about the Linux-security-module-archive
mailing list