[PATCH v6 00/10] proc: modernize proc to support multiple private instances
Alexey Gladkov
gladkov.alexey at gmail.com
Wed Jan 8 10:37:41 UTC 2020
On Mon, Jan 06, 2020 at 06:15:14PM +0300, Alexey Dobriyan wrote:
> > hidepid= Set /proc/<pid>/ access mode.
> > gid= Set the group authorized to learn processes information.
> > + pidonly= Show only task related subset of procfs.
>
> I'd rather have
>
> mount -t proc -o set=pid
This is a great idea.
> so that is can be naturally extended to
>
> mount -t proc -o set=pid,sysctl,misc
>
> > +static int proc_dir_open(struct inode *inode, struct file *file)
> > +{
> > + struct proc_fs_info *fs_info = proc_sb_info(inode->i_sb);
> > +
> > + if (proc_fs_pidonly(fs_info) == PROC_PIDONLY_ON)
> > + return -ENOENT;
> > +
> > + return 0;
> > +}
> > +
> > /*
> > * These are the generic /proc directory operations. They
> > * use the in-memory "struct proc_dir_entry" tree to parse
> > @@ -338,6 +357,7 @@ static const struct file_operations proc_dir_operations = {
> > .llseek = generic_file_llseek,
> > .read = generic_read_dir,
> > .iterate_shared = proc_readdir,
> > + .open = proc_dir_open,
>
> This should not be necessary: if lookup and readdir filters work
> then ->open can't happen.
Yes you are right.
> > --- a/include/linux/proc_fs.h
> > +++ b/include/linux/proc_fs.h
> > +/* definitions for hide_pid field */
> > +enum {
> > + HIDEPID_OFF = 0,
> > + HIDEPID_NO_ACCESS = 1,
> > + HIDEPID_INVISIBLE = 2,
> > + HIDEPID_NOT_PTRACABLE = 3, /* Limit pids to only ptracable pids */
> > +};
>
> These should live in uapi/ as they _are_ user interface to mount().
OK.
What do you think, maybe it's better to make these values a mask ?
I mean:
#define HIDEPID_OFF 0
#define HIDEPID_NO_ACCESS 1
#define HIDEPID_INVISIBLE 2
#define HIDEPID_NOT_PTRACABLE 4
In this case, if in the future there appear values that can be combined,
then there will be no need to make additional parameters.
--
Rgrds, legion
More information about the Linux-security-module-archive
mailing list