
proc: checks system security policy before trying to get personalities #639

Merged
merged 1 commit into from
May 2, 2024

Conversation

HorlogeSkynet
Contributor

@HorlogeSkynet HorlogeSkynet commented May 1, 2024


(partially) closes #636 (re-submission of #637).

096972f and fc8f593 introduced task personality retrieval to fix
incorrect /proc file info in some cases.
Linux governs access to personalities based on the system ptrace policy,
which may be restricted by an LSM (e.g. Yama).

This patch implements a simple check of init's personality access to
make sure ptrace usage is allowed, and, if not, refuses access from containers to
proc files with a "Permission denied" error.

> closes #636 (follow-up to #553 and #609).

Signed-off-by: Samuel FORESTIER <samuel+dev@forestier.app>
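As an added illustration of the check described above (this is not code from this PR or from LXCFS), the probe below reads `/proc/<pid>/personality` and maps an `EACCES`/`EPERM` failure to a "denied" verdict, which is what a ptrace access restriction from Yama or another LSM looks like from userspace. The function and enum names are assumptions; the `/proc/<pid>/personality` path and the hex format of its contents are the kernel's.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Verdict of the policy probe (names are this example's, not LXCFS's). */
enum persona_access {
    PERSONA_OK = 0,          /* personality readable: ptrace access permitted */
    PERSONA_DENIED = 1,      /* kernel refused: ptrace policy / LSM restriction */
    PERSONA_UNAVAILABLE = 2  /* some other failure (no /proc, no such task, ...) */
};

/* Map the errno from open()/read() on /proc/<pid>/personality to a verdict.
 * The kernel gates that file with a PTRACE_MODE_ATTACH access check, so
 * EACCES or EPERM means the ptrace policy (e.g. Yama) denied us. */
enum persona_access classify_personality_errno(int err)
{
    switch (err) {
    case 0:
        return PERSONA_OK;
    case EACCES:
    case EPERM:
        return PERSONA_DENIED;
    default:
        return PERSONA_UNAVAILABLE;
    }
}

/* Parse the hexadecimal value the kernel writes (e.g. "0\n" or "800000\n").
 * Returns 0 on success, -1 if the buffer is not a hex number. */
int parse_personality(const char *buf, unsigned long *out)
{
    char *end = NULL;
    errno = 0;
    unsigned long v = strtoul(buf, &end, 16);
    if (end == buf || errno != 0)
        return -1;
    *out = v;
    return 0;
}

/* Probe /proc/<pid>/personality. On PERSONA_OK, *persona holds the value;
 * otherwise *err_out holds the errno that caused the verdict. The access
 * check can fire at open() or at read(), so both paths are handled. */
enum persona_access probe_personality_access(pid_t pid, unsigned long *persona,
                                             int *err_out)
{
    char path[64];
    char buf[32];

    snprintf(path, sizeof path, "/proc/%d/personality", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        *err_out = errno;
        return classify_personality_errno(errno);
    }
    ssize_t n = read(fd, buf, sizeof buf - 1);
    int saved = errno;
    close(fd);
    if (n < 0) {
        *err_out = saved;
        return classify_personality_errno(saved);
    }
    buf[n] = '\0';
    if (parse_personality(buf, persona) != 0) {
        *err_out = EINVAL;
        return PERSONA_UNAVAILABLE;
    }
    *err_out = 0;
    return PERSONA_OK;
}

int main(void)
{
    /* Probe init, as the PR does, to learn whether ptrace access is permitted. */
    unsigned long persona = 0;
    int err = 0;
    enum persona_access v = probe_personality_access(1, &persona, &err);

    if (v == PERSONA_OK)
        printf("pid 1 personality 0x%lx: ptrace access permitted\n", persona);
    else if (v == PERSONA_DENIED)
        printf("pid 1 personality denied (%s): ptrace policy restricts access\n",
               strerror(err));
    else
        printf("pid 1 personality unavailable (%s)\n", strerror(err));
    return 0;
}
```

Run as an unprivileged user on a host with Yama's `ptrace_scope` set to 1 or higher, the probe of pid 1 reports the denied verdict; that is the condition the PR turns into a "Permission denied" answer for containers instead of serving wrong /proc data.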
@HorlogeSkynet HorlogeSkynet force-pushed the check_personality_access_policy branch from 06021d2 to 276cc1c Compare May 1, 2024 09:10
@stgraber stgraber requested a review from mihalicyn May 1, 2024 22:16
@stgraber
Member

stgraber commented May 1, 2024

@mihalicyn can you review this one?

@mihalicyn
Member

Hi @HorlogeSkynet

please don't close the PR each time you need to update it. (hint: you can use git rebase / git push -f)

Previous PR #637


@mihalicyn mihalicyn left a comment


LGTM

@stgraber stgraber merged commit 9b873a1 into lxc:main May 2, 2024
10 checks passed
@HorlogeSkynet HorlogeSkynet deleted the check_personality_access_policy branch May 2, 2024 18:50
HorlogeSkynet added a commit to HorlogeSkynet/sysctl that referenced this pull request May 2, 2024
Successfully merging this pull request may close these issues.

Errors related to personality retrieval with Yama