netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Command to mount `/proc` with `subset=pid` #6491

Open rusty-snake opened 1 month ago

rusty-snake commented 1 month ago

Is your feature request related to a problem? Please describe.

System information exposed in various proc files such as cmdline, kallsyms, ... can contain sensitive information. A lot of programs work w/o them.

Describe the solution you'd like

Mount proc with subset=pid. On older kernels where subset=pid isn't supported, we should ignore it if it was requested in a profile and proceed without it; if it was requested on the CLI, we should hard-error.

This needs to be opt-in, so suggestions for the command name are welcome (for crabjail I currently use the bulky fs._proc-exposes-system-information to turn it off and --mount-proc-subset=pid in crablock to turn it on; systemd uses ProcSubset=pid to turn it on).

Describe alternatives you've considered

We have disable-proc.inc, but enumerating badness does not work as well as subset=pid does. Also, some programs fail on EACCES but have a fallback for ENOENT.

Downside: subset=pid is all or nothing. You cannot mkdir/mknod in proc and bind something on it.

Additional context

Previous discussions:

rusty-snake commented 1 month ago

$ crablock --mount-proc --mount-proc-subset= -- ls /proc
1           diskstats      keys           mounts        swaps
2           dma            key-users      mtd           sys
acpi        driver         kmsg           mtrr          sysrq-trigger
asound      dynamic_debug  kpagecgroup    net           sysvipc
bootconfig  execdomains    kpagecount     pagetypeinfo  thread-self
buddyinfo   filesystems    kpageflags     partitions    timer_list
bus         fs             latency_stats  pressure      tty
cgroups     interrupts     loadavg        schedstat     uptime
cmdline     iomem          locks          scsi          version
consoles    ioports        mdstat         self          vmallocinfo
cpuinfo     irq            meminfo        slabinfo      vmstat
crypto      kallsyms       misc           softirqs      zoneinfo
devices     kcore          modules        stat
$ crablock --mount-proc --mount-proc-subset=pid -- ls /proc
1  2  self  thread-self
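As an added illustration of the fallback behaviour the issue asks for (this is not firejail's or crablock's code; names are hypothetical): a helper that mounts a fresh proc with subset=pid and, when the kernel rejects the option with EINVAL (kernels before 5.8), either falls back to a full proc for a profile request or fails hard for a command-line request. The mount(2) call is injected so the logic can be exercised unprivileged with two constructed fakes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Hypothetical helper, not firejail's code. The mount call is injected so the
 * decision logic can be tested without CAP_SYS_ADMIN. */
typedef int (*mount_fn)(const char *, const char *, const char *,
                        unsigned long, const void *);

enum { PROC_SUBSET_PID = 0, PROC_FULL_FALLBACK = 1, PROC_MOUNT_FAILED = -1 };

/* Mount a fresh procfs at `target` with subset=pid (Linux 5.8+). Older kernels
 * reject the unknown option with EINVAL: a profile request then falls back to
 * a full proc with a warning, a command-line request is a hard error. */
int mount_proc_subset_pid(mount_fn do_mount, const char *target, int from_cli)
{
    unsigned long flags = MS_NOSUID | MS_NODEV | MS_NOEXEC;
    if (do_mount("proc", target, "proc", flags, "subset=pid") == 0)
        return PROC_SUBSET_PID;
    if (errno != EINVAL) {
        perror("mount proc subset=pid");
        return PROC_MOUNT_FAILED;
    }
    if (from_cli) {
        fprintf(stderr, "error: this kernel does not support subset=pid\n");
        return PROC_MOUNT_FAILED;
    }
    fprintf(stderr, "warning: subset=pid unsupported, mounting full proc\n");
    if (do_mount("proc", target, "proc", flags, NULL) == 0)
        return PROC_FULL_FALLBACK;
    perror("mount proc");
    return PROC_MOUNT_FAILED;
}

/* Constructed fakes standing in for a new and an old kernel. */
int fake_new_kernel(const char *s, const char *t, const char *ty,
                    unsigned long f, const void *d)
{ (void)s; (void)t; (void)ty; (void)f; (void)d; return 0; }

int fake_old_kernel(const char *s, const char *t, const char *ty,
                    unsigned long f, const void *d)
{
    (void)s; (void)t; (void)ty; (void)f;
    if (d && strstr((const char *)d, "subset=pid")) { errno = EINVAL; return -1; }
    return 0;
}

/* Real use: run inside a new mount+pid namespace where mount(2) is permitted. */
int main(void) { return mount_proc_subset_pid(mount, "/proc", 1) < 0; }
```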
kmk3 commented 1 month ago

+1

It would be nice to have a command for hidepid=n as well.

rusty-snake commented 1 month ago

While it would be nice to have, it is not very useful because of the unshared pid namespace. So you need processes with different uids running in the sandbox.