
Bug #16074

Re-enable hidepid

Added by intrigeri about 1 year ago. Updated 10 days ago.

Status: Needs Validation
Priority: Low
Assignee:
Category: -
Target version:
Start date: 10/25/2018
Due date:
% Done: 0%
Feature Branch: bug/16074-re-enable-hidepid+force-all-tests
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

When porting to Jessie we tried to enable the hidepid=2 hardening feature but we reverted it as it broke stuff (e.g. #8256). It seems one can make hidepid=2 work:

  • pass gid=<gid> mount option for /proc
  • give systemd-logind.service the SupplementaryGroups=<gid> option
  • possibly some more services need to have SupplementaryGroups=<gid>, e.g. polkitd; testing will tell
  • add the polkitd user to the <gid> group

See https://wiki.debian.org/Hardening#Mounting_.2Fproc_with_hidepid for details and possibly more up-to-date info.


Related issues

Blocked by Tails - Bug #17265: devel branch FTBFS since torbrowser-launcher 0.3.2-4 was uploaded to sid Confirmed

History

#1 Updated by intrigeri about 1 year ago

  • Type of work changed from Code to Test

I'll try that on my own system and if it's good enough there, chances are that it'll work for Tails too :)

#2 Updated by intrigeri 12 months ago

  • Description updated (diff)

#3 Updated by denkxor about 1 month ago

I started implementing this here: https://gitlab.com/denkxor/tails/tree/bug/16074-re-enable-hidepid
I don't know how to modify the systemd-logind unit file because I could not find it. Could anybody point me to the location where I can find the systemd unit files?

#4 Updated by intrigeri 29 days ago

> I started implementing this […]

Great!

> I don't know how to modify the systemd-logind unit file because I could not find it. Could anybody point me to the location where I can find the systemd unit files?

systemctl status systemd-logind will tell you where the unit file lives, that is: /lib/systemd/system/systemd-logind.service.

But we don't modify unit files directly, instead we use drop-in snippets to amend them. The link in the ticket description documents how to do so for this very use case :)

#5 Updated by denkxor 23 days ago

intrigeri wrote:

> But we don't modify unit files directly, instead we use drop-in snippets to amend them. The link in the ticket description documents how to do so for this very use case :)

Oops, sorry, missed that. Thank you for the hint.
I updated the above branch. ATM I have no setup to build tails images or run automatic tests myself, so would be great if someone could do so.

#6 Updated by intrigeri 22 days ago

  • Status changed from Confirmed to In Progress
  • Assignee changed from intrigeri to denkxor

Hi!

> I updated the above branch.

Great, thanks!

This looks mostly good to me. In particular, I really appreciate the detailed commit messages! :)

Two comments:

  • I'd rather use a GID > 150 for the newly introduced group. Rationale: we've had lots of trouble with shifting UIDs/GIDs (see e.g. config/chroot_local-hooks/04-change-gids-and-uids) and picking a larger one decreases the risk this new group will itself cause trouble further down the road.
  • I think I'd slightly prefer if the mount options were set in config/chroot_local-includes/etc/fstab, i.e. in a declarative manner, and the config/chroot_local-includes/lib/live/config/1000-remount-procfs script only remounted /proc. FWIW, that's how hidepid was implemented initially: c77ddc0a81a37721f36b44741f21908994571b08 and 18f6064f68175e4ccf22bf4ac0c120c9f90ead11. What do you think? I'm not completely stuck on this opinion.

At this stage, feel free to rewrite the history of your branch to implement these follow-up fixes.

> ATM I have no setup to build tails images or run automatic tests myself, so would be great if someone could do so.

Sure, a Foundations Team member will do this once the code review passes :)

Lastly, I've given you "Contributor" status here, so you can now update metadata on this ticket, which you'll need for submitting your branch via the documented process :)
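The setup sketched in the ticket description (a gid= mount option on /proc, a SupplementaryGroups drop-in for systemd-logind, a group that polkitd belongs to) written the declarative way suggested in this comment: options in /etc/fstab, and a hook that only remounts /proc. This is an added example, not code from the denkxor branch or from Tails; it stages the files into a directory tree passed as an argument so it can be run unprivileged and inspected. The group name proc-readers is a hypothetical placeholder, GID 151 is the value the branch settled on, and the drop-in path and option names are the standard systemd ones documented in the Debian wiki link above.

```shell
#!/bin/sh
# Added example (not the branch's code): stage the hidepid=2 configuration
# from the ticket into a directory tree, like a chroot_local-includes overlay.
set -eu

PROC_GROUP="${PROC_GROUP:-proc-readers}"   # hypothetical group name
PROC_GID="${PROC_GID:-151}"                # GID chosen in the ticket

# Declarative part: the /proc line for /etc/fstab. hidepid=2 hides other
# users' processes; gid=<gid> exempts members of that group (logind, polkitd).
proc_fstab_line() {
    printf 'proc /proc proc defaults,hidepid=2,gid=%s 0 0\n' "$PROC_GID"
}

# Commands to run inside the chroot on a real build (needs root there):
# create the group with a fixed GID and add polkitd to it.
group_setup_cmds() {
    printf 'groupadd -g %s %s\n' "$PROC_GID" "$PROC_GROUP"
    printf 'usermod -a -G %s polkitd\n' "$PROC_GROUP"
}

# What the live-config hook then does: only remount /proc so the fstab
# options take effect (no options repeated on the command line).
remount_proc_cmd() {
    printf 'mount -o remount /proc\n'
}

# Write the fstab entry and the logind drop-in into $1 (a staging root).
stage_hidepid_config() {
    root="$1"
    dropin_dir="$root/etc/systemd/system/systemd-logind.service.d"
    mkdir -p "$root/etc" "$dropin_dir"
    proc_fstab_line >> "$root/etc/fstab"
    # Drop-in snippet: amends the shipped unit without editing it.
    cat > "$dropin_dir/hidepid.conf" <<EOF
[Service]
SupplementaryGroups=$PROC_GROUP
EOF
}

# Check: the staged tree carries hidepid=2 with the matching gid, and logind
# gets the group it needs to keep seeing every PID. Returns 0 on success.
check_staged() {
    root="$1"
    grep -q "hidepid=2,gid=$PROC_GID" "$root/etc/fstab" || return 1
    grep -q "^SupplementaryGroups=$PROC_GROUP\$" \
        "$root/etc/systemd/system/systemd-logind.service.d/hidepid.conf" || return 1
    return 0
}

# Usage: stage into a scratch directory and verify it.
if [ "${1:-}" = "--demo" ]; then
    demo_root="$(mktemp -d)"
    stage_hidepid_config "$demo_root"
    check_staged "$demo_root" && echo "staged OK under $demo_root"
    group_setup_cmds
    remount_proc_cmd
fi
```

On a real system the check that matters after the remount is that `systemctl status systemd-logind` and polkit still work for an unprivileged session (the failure mode from #8256) while `ls /proc` as that user shows only its own PIDs.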

#7 Updated by denkxor 15 days ago

  • Status changed from In Progress to Needs Validation
  • Assignee changed from denkxor to intrigeri
  • Feature Branch set to https://gitlab.com/denkxor/tails/tree/bug/16074-re-enable-hidepid

intrigeri wrote:

> • I'd rather use a GID > 150 for the newly introduced group. Rationale: we've had lots of trouble with shifting UIDs/GIDs (see e.g. config/chroot_local-hooks/04-change-gids-and-uids) and picking a larger one decreases the risk this new group will itself cause trouble further down the road.

Good point, I didn't know whether there are rules on how to use GIDs. Now GID 151 is used.

> • I think I'd slightly prefer if the mount options were set in config/chroot_local-includes/etc/fstab, i.e. in a declarative manner, and the config/chroot_local-includes/lib/live/config/1000-remount-procfs script only remounted /proc. FWIW, that's how hidepid was implemented initially: c77ddc0a81a37721f36b44741f21908994571b08 and 18f6064f68175e4ccf22bf4ac0c120c9f90ead11. What do you think? I'm not completely stuck on this opinion.

Sounds reasonable, changed this.

> At this stage, feel free to rewrite the history of your branch to implement these follow-up fixes.

Ok, changes are in this branch: https://gitlab.com/denkxor/tails/tree/bug/16074-re-enable-hidepid

Would be great if someone could review this. I'm worried that simply adding a /etc/fstab file could break things, since when you boot tails there is a non-empty /etc/fstab file. But I don't know how all this is expected to work.

#8 Updated by intrigeri 10 days ago

  • Blocked by Bug #17265: devel branch FTBFS since torbrowser-launcher 0.3.2-4 was uploaded to sid added

#9 Updated by intrigeri 10 days ago

  • Feature Branch changed from https://gitlab.com/denkxor/tails/tree/bug/16074-re-enable-hidepid to bug/16074-re-enable-hidepid+force-all-tests

Code review passes, woohoo! I've pushed your branch to our CI. Builds and tests will run there once we've fixed #17265.

#10 Updated by intrigeri 10 days ago

  • Target version set to Tails_4.5
  • Type of work changed from Test to Code

This is subject to change, but for now our next major release is supposed to be 4.5. The topic branch is based on devel which is used to build major releases (https://tails.boum.org/contribute/git/#branches); regardless, I'd feel slightly more comfortable if this went in a RC first. If someone disagrees and prefers seeing this released earlier, I'm open to discussing it.
