.The `hidepid=n` mount option is not supported in RHEL 8 `systemd`
The mount option `hidepid=n`, which controls who can access information in `/proc/[pid]` directories, is not compatible with `systemd` infrastructure provided in RHEL 8.
In addition, using this option might cause certain services started by `systemd` to produce SELinux AVC denial messages and prevent other operations from completing.
For more information, see the related Knowledgebase solution link:https://access.redhat.com/solutions/6704531[Is mounting /proc with "hidepid=2" recommended with RHEL7 and RHEL8?].
Description of problem:
Some customers used "hidepid=2,gid=xxx" in the past (up to RHEL7) to hide processes from other users.
With RHEL8, when setting such an option, we can see sys_ptrace and signull AVCs, which seem to prevent normal operations from completing, e.g.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(01/10/2022 15:35:30.024:31) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/10/2022 15:35:30.024:31) : arch=x86_64 syscall=kill success=no exit=EACCES(Permission denied) a0=0x4a1 a1=SIG0 a2=0x0 a3=0x0 items=0 ppid=1 pid=1148 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/10/2022 15:35:30.024:31) : avc: denied { signull } for pid=1148 comm=NetworkManager scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Above, NetworkManager tries to "ping" the NetworkManager-wait-online process
and
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(01/10/2022 15:35:32.650:49) : proctitle=/usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
type=SYSCALL msg=audit(01/10/2022 15:35:32.650:49) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=0xffffff9c a1=0x7ffe06a54920 a2=O_RDONLY a3=0x0 items=0 ppid=1133 pid=1213 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_nss exe=/usr/libexec/sssd/sssd_nss subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(01/10/2022 15:35:32.650:49) : avc: denied { sys_ptrace } for pid=1213 comm=sssd_nss capability=sys_ptrace scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Above, "sssd_nss" tries to open /proc/XXX/cmdline to verify the command line, which is typically used to verify who connects to the sssd Unix socket: this happens for "systemd --user" instances which do some sssd query.
The mount(8) manpage on RHEL8 doesn't list the option. The manpage on RHEL7 was only listing the "gid=xxx" option and was stating "I don't know which effect it has" ...
Please clarify whether "hidepid" is still supported as a proc mount option.
Version-Release number of selected component (if applicable):
kernel-4.18.0-348.7.1.el8_5.x86_64 and below
How reproducible:
Always
Steps to Reproduce:
1. Set options in /etc/fstab
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1000 0 0
2. Enable sssd
# yum -y install sssd
# authselect select sssd
3. Reboot and log in as some user
Actual results:
AVCs
Expected results:
Additional info:
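As an added example (not from the bug report or from Red Hat), a small Python check for the signature described above: it reads the hidepid= value off the /proc entry in fstab or /proc/mounts, then groups `ausearch -i` records by audit event serial and reports the events whose AVC denial is signull or sys_ptrace, joined with the syscall that failed. The sample audit text and fstab line are constructed from the two events and the reproduction step quoted in the report.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample input: trimmed copies of the two events from the report
# (ausearch -i format) and the /etc/fstab line from the reproduction steps.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(01/10/2022 15:35:30.024:31) : arch=x86_64 syscall=kill success=no exit=EACCES(Permission denied) pid=1148 comm=NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/10/2022 15:35:30.024:31) : avc: denied { signull } for pid=1148 comm=NetworkManager scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(01/10/2022 15:35:32.650:49) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) pid=1213 comm=sssd_nss subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(01/10/2022 15:35:32.650:49) : avc: denied { sys_ptrace } for pid=1213 comm=sssd_nss capability=sys_ptrace scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability permissive=0
"""
SAMPLE_MOUNTS = "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1000 0 0\n"

# Permissions seen in the AVCs once hidepid hides /proc/<pid> from a service.
HIDEPID_PERMS = {"signull", "sys_ptrace"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")
SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
EXIT_RE = re.compile(r"\bexit=(\w+)")

def proc_hidepid(mounts_text: str) -> Optional[str]:
    """Return the hidepid= value of the /proc mount (fstab or /proc/mounts layout), else None."""
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "/proc" and f[2] == "proc":
            for opt in f[3].split(","):
                if opt.startswith("hidepid="):
                    return opt.split("=", 1)[1]
    return None

def hidepid_denials(audit_text: str) -> List[Dict[str, str]]:
    """Group records by event serial; return one dict per event whose AVC denial
    matches the hidepid signature, with the failed syscall and its errno joined in."""
    events: Dict[str, Dict[str, str]] = defaultdict(dict)
    for line in audit_text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events[m.group(1)]
        if line.startswith("type=AVC"):
            d = DENIED_RE.search(line)
            if d:
                ev["perm"] = d.group(1)
            ev["comm"] = dict(FIELD_RE.findall(line)).get("comm", "?")
        elif line.startswith("type=SYSCALL"):
            ev["syscall"] = dict(FIELD_RE.findall(line)).get("syscall", "?")
            x = EXIT_RE.search(line)
            ev["exit"] = x.group(1) if x else "?"
    return [dict(serial=s, **e) for s, e in sorted(events.items(), key=lambda kv: int(kv[0]))
            if e.get("perm") in HIDEPID_PERMS]

if __name__ == "__main__":
    print("hidepid on /proc:", proc_hidepid(SAMPLE_MOUNTS))
    for ev in hidepid_denials(SAMPLE_AUDIT):
        print(ev)
```

To run it against a live system, feed `/proc/mounts` to `proc_hidepid` and the output of `ausearch -i -m AVC,SYSCALL` to `hidepid_denials`.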
I'm redirecting this BZ to systemd because systemd QE needs to make sure everything works with "hidepid=2,gid=xxx".
With special properties such as PrivateXXX and ProtectSystem, I doubt this works.
In particular we can see NetworkManager fails to ping nm-online (see BZ #2039725).
On the SSSD side, sssd_nss doesn't seem to work anymore (see BZ #2039730).
(In reply to Renaud Métrich from comment #4)
> I'm redirecting this BZ to systemd because systemd QE needs to make sure
> everything works with "hidepid=2,gid=xxx".
> With special properties such as PrivateXXX and ProtectSystem, I doubt this
> works.
It doesn't, see https://github.com/systemd/systemd/issues/12955#issuecomment-508490893 .
OK, then we need to have the doc mention this clearly.
Ideally the proc(5) should also have a note stating that this cannot be used on systemd systems.