Bug 2038929 - Please clarify whether "hidepid" is still supported as proc mount option
Summary: Please clarify whether "hidepid" is still supported as proc mount option
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: Documentation
Version: 8.5
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Assignee: Šárka Jana
QA Contact:
Šárka Jana
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-10 15:09 UTC by Renaud Métrich
Modified: 2022-09-26 14:09 UTC (History)

Fixed In Version:
Doc Type: Deprecated Functionality
Doc Text:
.The `hidepid=n` mount option is not supported in RHEL 8 `systemd`

The mount option `hidepid=n`, which controls who can access information in `/proc/[pid]` directories, is not compatible with the `systemd` infrastructure provided in RHEL 8. In addition, using this option might cause certain services started by `systemd` to produce SELinux AVC denial messages and prevent other operations from completing. For more information, see the related Knowledgebase solution link:https://access.redhat.com/solutions/6704531[Is mounting /proc with "hidepid=2" recommended with RHEL7 and RHEL8?].
Clone Of:
Environment:
Last Closed: 2022-02-04 15:59:15 UTC
Type: Bug
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-107302 0 None None None 2022-01-10 15:26:20 UTC

Description Renaud Métrich 2022-01-10 15:09:14 UTC
Description of problem:

Some customers used "hidepid=2,gid=xxx" in the past (up to RHEL7) to hide processes from other users.
With RHEL8, when setting such an option, we can see sys_ptrace and signull AVCs, which seem to prevent normal operations from completing, e.g.

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(01/10/2022 15:35:30.024:31) : proctitle=/usr/sbin/NetworkManager --no-daemon 
type=SYSCALL msg=audit(01/10/2022 15:35:30.024:31) : arch=x86_64 syscall=kill success=no exit=EACCES(Permission denied) a0=0x4a1 a1=SIG0 a2=0x0 a3=0x0 items=0 ppid=1 pid=1148 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(01/10/2022 15:35:30.024:31) : avc:  denied  { signull } for  pid=1148 comm=NetworkManager scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Here above, NetworkManager tries to "ping" the NetworkManager-wait-online process

and

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(01/10/2022 15:35:32.650:49) : proctitle=/usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files 
type=SYSCALL msg=audit(01/10/2022 15:35:32.650:49) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=0xffffff9c a1=0x7ffe06a54920 a2=O_RDONLY a3=0x0 items=0 ppid=1133 pid=1213 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_nss exe=/usr/libexec/sssd/sssd_nss subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(01/10/2022 15:35:32.650:49) : avc:  denied  { sys_ptrace } for  pid=1213 comm=sssd_nss capability=sys_ptrace  scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability permissive=0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Here above, "sssd_nss" tries to open /proc/XXX/cmdline to verify the command line, which is typically used to verify who connects to the sssd Unix socket; this happens for "systemd --user" instances that do some sssd query.

The mount(8) manpage on RHEL8 doesn't list the option. The manpage on RHEL7 only listed the "gid=xxx" option and stated "I don't know which effect it has" ...

Please clarify whether "hidepid" is still supported as proc mount option.

Version-Release number of selected component (if applicable):

kernel-4.18.0-348.7.1.el8_5.x86_64 and below

How reproducible:

Always

Steps to Reproduce:
1. Set options in /etc/fstab

  proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1000 0 0

2. Enable sssd

  # yum -y install sssd
  # authselect select sssd

3. Reboot and log in as some user

Actual results:

AVCs

Expected results:


Additional info:
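As an added example (not part of the bug report or of any Red Hat tooling), the following script does the two checks an administrator investigating this report would want: it parses the `/proc` fstab entry to confirm whether `hidepid` and an exempt `gid` are set, and it walks `ausearch -i`-style audit output, joining each AVC record to its SYSCALL record by the audit event serial so that the denied permission can be read together with the failing syscall and errno. The sample input is constructed from the fstab line and the audit records quoted above; the regular expressions, field names and helper names are this example's own assumptions, and only the fstab column layout is handled (not `/proc/self/mountinfo`).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the /proc entry from the report's "Steps to Reproduce".
FSTAB_LINE = "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1000 0 0"

# Constructed sample: the two audit events quoted in the report (ausearch -i format).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(01/10/2022 15:35:30.024:31) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/10/2022 15:35:30.024:31) : arch=x86_64 syscall=kill success=no exit=EACCES(Permission denied) a0=0x4a1 a1=SIG0 a2=0x0 a3=0x0 items=0 ppid=1 pid=1148 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/10/2022 15:35:30.024:31) : avc:  denied  { signull } for  pid=1148 comm=NetworkManager scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
type=PROCTITLE msg=audit(01/10/2022 15:35:32.650:49) : proctitle=/usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
type=SYSCALL msg=audit(01/10/2022 15:35:32.650:49) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=0xffffff9c a1=0x7ffe06a54920 a2=O_RDONLY a3=0x0 items=0 ppid=1133 pid=1213 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_nss exe=/usr/libexec/sssd/sssd_nss subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(01/10/2022 15:35:32.650:49) : avc:  denied  { sys_ptrace } for  pid=1213 comm=sssd_nss capability=sys_ptrace  scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability permissive=0
"""

# Regular expressions are this example's own; they match the ausearch -i layout above.
EVENT_ID_RE = re.compile(r"msg=audit\(([^)]+)\)")
SYSCALL_RE = re.compile(
    r"type=SYSCALL .*?syscall=(?P<syscall>\S+)\s+success=(?P<success>\S+)\s+exit=(?P<exit>\S+)"
)
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"pid=(?P<pid>\d+)\s+comm=(?P<comm>\S+).*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_proc_mount_options(fstab_line: str) -> Dict[str, object]:
    """Parse one fstab entry for /proc and extract the hidepid/gid pair.

    Only the fstab column layout (spec, file, vfstype, mntops, freq, passno)
    is handled; /proc/self/mountinfo uses a different layout.
    """
    fields = fstab_line.split()
    if len(fields) < 4 or fields[1] != "/proc":
        raise ValueError("not a /proc fstab entry")
    options: Dict[str, object] = {}
    for opt in fields[3].split(","):
        key, sep, value = opt.partition("=")
        options[key] = value if sep else True
    gid = options.get("gid")
    return {
        # hidepid=2 hides other users' /proc/[pid] directories entirely.
        "hidepid": options.get("hidepid"),
        # Members of this gid are exempt from hidepid and still see every process.
        "gid": int(gid) if isinstance(gid, str) and gid.isdigit() else None,
        "options": options,
    }


@dataclass
class Denial:
    event_id: str
    pid: int
    comm: str
    permissions: Tuple[str, ...]
    tclass: str
    scontext: str
    tcontext: str
    syscall: Optional[str] = None   # filled in from the SYSCALL record, if present
    exit_code: Optional[str] = None  # errno name from the SYSCALL record, if present


def parse_avc_records(lines: List[str]) -> List[Denial]:
    """Collect AVC denials and join each to its SYSCALL record by audit serial."""
    syscalls: Dict[str, Tuple[str, str]] = {}
    denials: List[Denial] = []
    for raw in lines:
        line = raw.strip()
        m_id = EVENT_ID_RE.search(line)
        if not m_id:
            continue
        event_id = m_id.group(1)
        if line.startswith("type=SYSCALL"):
            m = SYSCALL_RE.search(line)
            if m:
                # "EACCES(Permission denied)" -> "EACCES"
                syscalls[event_id] = (m.group("syscall"), m.group("exit").split("(")[0])
        elif line.startswith("type=AVC"):
            m = AVC_RE.search(line)
            if m:
                denials.append(Denial(
                    event_id=event_id, pid=int(m.group("pid")), comm=m.group("comm"),
                    permissions=tuple(m.group("perms").split()), tclass=m.group("tclass"),
                    scontext=m.group("scontext"), tcontext=m.group("tcontext")))
    for d in denials:
        if d.event_id in syscalls:
            d.syscall, d.exit_code = syscalls[d.event_id]
    return denials


def describe(d: Denial) -> str:
    """One-line summary, e.g. for a report to the policy or service maintainers."""
    perms = ",".join(d.permissions)
    via = f" via {d.syscall}() -> {d.exit_code}" if d.syscall else ""
    return f"{d.comm} (pid {d.pid}) denied {perms} on {d.tclass}{via}"


if __name__ == "__main__":
    mount = parse_proc_mount_options(FSTAB_LINE)
    print(f"/proc mounted with hidepid={mount['hidepid']} (exempt gid: {mount['gid']})")
    for denial in parse_avc_records(SAMPLE_AUDIT.splitlines()):
        print(describe(denial))
```

Run against real data, feed `ausearch -i -m AVC,SYSCALL,PROCTITLE --start recent` into `parse_avc_records` and the `/proc` line of `/etc/fstab` into `parse_proc_mount_options`; a `hidepid` value together with `signull` or `sys_ptrace` denials from confined services is the pattern this report describes.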

Comment 1 Renaud Métrich 2022-01-10 15:32:52 UTC
Actually proc(5) manpage documents the options.

Comment 4 Renaud Métrich 2022-01-12 10:22:24 UTC
I'm redirecting this BZ to systemd because systemd QE needs to make sure everything works with "hidepid=2,gid=xxx".
With special properties such as PrivateXXX and ProtectSystem, I doubt this works.

In particular we can see NetworkManager fails to ping nm-online (see BZ #2039725).
On the SSSD side, sssd_nss doesn't seem to work anymore (see BZ #2039730).

Comment 5 David Tardon 2022-01-12 12:46:28 UTC
(In reply to Renaud Métrich from comment #4)
> I'm redirecting this BZ to systemd because systemd QE needs to make sure
> everything works with "hidepid=2,gid=xxx".
> With special properties such as PrivateXXX and ProtectSystem, I doubt this
> works.

It doesn't, see https://github.com/systemd/systemd/issues/12955#issuecomment-508490893 .

Comment 6 Renaud Métrich 2022-01-12 13:50:31 UTC
OK, then we need to have the doc mention this clearly.
Ideally the proc(5) manpage should also have a note stating that this cannot be used on systemd systems.
