Description of problem:

Some customers used "hidepid=2,gid=xxx" in the past (up to RHEL7) to hide processes from other users. With RHEL8, when setting such an option, we can see sys_ptrace and signull AVCs, which seem to prevent normal operations from completing, e.g.

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(01/10/2022 15:35:30.024:31) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/10/2022 15:35:30.024:31) : arch=x86_64 syscall=kill success=no exit=EACCES(Permission denied) a0=0x4a1 a1=SIG0 a2=0x0 a3=0x0 items=0 ppid=1 pid=1148 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/10/2022 15:35:30.024:31) : avc: denied { signull } for pid=1148 comm=NetworkManager scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Here above NetworkManager tries to "ping" the NetworkManager-wait-online process, and

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(01/10/2022 15:35:32.650:49) : proctitle=/usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
type=SYSCALL msg=audit(01/10/2022 15:35:32.650:49) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=0xffffff9c a1=0x7ffe06a54920 a2=O_RDONLY a3=0x0 items=0 ppid=1133 pid=1213 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_nss exe=/usr/libexec/sssd/sssd_nss subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(01/10/2022 15:35:32.650:49) : avc: denied { sys_ptrace } for pid=1213 comm=sssd_nss capability=sys_ptrace scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Here above "sssd_nss" tries to open /proc/XXX/cmdline to verify the command line, which is typically used to verify who connects to the sssd Unix socket: this happens for "systemd --user" instances which do some sssd query.

The mount(8) manpage on RHEL8 doesn't list the option. The manpage on RHEL7 was only listing the "gid=xxx" option and was stating "I don't know which effect it has" ...

Please clarify whether "hidepid" is still supported as a proc mount option.

Version-Release number of selected component (if applicable):
kernel-4.18.0-348.7.1.el8_5.x86_64 and below

How reproducible:
Always

Steps to Reproduce:
1. Set options in /etc/fstab
   proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1000 0 0
2. Enable sssd
   # yum -y install sssd
   # authselect select sssd
3. Reboot and log in as some user

Actual results:
AVCs

Expected results:

Additional info:
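A check script for the situation described in the report, added here as an example and not part of the bug report or of any Red Hat tooling: it reads a /proc/self/mounts-style listing for a hidepid= option on /proc and flags AVC records whose (permission, tclass) pair matches the signull/sys_ptrace denials quoted above. The mounts text and the AVC lines are constructed samples modelled on the report.

```python
import re

# Constructed samples: a mounts listing matching the fstab line from the
# report, the two AVC records quoted in the description, and one unrelated
# file denial that should not be flagged.
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1000 0 0
"""

SAMPLE_AVCS = [
    "type=AVC msg=audit(01/10/2022 15:35:30.024:31) : avc: denied { signull } for pid=1148 "
    "comm=NetworkManager scontext=system_u:system_r:NetworkManager_t:s0 "
    "tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0",
    "type=AVC msg=audit(01/10/2022 15:35:32.650:49) : avc: denied { sys_ptrace } for pid=1213 "
    "comm=sssd_nss capability=sys_ptrace scontext=system_u:system_r:sssd_t:s0 "
    "tcontext=system_u:system_r:sssd_t:s0 tclass=capability permissive=0",
    "type=AVC msg=audit(01/10/2022 15:36:00.000:52) : avc: denied { read } for pid=2000 "
    "comm=foo scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:etc_t:s0 "
    "tclass=file permissive=0",
]

def proc_hidepid(mounts_text):
    """Return the hidepid= value of the /proc mount, or None when it is not set."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            for opt in fields[3].split(","):
                if opt.startswith("hidepid="):
                    return opt.split("=", 1)[1]
    return None

AVC_RE = re.compile(r"avc: +denied +\{ ([^}]*)\} for .*?comm=(\S+) .*?tclass=(\S+)")

# (permission, tclass) pairs that the report attributes to hidepid=2 hiding
# other users' /proc entries from confined services.
HIDEPID_SIGNATURE = {("signull", "process"), ("sys_ptrace", "capability")}

def hidepid_suspects(avc_lines):
    """Return (comm, permission, tclass) for each denial matching the signature."""
    out = []
    for line in avc_lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        perms, comm, tclass = m.group(1).split(), m.group(2), m.group(3)
        out.extend((comm, p, tclass) for p in perms if (p, tclass) in HIDEPID_SIGNATURE)
    return out

if __name__ == "__main__":
    print("hidepid on /proc:", proc_hidepid(SAMPLE_MOUNTS))
    for suspect in hidepid_suspects(SAMPLE_AVCS):
        print("denial consistent with hidepid:", suspect)
```

On a live host, feed it the contents of /proc/self/mounts and the output of `ausearch -m AVC` instead of the constructed samples.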
Actually proc(5) manpage documents the options.
I'm redirecting this BZ to systemd because systemd QE needs to make sure everything works with "hidepid=2,gid=xxx". With special properties such as PrivateXXX and ProtectSystem, I doubt this works. In particular we can see NetworkManager fails to ping nm-online (see BZ #2039725). On the SSSD side, sssd_nss doesn't seem to work anymore (see BZ #2039730).
(In reply to Renaud Métrich from comment #4)
> I'm redirecting this BZ to systemd because systemd QE needs to make sure
> everything works with "hidepid=2,gid=xxx".
> With special properties such as PrivateXXX and ProtectSystem, I doubt this
> works.

It doesn't, see https://github.com/systemd/systemd/issues/12955#issuecomment-508490893 .
OK, then we need to have the doc mention this clearly. Ideally the proc(5) should also have a note stating that this cannot be used on systemd systems.
Release note published: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.5_release_notes/index#BZ-2038929 as well as the related KCS: https://access.redhat.com/solutions/6704531