Bug 2038929 - Please clarify whether "hidepid" is still supported as proc mount option
Summary: Please clarify whether "hidepid" is still supported as proc mount option
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: Documentation
Version: 8.5
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Šárka Jana
QA Contact:
Šárka Jana
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-10 15:09 UTC by Renaud Métrich
Modified: 2022-09-26 14:09 UTC (History)

Fixed In Version:
Doc Type: Deprecated Functionality
Doc Text:
.The `hidepid=n` mount option is not supported in RHEL 8 `systemd`
The mount option `hidepid=n`, which controls who can access information in `/proc/[pid]` directories, is not compatible with `systemd` infrastructure provided in RHEL 8. In addition, using this option might cause certain services started by `systemd` to produce SELinux AVC denial messages and prevent other operations from completing. For more information, see the related Knowledgebase solution link:https://access.redhat.com/solutions/6704531[Is mounting /proc with "hidepid=2" recommended with RHEL7 and RHEL8?].
Clone Of:
Environment:
Last Closed: 2022-02-04 15:59:15 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System                 ID               Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker  RHELPLAN-107302  0        None      None    None     2022-01-10 15:26:20 UTC

Description Renaud Métrich 2022-01-10 15:09:14 UTC
Description of problem:

Some customers used "hidepid=2,gid=xxx" in the past (up to RHEL7) to hide processes from other users.
With RHEL8, when setting such an option, we can see sys_ptrace and signull AVCs, which seem to prevent normal operations from completing, e.g.

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(01/10/2022 15:35:30.024:31) : proctitle=/usr/sbin/NetworkManager --no-daemon 
type=SYSCALL msg=audit(01/10/2022 15:35:30.024:31) : arch=x86_64 syscall=kill success=no exit=EACCES(Permission denied) a0=0x4a1 a1=SIG0 a2=0x0 a3=0x0 items=0 ppid=1 pid=1148 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(01/10/2022 15:35:30.024:31) : avc:  denied  { signull } for  pid=1148 comm=NetworkManager scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Above, NetworkManager tries to "ping" the NetworkManager-wait-online process

and

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(01/10/2022 15:35:32.650:49) : proctitle=/usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files 
type=SYSCALL msg=audit(01/10/2022 15:35:32.650:49) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=0xffffff9c a1=0x7ffe06a54920 a2=O_RDONLY a3=0x0 items=0 ppid=1133 pid=1213 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_nss exe=/usr/libexec/sssd/sssd_nss subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(01/10/2022 15:35:32.650:49) : avc:  denied  { sys_ptrace } for  pid=1213 comm=sssd_nss capability=sys_ptrace  scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability permissive=0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Above, "sssd_nss" tries to open /proc/XXX/cmdline to verify the command line, which is typically used to verify who connects to the sssd Unix socket; this happens for "systemd --user" instances that do some sssd query.

The mount(8) manpage on RHEL8 doesn't list the option. The manpage on RHEL7 only listed the "gid=xxx" option and stated "I don't know which effect it has" ...

Please clarify whether "hidepid" is still supported as proc mount option.

Version-Release number of selected component (if applicable):

kernel-4.18.0-348.7.1.el8_5.x86_64 and below

How reproducible:

Always

Steps to Reproduce:
1. Set options in /etc/fstab

  proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1000 0 0

2. Enable sssd

  # yum -y install sssd
  # authselect select sssd

3. Reboot and log in as some user

Actual results:

AVCs

Expected results:


Additional info:
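A check for the mount configuration used in the reproducer above, added here as an example and not part of the bug report: it parses the /proc entry of /proc/self/mountinfo, reports the hidepid level and whether a process with the given gids falls under the restriction (the SAMPLE_MOUNTINFO text is constructed to mirror the fstab line from the steps).

```python
"""Detect a hidepid-restricted /proc mount, the configuration this bug reports.
Added example, not part of the bug report. SAMPLE_MOUNTINFO is constructed to mirror
the reproducer's fstab line; check_running_system() reads the live /proc/self/mountinfo."""
import os
from typing import Optional

SAMPLE_MOUNTINFO = """\
22 62 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw,seclabel
23 62 0:5 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw,hidepid=2,gid=1000
62 0 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/rhel-root rw,seclabel,attr2
"""
# Kernel 5.8+ also accepts symbolic values; RHEL 8's 4.18 kernel takes 0/1/2.
HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}

def parse_proc_options(mountinfo: str) -> Optional[dict]:
    """Options of the /proc mount (per-mount and superblock options merged), or None."""
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[4] != "/proc":
            continue
        sep = fields.index("-")  # ends the optional fields; fs type, source, super opts follow
        opts = {}
        for item in (fields[5] + "," + fields[sep + 3]).split(","):
            key, _, value = item.partition("=")
            opts[key] = value
        return opts
    return None

def hidepid_level(opts: dict) -> int:
    """Numeric hidepid level; 0 when the option is absent or unrecognised."""
    value = opts.get("hidepid", "0")
    return HIDEPID_NAMES.get(value, int(value) if value.isdigit() else 0)

def visibility_restricted(opts: dict, gids: set) -> bool:
    """True when a process with these gids cannot read other users' /proc/[pid].
    Only the gid= group and CAP_SYS_PTRACE holders are exempt; the sys_ptrace AVC in the
    report is root's sssd_nss hitting exactly that capability check under SELinux."""
    if hidepid_level(opts) == 0:
        return False
    exempt = opts.get("gid", "")
    return not (exempt.isdigit() and int(exempt) in gids)

def check_running_system() -> Optional[bool]:
    """Evaluate the live mount table for the calling process; None if /proc is not found."""
    with open("/proc/self/mountinfo") as fh:
        opts = parse_proc_options(fh.read())
    gids = set(os.getgroups()) | {os.getgid()}
    return None if opts is None else visibility_restricted(opts, gids)
```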

Comment 1 Renaud Métrich 2022-01-10 15:32:52 UTC
Actually proc(5) manpage documents the options.

Comment 4 Renaud Métrich 2022-01-12 10:22:24 UTC
I'm redirecting this BZ to systemd because systemd QE needs to make sure everything works with "hidepid=2,gid=xxx".
With special properties such as PrivateXXX and ProtectSystem, I doubt this works.

In particular we can see NetworkManager fails to ping nm-online (see BZ #2039725).
On the SSSD side, sssd_nss doesn't seem to work anymore (see BZ #2039730).

Comment 5 David Tardon 2022-01-12 12:46:28 UTC
(In reply to Renaud Métrich from comment #4)
> I'm redirecting this BZ to systemd because systemd QE needs to make sure
> everything works with "hidepid=2,gid=xxx".
> With special properties such as PrivateXXX and ProtectSystem, I doubt this
> works.

It doesn't, see https://github.com/systemd/systemd/issues/12955#issuecomment-508490893 .

Comment 6 Renaud Métrich 2022-01-12 13:50:31 UTC
OK, then we need to have the doc mention this clearly.
Ideally the proc(5) should also have a note stating that this cannot be used on systemd systems.

