Bug #16074
Re-enable hidepid
Description
When porting to Jessie we’ve tried to enable the hidepid=2 hardening feature but we reverted it as it broke stuff (e.g. Bug #8256). It seems one can make hidepid=2 work:
- pass the gid=<gid> mount option for /proc
- give systemd-logind.service the SupplementaryGroups=<gid> option
- possibly some more services need to have SupplementaryGroups=<gid>, e.g. polkitd; testing will tell
- add the polkitd user to the <gid> group
See https://wiki.debian.org/Hardening#Mounting_.2Fproc_with_hidepid for details and possibly more up-to-date info.
Related issues: Blocked by Tails - (Resolved)
History
#1 Updated by intrigeri 2018-10-25 09:25:35
- Type of work changed from Code to Test
I’ll try that on my own system and if it’s good enough there, chances are that it’ll work for Tails too :)
#2 Updated by intrigeri 2018-12-28 10:13:04
- Description updated
#3 Updated by denkxor 2019-11-06 21:49:56
I started implementing this here: https://gitlab.com/denkxor/tails/tree/bug/16074-re-enable-hidepid
I don’t know how to modify the systemd-logind unit file because I could not find it. Could anybody point me to the location where I can find the systemd unit files?
#4 Updated by intrigeri 2019-11-09 09:16:16
> I started implementing this […]
Great!
> I don’t know how to modify the systemd-logind unit file because i could not find it. Could anybody point me to the location where I can find the systemd unit files?
systemctl status systemd-logind will tell you where the unit file lives, that is: /lib/systemd/system/systemd-logind.service.
But we don’t modify unit files directly, instead we use drop-in snippets to amend them. The link in the ticket description documents how to do so for this very use case :)
#5 Updated by denkxor 2019-11-15 22:29:46
intrigeri wrote:
> But we don’t modify unit files directly, instead we use drop-in snippets to amend them. The link in the ticket description documents how to do so for this very use case :)
Oops, sorry, missed that. Thank you for the hint.
I updated the above branch. ATM I have no setup to build tails images or run automatic tests myself, so would be great if someone could do so.
#6 Updated by intrigeri 2019-11-16 07:42:44
- Status changed from Confirmed to In Progress
- Assignee changed from intrigeri to denkxor
Hi!
> I updated the above branch.
Great, thanks!
This looks mostly good to me. In particular, I really appreciate the detailed commit messages! :)
Two comments:
- I’d rather use a GID > 150 for the newly introduced group. Rationale: we’ve had lots of trouble with shifting UIDs/GIDs (see e.g. config/chroot_local-hooks/04-change-gids-and-uids) and picking a larger one decreases the risk this new group will itself cause trouble further down the road.
- I think I’d slightly prefer if the mount options were set in config/chroot_local-includes/etc/fstab, i.e. in a declarative manner, and the config/chroot_local-includes/lib/live/config/1000-remount-procfs script only remounted /proc. FWIW, that’s how hidepid was implemented initially: commit:c77ddc0a81a37721f36b44741f21908994571b08 and commit:18f6064f68175e4ccf22bf4ac0c120c9f90ead11. What do you think? I’m not completely stuck on this opinion.
At this stage, feel free to rewrite the history of your branch to implement these follow-up fixes.
> ATM I have no setup to build tails images or run automatic tests myself, so would be great if someone could do so.
Sure, a Foundations Team member will do this once the code review passes :)
Lastly, I’ve given you “Contributor” status here, so you can now update metadata on this ticket, which you’ll need for submitting your branch via the documented process :)
#7 Updated by denkxor 2019-11-23 14:18:01
- Status changed from In Progress to Needs Validation
- Assignee changed from denkxor to intrigeri
- Feature Branch set to https://gitlab.com/denkxor/tails/tree/bug/16074-re-enable-hidepid
- Deliverable for set to 272
intrigeri wrote:
> - I’d rather use a GID > 150 for the newly introduced group. Rationale: we’ve had lots of trouble with shifting UIDs/GIDs (see e.g. config/chroot_local-hooks/04-change-gids-and-uids) and picking a larger one decreases the risk this new group will itself cause trouble further down the road.
Good point, I didn’t know if there are rules how to use GIDs. Now GID 151 is used.
> - I think I’d slightly prefer if the mount options were set in config/chroot_local-includes/etc/fstab, i.e. in a declarative manner, and the config/chroot_local-includes/lib/live/config/1000-remount-procfs script only remounted /proc. FWIW, that’s how hidepid was implemented initially: commit:c77ddc0a81a37721f36b44741f21908994571b08 and commit:18f6064f68175e4ccf22bf4ac0c120c9f90ead11. What do you think? I’m not completely stuck on this opinion.
Sounds reasonable, changed this.
> At this stage, feel free to rewrite the history of your branch to implement these follow-up fixes.
Ok, changes are in this branch: https://gitlab.com/denkxor/tails/tree/bug/16074-re-enable-hidepid
Would be great if someone could review this. I’m worried that simply adding a /etc/fstab file could break things, since when you boot tails there is a non-empty /etc/fstab file. But I don’t know how all this is expected to work.
#8 Updated by intrigeri 2019-11-28 18:44:13
- Blocked by Bug #17265: devel branch FTBFS since torbrowser-launcher 0.3.2-4 was uploaded to sid added
#9 Updated by intrigeri 2019-11-28 18:47:04
- Feature Branch changed from https://gitlab.com/denkxor/tails/tree/bug/16074-re-enable-hidepid to bug/16074-re-enable-hidepid+force-all-tests
Code review passes, woohoo! I’ve pushed your branch to our CI. Builds and tests will run there once we’ve fixed Bug #17265.
#10 Updated by intrigeri 2019-11-28 18:55:01
- Target version set to Tails_4.5
- Type of work changed from Test to Code
This is subject to change, but for now our next major release is supposed to be 4.5. The topic branch is based on devel which is used to build major releases (https://tails.boum.org/contribute/git/#branches); regardless, I’d feel slightly more comfortable if this went in a RC first. If someone disagrees and prefers seeing this released earlier, I’m open to discussing it.
#11 Updated by intrigeri 2019-12-14 11:41:28
- Status changed from Needs Validation to In Progress
- Assignee changed from intrigeri to denkxor
Hi denkxor!
This branch fails to build for me:
10:23:40 Creating the procfs group
10:23:40 adduser: The user `polkitd' does not exist.
10:23:40 E: config/chroot_local-hooks/06-addgroup-procfs-mount failed (exit non-zero). You should check for errors.
FWIW, on my Debian sid (GNOME) system, I have no polkitd user.
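The following is an added example, not code from the Tails branch or from anyone in this thread. It puts the steps from the ticket description into a small POSIX shell script: a declarative /proc line in /etc/fstab with hidepid=2 and gid=, a drop-in giving systemd-logind the SupplementaryGroups= option, and a guarded group membership step that skips accounts which do not exist, which is exactly the failure the build log in #11 shows (adduser aborting the hook because there was no polkitd user). The group name procfs and GID 151 are taken from the thread; the ROOT staging directory (so the file-writing parts can run unprivileged against a chroot tree), the drop-in file name hidepid.conf and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Tails code): stage hidepid=2 for /proc with a dedicated group.
# Assumptions: group "procfs" / GID 151 as discussed in the ticket; ROOT is a
# staging tree (e.g. a chroot) so the file-writing steps need no privileges.
set -eu

PROC_GROUP="${PROC_GROUP:-procfs}"
PROC_GID="${PROC_GID:-151}"
ROOT="${ROOT:-/}"

# The /proc entry for /etc/fstab, kept declarative as suggested in the review.
# gid= lets members of the group still see all processes (needed by logind/polkitd).
fstab_line() {
    printf 'proc /proc proc defaults,hidepid=2,gid=%s 0 0\n' "$PROC_GID"
}

# Replace any existing /proc line instead of appending a duplicate, then add ours.
write_fstab() {
    mkdir -p "$ROOT/etc"
    if [ -f "$ROOT/etc/fstab" ]; then
        grep -v '[[:space:]]/proc[[:space:]]' "$ROOT/etc/fstab" > "$ROOT/etc/fstab.tmp" || true
        mv "$ROOT/etc/fstab.tmp" "$ROOT/etc/fstab"
    fi
    fstab_line >> "$ROOT/etc/fstab"
}

# Drop-in snippet: amend systemd-logind.service without editing the unit itself.
write_logind_dropin() {
    d="$ROOT/etc/systemd/system/systemd-logind.service.d"
    mkdir -p "$d"
    printf '[Service]\nSupplementaryGroups=%s\n' "$PROC_GROUP" > "$d/hidepid.conf"
}

# Does the account exist on this system (or in this chroot)?
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Add a user to the group only if the account exists; returns 1 (without
# aborting the script) when it does not, so an image build hook survives
# a missing polkitd account instead of failing like in comment #11.
add_user_if_present() {
    if user_exists "$1"; then
        echo "adding $1 to $PROC_GROUP"
        adduser "$1" "$PROC_GROUP"     # requires root; real system only
        return 0
    fi
    echo "skipping $1: no such user" >&2
    return 1
}

# The remount step the live-config script is left with (requires root).
remount_proc() {
    mount -o remount /proc
}

# Check a mounts table (e.g. /proc/mounts) for an effective hidepid setting.
# Kernels 5.8+ report hidepid=2 back as hidepid=invisible, so accept both.
proc_has_hidepid() {
    awk '$2 == "/proc" && $4 ~ /(^|,)hidepid=(2|invisible)(,|$)/ { found = 1 }
         END { exit !found }' "$1"
}

# Typical use inside a build hook:
#   ROOT=/path/to/chroot sh this.sh   (then in the chroot: addgroup --gid 151 procfs)
#   write_fstab; write_logind_dropin; add_user_if_present polkitd || true
```

Running it against a staging root leaves the fstab entry and the drop-in in place; the polkitd step is the only part that depends on the target having that account, and the script reports and skips it rather than aborting the build. After boot, `proc_has_hidepid /proc/mounts` is a quick way to confirm the option actually took effect.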
#12 Updated by intrigeri 2020-03-22 06:48:59
- Target version deleted (Tails_4.5)
(Let’s set a target version again once there’s a branch ready :)