Process namespaces and hidepid both place restrictions on processes seeing each other, as can security modules. Unsure if that's what they're referring to and don't feel like trying to find that in a video.
I'd understand that from normal users, but root on Linux should show all pids (or have an option to show them). Yeah, need more info on this to understand fully. Watching the video now but don't really want to scan back to find it either.
Unconstrained root in the top-level namespace can see all the processes. There isn't necessarily any actual root on a system after early boot, since root can restrict itself with MAC/MLS via security modules, or could set up namespaces and enter those without staying in the top level.
There are a lot of variables, and for example on Android the Unix permission model is barely even relevant anymore for most things, despite still being used as a basic layer, since the SELinux MAC/MLS policies are so much stricter and finer-grained, so not that much falls through.
A few years ago, I helped to get hidepid=2 upstream for Android, but it isn't very relevant anymore. Modern apps each have a unique MLS label, so despite all being in the same untrusted_app MAC domain they can't see each other, even if they didn't have a per-app-per-user uid/gid.
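The hidepid option discussed above is a procfs mount option, so the quickest way to tell what a given box actually enforces is to read the mount table. The following is an added example written for this thread, not code posted by any participant: it parses /proc/mounts-style lines, normalises the numeric and named forms of hidepid (0/off, 1/noaccess, 2/invisible, 4/ptraceable) and reports the gid= exemption group if one is set. The mount lines in SAMPLE_MOUNTS are constructed for the example, and the helper names (parse_proc_mounts, hidepid_report, visible_pids) are this example's own, not a real library's API.

```python
"""Report hidepid enforcement for every procfs mount in a mount table.

Added example for this thread, not code from any participant. The
SAMPLE_MOUNTS text below is constructed; on a live host you would feed
it the contents of /proc/mounts instead.
"""
import os

# Constructed mount-table lines in /proc/mounts format:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /sandbox/proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1001 0 0
proc /other/proc proc rw,relatime,hidepid=invisible 0 0
"""

# Named hidepid values accepted by newer kernels, mapped to the numeric
# levels older kernels use. ptraceable (4) hides every process the caller
# could not ptrace, which is stricter than invisible (2).
HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}


def parse_proc_mounts(text):
    """Return {mountpoint: {option: value}} for every procfs mount.

    /proc/mounts escapes a space in a path as the octal sequence \\040,
    so decode that rather than splitting such a path into two fields.
    """
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "proc":
            continue  # not a procfs mount (or a malformed line)
        mountpoint = fields[1].replace("\\040", " ")
        opts = {}
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            opts[key] = value  # flag options get the empty string
        mounts[mountpoint] = opts
    return mounts


def hidepid_level(opts):
    """Normalise a mount's hidepid option to an integer; absent means 0."""
    raw = opts.get("hidepid", "")
    if raw == "":
        return 0
    if raw in HIDEPID_NAMES:
        return HIDEPID_NAMES[raw]
    return int(raw)


def hidepid_report(text):
    """Return {mountpoint: (hidepid_level, exempt_gid_or_None)}.

    Processes in the gid= group still see everything even when hidepid
    is 2, so a report that shows the level alone would be misleading.
    """
    report = {}
    for mountpoint, opts in parse_proc_mounts(text).items():
        gid = int(opts["gid"]) if opts.get("gid") else None
        report[mountpoint] = (hidepid_level(opts), gid)
    return report


def visible_pids(proc_root="/proc"):
    """PIDs the calling process can see through a procfs mount.

    Only numeric directory names are process entries. Under hidepid=2 an
    unprivileged caller outside the gid= group sees just its own
    processes, so comparing this list as root and as a normal user is a
    direct check of what the mount option actually hides.
    """
    return sorted(int(name) for name in os.listdir(proc_root) if name.isdigit())


if __name__ == "__main__":
    for mountpoint, (level, gid) in hidepid_report(SAMPLE_MOUNTS).items():
        exempt = f", exempt gid {gid}" if gid is not None else ""
        print(f"{mountpoint}: hidepid={level}{exempt}")
```

Run it as a normal user and then as root (or as a member of the gid= group) and compare `visible_pids()` against `hidepid_report(open("/proc/mounts").read())`: a host that mounts /proc without hidepid, or with a broad gid= exemption, is exactly the "root should show all pids" case the replies above are arguing about, while a PID namespace hides processes regardless of this option.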
This reminds me of someone I came across on FreeBSD; they ran with an init_script that would cpuset init down to half or so of the CPUs on the system so that everything else spawns with only half. It'd be kind of neat to run everything under init in jails, but I guess that's a