Re: [RFC][PATCH] Simple privacy enhancement for /proc/<pid>

On Sun, 10 Apr 2005, Rene Scharfe wrote:

> First, configuring via kernel parameters is sufficient.

I don't remember: Would a mount option be equally easy to implement?
(Kernel parameters are OK for me, too.)

> I have another idea: let's keep the details of _every_ process owned by
> user root readable by anyone.

What about SUID processes acting on behalf of users?

> -	processor.max_cstate=   [HW, ACPI]
> -			Limit processor to maximum C-state
> -			max_cstate=9 overrides any DMI blacklist limit.
> -

This seems to belong in another patch.



(in pid_revalidate:)
What about moving the things around? (just editing in the MUA)

> +		if (IS_PID_DIR(proc_type(inode)) || task_dumpable(task)) {
>  			inode->i_uid = task->euid;
> +			inode->i_gid = proc_gid;
> +			if (!proc_privacy || IS_PID_DIR(proc_type(inode)))
>  				inode->i_gid = task->egid;
>  		} else {
>  			inode->i_uid = 0;
>  			inode->i_gid = 0;
>  		}
>  		security_task_to_inode(task, inode);
>  		return 1;
>  	}
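Review bot: in the pid_revalidate hunk, `inode->i_gid = proc_gid;` is stored and then immediately overwritten by `inode->i_gid = task->egid;` whenever `!proc_privacy || IS_PID_DIR(proc_type(inode))` holds, so the non-privacy path writes i_gid twice; an if/else that assigns i_gid exactly once (task->egid for the pid directory or when privacy is off, proc_gid otherwise) would make the privacy-on/privacy-off split explicit. The same block also calls IS_PID_DIR(proc_type(inode)) twice; evaluating it once into a local before the outer if would avoid the repeated lookup.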

BTW: You might be able to cache IS_PID_DIR(). It looks like it would be a gain.

> @@ -1454,6 +1468,11 @@ static struct dentry *proc_pident_lookup

> +		if (proc_privacy == 2 || task->euid != 0)
                                                   ^^^^^
redundant.
-- 
Funny quotes:
27. If people from Poland are called Poles, why aren't people from Holland
    called Holes?