This patch changes the permissions of the following procfs entries to restrict non-root users from accessing them: - /proc/devices - /proc/cmdline - /proc/version - /proc/uptime - /proc/cpuinfo - /proc/partitions - /proc/stat - /proc/interrupts - /proc/slabinfo - /proc/diskstats - /proc/modules - /proc/schedstat It's also available at: http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_fs_proc_proc_misc.c.patch -- Lorenzo Hernández García-Hierro <[email protected]> [1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
diff -puN fs/proc/proc_misc.c~proc-privacy-1 fs/proc/proc_misc.c
--- linux-2.6.11/fs/proc/proc_misc.c~proc-privacy-1 2005-04-17 18:09:40.615791096 +0200
+++ linux-2.6.11-lorenzo/fs/proc/proc_misc.c 2005-04-17 18:20:13.763538008 +0200
@@ -552,18 +552,14 @@ void __init proc_misc_init(void)
 int (*read_proc)(char*,char**,off_t,int,int*,void*);
 } *p, simple_ones[] = {
 {"loadavg", loadavg_read_proc},
- {"uptime", uptime_read_proc},
 {"meminfo", meminfo_read_proc},
- {"version", version_read_proc},
 #ifdef CONFIG_PROC_HARDWARE
 {"hardware", hardware_read_proc},
 #endif
 #ifdef CONFIG_STRAM_PROC
 {"stram", stram_read_proc},
 #endif
- {"devices", devices_read_proc},
 {"filesystems", filesystems_read_proc},
- {"cmdline", cmdline_read_proc},
 {"locks", locks_read_proc},
 {"execdomains", execdomains_read_proc},
 {NULL,}
@@ -571,25 +567,30 @@ void __init proc_misc_init(void)
 for (p = simple_ones; p->name; p++)
 create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
+ create_proc_read_entry("devices", S_IRUSR, NULL, &devices_read_proc, NULL);
+ create_proc_read_entry("cmdline", S_IRUSR, NULL, &cmdline_read_proc, NULL);
+ create_proc_read_entry("version", S_IRUSR, NULL, &version_read_proc, NULL);
+ create_proc_read_entry("uptime", S_IRUSR, NULL, &uptime_read_proc, NULL);
+
 proc_symlink("mounts", NULL, "self/mounts");
 /* And now for trickier ones */
 entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
 if (entry)
 entry->proc_fops = &proc_kmsg_operations;
- create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
- create_seq_entry("partitions", 0, &proc_partitions_operations);
- create_seq_entry("stat", 0, &proc_stat_operations);
- create_seq_entry("interrupts", 0, &proc_interrupts_operations);
- create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
+ create_seq_entry("cpuinfo", S_IRUSR, &proc_cpuinfo_operations);
+ create_seq_entry("partitions", S_IRUSR, &proc_partitions_operations);
+ create_seq_entry("stat", S_IRUSR, &proc_stat_operations);
+ create_seq_entry("interrupts", S_IRUSR, &proc_interrupts_operations);
+ create_seq_entry("slabinfo",S_IWUSR|S_IRUSR,&proc_slabinfo_operations);
 create_seq_entry("buddyinfo",S_IRUGO, &fragmentation_file_operations);
 create_seq_entry("vmstat",S_IRUGO, &proc_vmstat_file_operations);
- create_seq_entry("diskstats", 0, &proc_diskstats_operations);
+ create_seq_entry("diskstats", S_IRUSR, &proc_diskstats_operations);
 #ifdef CONFIG_MODULES
- create_seq_entry("modules", 0, &proc_modules_operations);
+ create_seq_entry("modules", S_IRUSR, &proc_modules_operations);
 #endif
 #ifdef CONFIG_SCHEDSTATS
- create_seq_entry("schedstat", 0, &proc_schedstat_operations);
+ create_seq_entry("schedstat", S_IRUSR, &proc_schedstat_operations);
 #endif
 #ifdef CONFIG_PROC_KCORE
 proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
_
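Review bot: The new `create_seq_entry("stat", S_IRUSR, …)`, `"uptime"`, `"cpuinfo"` and `"diskstats"` registrations make files that ordinary unprivileged monitoring tools read root-only unconditionally, with no Kconfig option or boot parameter to retain the previous mode, so the hunk trades compatibility for privacy without giving an administrator a choice; at minimum the rationale should be recorded above the block, e.g. `/* Root-only: these entries expose hardware, load and kernel-layout details to every local user. */`, and a config knob would let the restriction be opted into. The loop two lines above still passes mode `0` for the remaining `simple_ones` entries, which the proc core presumably expands to a default (world-readable) mode — worth confirming, since it means the split between "restricted" and "default" now lives in two places. As a point of style, the four `create_proc_read_entry(…, &devices_read_proc, …)` calls take the handler's address with `&` while the surviving table entries pass the bare function name; adding a `mode` member to the `simple_ones` struct and reading `p->mode` in the loop would keep every entry table-driven and remove the four duplicated calls (the table itself is in the previous hunk). `proc_misc_init` continues past the end of this hunk.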