suggestion: make /proc/net/tcp and /proc/net/tcp6 better

PostPosted: Fri Dec 29, 2006 11:26 am
by djGrrr
[12:56:19] ircd@drone:~> netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
/proc/net/tcp: Permission denied

What I was thinking is that it should be like the processes, where it would allow access to that file, but only contain the connections/sockets that are owned by the current user (this is the way that BSD does it).

If this was added to the grsecurity patch it would make it that much better :)
I'm sure there are many more people who would like to see this as well.

PostPosted: Tue Jan 02, 2007 7:07 pm
by spender
I like this idea, and will look into implementing it for 2.1.10.

-Brad

PostPosted: Wed Jan 03, 2007 6:14 am
by djGrrr
I didn't even think about this when I suggested this:
there are various other files in /proc/net that should do the same.
udp, udp6, unix, and raw/raw6 maybe? Not sure if raw/raw6 has user tracking.
Any other files that have connection tracking, but no user tracking, should be readable, but only contain the header line, and the actual status should show as empty for restricted users.
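To make the proposed behaviour concrete, here is an added example (not code from the thread or from grsecurity) that parses the /proc/net/tcp table format and applies the suggested filter: a restricted user still gets the header line, but only the rows whose uid column matches their own. The table contents are constructed sample data, and the address decoding assumes a little-endian host, where the kernel prints each IPv4 address as a byte-reversed hex word.

```python
import socket

# Constructed sample in the /proc/net/tcp layout (not captured from a real host):
# columns are sl, local_address, rem_address, st, tx_queue:rx_queue,
# tr:tm->when, retrnsmt, uid, timeout, inode, followed by kernel internals.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:1A0B 0E02000A:0016 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
"""

# Socket state codes as used in the st column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(field: str) -> tuple:
    """Turn 'AABBCCDD:PPPP' into ('d.c.b.a', port).

    On a little-endian host the kernel prints the in_addr as one reversed
    32-bit hex word, so the bytes are flipped back before formatting.
    """
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1]), int(port_hex, 16)


def filter_proc_net_tcp(text: str, uid: int) -> str:
    """Render the table as the proposal would show it to an unprivileged
    user with this uid: the header line always, data rows only where the
    socket's uid column matches (a user with no sockets sees just the header)."""
    header, *rows = text.splitlines()
    kept = [row for row in rows if int(row.split()[7]) == uid]
    return "\n".join([header, *kept]) + "\n"


def parse_rows(text: str) -> list:
    """Decode each data row into the fields netstat would display."""
    entries = []
    for row in text.splitlines()[1:]:
        f = row.split()
        entries.append({
            "local": decode_endpoint(f[1]),
            "remote": decode_endpoint(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return entries
```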

PostPosted: Mon Feb 05, 2007 1:17 pm
by djGrrr
I'm wondering, has there been any update on this yet?

PostPosted: Wed Feb 07, 2007 10:17 pm
by spender
I looked into it, and there doesn't seem to be any unified, clean way of doing it. It'd involve a lot of messy code for what in the end will just be a feature that adds only privacy, not security.

-Brad