[PATCH] GRKERNSEC_PROC_VERSION
Posted: Sun Dec 05, 2010 6:48 pm
The following patch will restrict the output of /proc/version for non-root users.
Feedback welcome.
diff -ruPN rthink-grsec//fs/proc/version.c rthink-patched//fs/proc/version.c
--- rthink-grsec//fs/proc/version.c 2010-12-05 16:51:23.000000000 -0500
+++ rthink-patched//fs/proc/version.c 2010-12-05 17:28:11.000000000 -0500
@@ -16,6 +16,11 @@
static int version_proc_open(struct inode *inode, struct file *file)
{
+#ifdef CONFIG_GRKERNSEC_PROC_VERSION
+ const struct cred *cred = current_cred();
+ if (cred->fsuid)
+ return -EPERM;
+#endif
return single_open(file, version_proc_show, NULL);
}
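Review bot: the `if (cred->fsuid)` test in version_proc_open() keys the restriction on a non-zero fsuid rather than on a capability. A task with fsuid 0 passes whatever capabilities it has dropped, and a task that holds capabilities under a non-zero fsuid is refused. If uid-based gating is the intent, state it in the Kconfig help; otherwise a capable() check would express "privileged" more precisely. The local `cred` is used only once, so `if (current_fsuid()) return -EPERM;` would avoid the declaration inside the #ifdef. The patch touches only the open handler, so nothing here changes the permissions the entry is created with. If the file is still listed as readable while open() returns -EPERM, that mismatch is worth a comment in the code.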
diff -ruPN rthink-grsec//grsecurity/Kconfig rthink-patched//grsecurity/Kconfig
--- rthink-grsec//grsecurity/Kconfig 2010-12-05 16:51:23.000000000 -0500
+++ rthink-patched//grsecurity/Kconfig 2010-12-05 17:29:45.000000000 -0500
@@ -413,6 +413,12 @@
/proc that keep normal users from viewing device information and
slabinfo information that could be useful for exploits.
+config GRKERNSEC_PROC_VERSION
+ bool "Restrict /proc/version"
+ depends on GRKERNSEC_PROC
+ help
+ If you say Y here, non-root users will not be able to access /proc/version
+
config GRKERNSEC_LINK
bool "Linking restrictions"
help
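Review bot: the help text for GRKERNSEC_PROC_VERSION is a single unterminated sentence that says what is blocked but not why, unlike the neighbouring entry, which explains that the hidden information "could be useful for exploits". Expand it to give the rationale and to state the user-visible effect: per the version.c hunk, opening /proc/version as a non-root fsuid fails with EPERM, so unprivileged scripts that read the file will break. Also wrap the help line to match the surrounding entries and end it with a period.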