override "denied read of sensitive /proc/pid/environ" ?


Post by mnalis » Tue Oct 28, 2014 6:54 am

Is there a way to allow some subject to override "denied read of sensitive /proc/pid/environ entry"?

I have GRKERNSEC_PROC_MEMMAP enabled, and would like that protection for ALMOST all subjects. However, I have one subject that needs to access /proc/<pid>/environ (and possibly other per-process data) of other processes (it is an intrusion detection script, which looks at suspicious processes and logs and alerts the admin).

Re: override "denied read of sensitive /proc/pid/environ" ?

Post by spender » Wed Oct 29, 2014 7:15 pm

There isn't -- though I don't see why any legitimate app would be causing such logs. All they need to do is ensure that whatever process opens /proc/pid/environ is the same one that reads from it.

-Brad

Re: override "denied read of sensitive /proc/pid/environ" ?

Post by mnalis » Wed Oct 29, 2014 8:00 pm

Ah, thanks!

I was under the wrong impression that the restriction only allowed process X to read /proc/X/environ (essentially allowing only /proc/self/environ), and not that any process can read /proc/X/environ, provided it is the same process that opened the file!

And the usage case is actually quite simple; the code in question executes a shell helper which does (among other things) something like:
Code:
tr '\000' '\n' < /proc/12659/environ

So, it was the shell that opens the /proc/*/environ, but the tr(1) that reads from it!
I've replaced it with:
Code:
cat /proc/12659/environ | tr '\000' '\n'
and so it should work now (as only cat(1) would both open and read from it).

As an additional bonus, I finally have an excuse for beating down "the useless use of cat award" - it is not ALWAYS useless if one is using grsecurity :-)
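Added example, not part of the thread and not grsecurity code: a Python helper for a monitoring script that opens and reads /proc/<pid>/environ inside one process, following the rule spender states above. It goes beyond the `cat | tr` one-liner by parsing the NUL-separated block into a dict, so values containing newlines or `=` stay intact. The function names and the `proc_root` parameter are hypothetical, introduced here only so the reader can be exercised on a constructed file.

```python
import os
import sys


def parse_environ(raw: bytes) -> dict:
    """Split a NUL-separated environ block into {name: value}."""
    env = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue  # trailing NUL, or an empty block (e.g. kernel threads)
        name, _sep, value = entry.partition(b"=")
        # Entries without '=' are kept with an empty value.
        # fsdecode keeps undecodable bytes as escapes instead of failing.
        env[os.fsdecode(name)] = os.fsdecode(value)
    return env


def read_environ(pid, proc_root="/proc"):
    """Open and read <proc_root>/<pid>/environ in this one process.

    proc_root is a hypothetical parameter added for testing.
    Returns a dict, or None if the process is gone or access is refused.
    """
    path = os.path.join(proc_root, str(pid), "environ")
    try:
        with open(path, "rb") as fh:  # opened by this process ...
            raw = fh.read()           # ... and read by the same process
    except (FileNotFoundError, ProcessLookupError):
        return None  # process exited between being listed and being read
    except PermissionError:
        return None  # not permitted to inspect this process
    return parse_environ(raw)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "self"
    env = read_environ(target)
    if env is None:
        sys.exit(f"cannot read environ of {target}")
    for name, value in sorted(env.items()):
        print(f"{name}={value!r}")
```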
