override "denied read of sensitive /proc/pid/environ" ?

PostPosted: Tue Oct 28, 2014 6:54 am
by mnalis
Is there a way to allow some subject to override "denied read of sensitive /proc/pid/environ entry"?

I have GRKERNSEC_PROC_MEMMAP enabled, and would like that protection for ALMOST all subjects. However, I have one subject that needs to access /proc/<pid>/environ (and possibly other per-process data) of other processes (it is an intrusion detection script, which looks at suspicious processes and logs, and alerts the admin).

Re: override "denied read of sensitive /proc/pid/environ" ?

PostPosted: Wed Oct 29, 2014 7:15 pm
by spender
There isn't -- though I don't see why any legitimate app would be causing such logs. All they need to do is ensure that whatever process opens /proc/pid/environ is the same one that reads from it.

-Brad

Re: override "denied read of sensitive /proc/pid/environ" ?

PostPosted: Wed Oct 29, 2014 8:00 pm
by mnalis
Ah, thanks!

I was under the wrong impression that the restriction only allowed process X to read /proc/X/environ (essentially allowing only /proc/self/environ), and not that any process can read /proc/X/environ, provided it is the same process that opened the file!

And the use case is actually quite simple; the code in question executes a shell helper which does (among other things) something like:

    tr '\000' '\n' < /proc/12659/environ

so it was the shell that opened /proc/*/environ, but tr(1) that read from it!
I've replaced it with:

    cat /proc/12659/environ | tr '\000' '\n'

and so it should work now (as only cat(1) would both open and read from it).

As an additional bonus, I finally have an excuse for beating down the "useless use of cat award" - it is not ALWAYS useless if one is using grsecurity :-)
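The two patterns from the thread side by side, as an added example that is not code from the original posts. It assumes coreutils cat and tr (the '\000' octal escape is standard tr syntax) and a Linux /proc; the function and variable names are my own. On a stock kernel both functions produce the same output, so the difference only shows under GRKERNSEC_PROC_MEMMAP, where the redirected form gets the "denied read of sensitive /proc/pid/environ" log and an empty read.

```sh
#!/bin/sh
# Added example, not code from the thread. It contrasts the two patterns
# discussed above for reading /proc/<pid>/environ under GRKERNSEC_PROC_MEMMAP.

# Denied pattern: the shell sets up the redirection (open) before tr is
# exec'd, so the file is opened by one program and read by another.
# grsecurity rejects the read and logs it.
environ_lines_redirect() {
    tr '\000' '\n' < "$1"
}

# Allowed pattern: cat both opens and reads the file; the pipe only carries
# bytes cat has already read over to tr for NUL-to-newline conversion.
environ_lines_cat() {
    cat -- "$1" | tr '\000' '\n'
}

# Wrapper a monitoring script would call: pid -> one VAR=value per line.
# Ordinary ownership/ptrace access checks on /proc/<pid>/environ still apply;
# this only removes the open-in-one-process, read-in-another split.
dump_process_environ() {
    environ_lines_cat "/proc/$1/environ"
}

# Writes a constructed, NUL-separated environ image into the given file, in the
# same layout the kernel presents, so the conversion can be checked without /proc.
write_sample_environ() {
    printf 'HOME=/root\000PATH=/usr/bin:/bin\000LANG=C\000' > "$1"
}

# Usage: ./environ.sh <pid>
if [ "$#" -gt 0 ]; then
    dump_process_environ "$1"
fi
```

If you would rather avoid the extra cat, the same rule is satisfied by anything that opens and reads in one program, e.g. passing the path as an argument to the tool that does the reading instead of through a shell redirection.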