suggestion: make /proc/net/tcp and /proc/net/tcp6 better

Postby djGrrr » Fri Dec 29, 2006 11:26 am

[12:56:19] ircd@drone:~> netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
/proc/net/tcp: Permission denied

What I was thinking is that it should be like the processes, where it would allow access to that file, but only contain the connections/sockets that are owned by the current user (this is the way that BSD does it).

If this was added to the grsecurity patch it would make it that much better :)
I'm sure there are many more people who would like to see this as well.
djGrrr
 
Posts: 13
Joined: Fri Dec 29, 2006 11:16 am
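The per-user view djGrrr describes can be illustrated from userland with the /proc/net/tcp format itself, since every row already carries the owning uid. The following is an added example, not code from this thread or from grsecurity: it parses constructed /proc/net/tcp text (the sample rows are made up, not a real capture) and keeps only the rows owned by a given uid, which is exactly the filtering the proposal asks the kernel to do.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not a real capture): a root-owned
# listener on port 22, a root-owned loopback session, and one uid-1000 IRC client.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:B2C4 01 00000000:00000000 00:00000000 00000000     0        0 10987 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:E19C 22D8B85D:1A0B 01 00000000:00000000 02:00000A3C 00000000  1000        0 11001 1 0000000000000000 22 4 30 10 -1
"""

# Socket state codes as printed in the "st" column of /proc/net/tcp.
TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
              0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
              0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING"}

def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (ip, port). The kernel prints each 32-bit word of
    the address in host byte order, so on little-endian hosts every word is reversed;
    IPv4 is one word, IPv6 (from /proc/net/tcp6) is four."""
    addr_hex, port_hex = field.split(":")
    raw = b"".join(struct.pack("<I", int(addr_hex[i:i + 8], 16))
                   for i in range(0, len(addr_hex), 8))
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp or /proc/net/tcp6 text into socket records."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        entries.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                        "state": TCP_STATES.get(int(f[3], 16), f[3]),
                        "uid": int(f[7]), "inode": int(f[9])})
    return entries

def sockets_for_uid(text, uid):
    """The restricted view proposed above: only sockets owned by one uid."""
    return [e for e in parse_proc_net_tcp(text) if e["uid"] == uid]

if __name__ == "__main__":
    for e in sockets_for_uid(SAMPLE_TCP, 1000):
        print("%s:%d -> %s:%d %s" % (*e["local"], *e["remote"], e["state"]))
```

On a real system the same code can be pointed at the contents of /proc/net/tcp, which is exactly the file the netstat run in the post could not open.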

Postby spender » Tue Jan 02, 2007 7:07 pm

I like this idea, and will look into implementing it for 2.1.10.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby djGrrr » Wed Jan 03, 2007 6:14 am

I didn't even think about this when I suggested this:
there are various other files in /proc/net that should do the same.
udp, udp6, unix, and raw/raw6 maybe? Not sure if raw/raw6 has user tracking.
Any other files that have connection tracking, but no user tracking, should be readable, but only contain the header line, and the actual status show empty for restricted users.
djGrrr
 
Posts: 13
Joined: Fri Dec 29, 2006 11:16 am

Postby djGrrr » Mon Feb 05, 2007 1:17 pm

I'm wondering, has there been any update on this yet?
djGrrr
 
Posts: 13
Joined: Fri Dec 29, 2006 11:16 am

Postby spender » Wed Feb 07, 2007 10:17 pm

I looked into it, and there doesn't seem to be any unified, clean way of doing it. It'd involve a lot of messy code for what in the end will just be a feature that adds only privacy, not security.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
