hiding /proc/<pid>/ entries for objects with the h flag?

Postby cormander » Fri Mar 14, 2008 4:17 pm

One thing I noticed about the "h" flag is it doesn't hide the fact that the object is actually running.

For example, in my default policy, I have this:

        /usr/sbin/sshd  h

But ps still reveals:

        root      1222  0.0  0.9  4096 1144 ?        Ss   Mar13   0:00 /usr/sbin/sshd

Now if I create a rule like this:

        /proc/1222  h

Then ps won't see "/usr/sbin/sshd" in the tree, that is, until a restart of sshd (or a reboot).

Is there a way to either dynamically hide the /proc/<pid> of an object flagged for being hidden, or have an extra attribute for that?

Since the grsecurity kernel tracks execs of programs anyway, it could also (in theory) check for the h flag (or if you want to give this feature a different flag) and dynamically load/unload the h flag for /proc/<pid> under subjects that aren't supposed to see that object.

Or maybe even make it a kernel .config option, similar to CONFIG_GRKERNSEC_ACL_HIDEKERN; named something like CONFIG_GRKERNSEC_ACL_HIDEFLAG_H.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: hiding /proc/<pid>/ entries for objects with the h flag?

Postby spender » Sun Mar 16, 2008 3:16 pm

"h" for objects is to hide the existence of the file. To hide the existence of a process, you need to create a subject (for sshd in your case) and add "h" to its subject mode. You likely already have a subject for sshd, so just append the "h" to the other subject flags for it.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
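The distinction spender draws, shown as an added RBAC policy fragment (not taken from the thread or from the grsecurity documentation); the enclosing role, the subject's object list and the "o" and "v" subject modes are assumptions of this example, while the two "h" rules come from the posts above:

```text
# Assumed role name; "h" on an OBJECT only hides the file itself from this subject.
# The sshd process keeps a visible /proc/<pid> entry, so ps still lists it.
role default G
subject / o {
        /usr/sbin/sshd  h
}

# "h" in the SUBJECT mode hides the running sshd process (its /proc/<pid> entry)
# for every pid it gets, so no per-pid /proc/1222 rule has to be maintained.
# Object lines below are placeholders; the real subject keeps its existing objects.
subject /usr/sbin/sshd oh {
        /               h
        /etc/ssh        r
}

# Only subjects carrying the "v" mode (assumed here) can still see hidden processes,
# which is where an administrative role's tooling would need it.
subject /usr/bin/ps v {
        /               r
}
```

Check from an ordinary shell with ps and from a subject with the "v" mode; the sshd line should appear only in the second.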

Re: hiding /proc/<pid>/ entries for objects with the h flag?

Postby cormander » Mon Mar 17, 2008 10:36 am

Yes, that works just as I had hoped. Thanks!
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm