[PATCH] GRKERNSEC_PROC_VERSION

Discuss and suggest new grsecurity features

[PATCH] GRKERNSEC_PROC_VERSION

Postby ThinkRob » Sun Dec 05, 2010 6:48 pm

The following patch will restrict the output of /proc/version for non-root users.

Feedback welcome.

Code: Select all
diff -ruPN rthink-grsec//fs/proc/version.c rthink-patched//fs/proc/version.c
--- rthink-grsec//fs/proc/version.c   2010-12-05 16:51:23.000000000 -0500
+++ rthink-patched//fs/proc/version.c   2010-12-05 17:28:11.000000000 -0500
@@ -16,6 +16,11 @@
 
 static int version_proc_open(struct inode *inode, struct file *file)
 {
+#ifdef CONFIG_GRKERNSEC_PROC_VERSION
+   const struct cred *cred = current_cred();
+   if (cred->fsuid)
+      return -EPERM;
+#endif
    return single_open(file, version_proc_show, NULL);
 }
 
diff -ruPN rthink-grsec//grsecurity/Kconfig rthink-patched//grsecurity/Kconfig
--- rthink-grsec//grsecurity/Kconfig   2010-12-05 16:51:23.000000000 -0500
+++ rthink-patched//grsecurity/Kconfig   2010-12-05 17:29:45.000000000 -0500
@@ -413,6 +413,12 @@
      /proc that keep normal users from viewing device information and
      slabinfo information that could be useful for exploits.
 
+config GRKERNSEC_PROC_VERSION
+   bool "Restrict /proc/version"
+   depends on GRKERNSEC_PROC
+   help
+      If you say Y here, non-root users will not be able to access /proc/version
+
 config GRKERNSEC_LINK
    bool "Linking restrictions"
    help
ThinkRob
 
Posts: 10
Joined: Thu Nov 05, 2009 8:43 am

Re: [PATCH] GRKERNSEC_PROC_VERSION

Postby perlish » Mon Feb 07, 2011 9:26 pm

cool stuff!
it makes hacker more difficult to gain localroot.
would you like to commit it into grsecurity.
perlish
 
Posts: 42
Joined: Sun Jan 11, 2004 10:42 pm


Return to grsecurity development