
/proc protection bypass

Posted: Sun Feb 12, 2017 10:28 am
by osea
Someone is [url=https://bling.kapsi.fi/blog/no-proc-process-recon.html]claiming[/url] to subvert /proc restrictions. What other grsec features can I block with?

Re: /proc protection bypass

Posted: Sun Feb 12, 2017 11:37 am
by spender
It's not a bypass; the main point of the /proc restrictions was to prevent access to the contents of the various files in the per-pid directories (for instance, /proc/pid/cmdline, which reveals command-line arguments) and also to lock down info about active network connections, going back to the original implementation by Openwall: http://www.openwall.com/linux/. Earlier implementations didn't even hide the existence of the directories and just relied on filesystem permissions alone (so you could see all the PIDs and who owned them), but sometime in 2.6 that changed because the upstream /proc code was rewritten and it became an easier way to deal with the problem by hiding the directories as well. The interpreter case with TPE is also well documented, i.e., nothing to see here.

-Brad