hiding /proc/<pid>/ entries for objects with the h flag?
Posted: Fri Mar 14, 2008 4:17 pmOne thing I noticed about the "h" flag is it doesn't hide the fact that the object is actually running.
For example, in my default policy, I have this:
But ps still reveals:
Now if I create a rule like this:
Then ps won't see "/usr/sbin/sshd" in the tree, that is, until a restart of sshd (or a reboot).
Is there a way to either dynamically hide the /proc/<pid> of an object flagged for being hidden, or have an extra attribute for that?
Since the grsecurity kernel tracks execs of programs anyway, it could also (in theory) check for the h flag (or if you want to give this features a different flag) and dynamically load/unload the h flag for /proc/<pid> under subjects that aren't supposed to see that object.
Or maybe even make it a kernel .config option, similar to CONFIG_GRKERNSEC_ACL_HIDEKERN; named something like CONFIG_GRKERNSEC_ACL_HIDEFLAG_H
For example, in my default policy, I have this:
- Code: Select all
/usr/sbin/sshd h
But ps still reveals:
- Code: Select all
root 1222 0.0 0.9 4096 1144 ? Ss Mar13 0:00 /usr/sbin/sshd
Now if I create a rule like this:
- Code: Select all
/proc/1222 h
Then ps won't see "/usr/sbin/sshd" in the tree, that is, until a restart of sshd (or a reboot).
Is there a way to either dynamically hide the /proc/<pid> of an object flagged for being hidden, or have an extra attribute for that?
Since the grsecurity kernel tracks execs of programs anyway, it could also (in theory) check for the h flag (or if you want to give this features a different flag) and dynamically load/unload the h flag for /proc/<pid> under subjects that aren't supposed to see that object.
Or maybe even make it a kernel .config option, similar to CONFIG_GRKERNSEC_ACL_HIDEKERN; named something like CONFIG_GRKERNSEC_ACL_HIDEFLAG_H