/proc protection bypass

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

/proc protection bypass

Postby osea » Sun Feb 12, 2017 10:28 am

Someone [url=https://bling.kapsi.fi/blog/no-proc-process-recon.html
]claiming[/url] to subvert /proc restrictions. What other grsec features can I block with?
osea
 
Posts: 21
Joined: Thu Oct 27, 2016 3:17 pm

Re: /proc protection bypass

Postby spender » Sun Feb 12, 2017 11:37 am

It's not a bypass, the main point of the /proc restrictions was to prevent access to the contents of the various files in the per-pid directories (for instance, /proc/pid/cmdline, which reveals commandline arguments) and also to lock down info about active network connections, going back to the original implementation by Openwall: http://www.openwall.com/linux/. Earlier implementations didn't even hide the existence of the directories and just relied on filesystem permissions alone (so you could see all the PIDs and who owned them), but sometime in 2.6 that changed because the upstream /proc code was rewritten and it became an easier way to deal with the problem by hiding the directories as well. The interpreter case with TPE is also well documented. ie. nothing to see here.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support