On Wed, 26 Jan 2005 22:35:18 EST, John Richard Moser said:
> This particular problem pertains to proc_misc.c and trying to create a
> hook for some grsecurity protections that alter the modes on certain
> /proc entries. The chunk of the patch I'm trying to imitate is:
> +#ifdef CONFIG_GRKERNSEC_PROC_ADD
> + create_seq_entry("cpuinfo", gr_mode, &proc_cpuinfo_operations);
> +#else
> create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
> +#endif
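Review bot: the #ifdef wraps the entire create_seq_entry() call just to vary its second argument, so every further /proc entry given this treatment will grow the same three-way #ifdef/#else/#endif block; pick the mode once (e.g. a local `mode` set to gr_mode under CONFIG_GRKERNSEC_PROC_ADD and 0 otherwise) and keep a single `create_seq_entry("cpuinfo", mode, &proc_cpuinfo_operations);` call. Also, gr_mode is used here but its declaration is not part of this hunk; state where it is defined so a reader can confirm it is in scope in proc_misc.c.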
An alternate way to approach this - leave the permissions alone here.
And then use the security_ops->inode_permission() hook to do something like:
if ((inode == cpuinfo) && (current->fsuid))
return -EPERM;
Writing the proper tests for whether it's the inode you want and whether to
give the request the kiss-of-death are left as an exercise for the
programmer.. ;)
You may want to use a properly timed initcall() to create a callback that
happens after proc_misc_init() happens, but before userspace gets going, and
walk through the /proc tree at that time and cache info on the files you care
about, so you don't have to re-walk /proc every time permission() gets
called....
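The hook-based approach sketched in the reply above, worked through as a user-space model. This is an added example, not code from the thread, from grsecurity or from the kernel: the struct names, the cached-entry table, the scenario functions and the inode number 42 are all invented for the model, and it stands in for the real security_ops->inode_permission() signature rather than reproducing it. It also makes one assumption the reply does not state: the cached identity is (superblock, inode number) rather than the struct inode pointer, on the assumption that a procfs inode object can be evicted and re-created at a new address while its number stays fixed.

```c
/* Model of the inode_permission-hook approach: leave the /proc mode alone and
 * have the hook refuse access to one cached inode unless fsuid is 0.
 * Added example; types and names are invented stand-ins, not kernel code. */
#include <errno.h>
#include <stdio.h>

struct super_block { const char *name; };
struct inode {
    struct super_block *i_sb;
    unsigned long i_ino;
};
struct task { unsigned int fsuid; };

/* What the one-shot initcall caches: the identity of the inode to protect.
 * Superblock + inode number is stored instead of the struct inode pointer,
 * assuming the inode object may be re-created later at a different address. */
static struct {
    struct super_block *sb;
    unsigned long ino;
    int valid;
} cpuinfo_entry;

/* Model of the late initcall: runs once after proc_misc_init() and remembers
 * which inode is /proc/cpuinfo so the hook never has to walk /proc. */
int cache_cpuinfo_entry(const struct inode *found)
{
    if (!found)
        return -ENOENT;
    cpuinfo_entry.sb = found->i_sb;
    cpuinfo_entry.ino = found->i_ino;
    cpuinfo_entry.valid = 1;
    return 0;
}

static int is_cpuinfo(const struct inode *inode)
{
    return cpuinfo_entry.valid &&
           inode->i_sb == cpuinfo_entry.sb &&
           inode->i_ino == cpuinfo_entry.ino;
}

/* Model of the inode_permission hook: 0 allows, -EPERM refuses.  Like the
 * sketch in the reply it ignores the access mask and refuses every kind of
 * access to the protected inode unless the caller's fsuid is 0. */
int model_inode_permission(const struct inode *inode, int mask,
                           const struct task *cur)
{
    (void)mask;
    if (is_cpuinfo(inode) && cur->fsuid != 0)
        return -EPERM;
    return 0;
}

/* Constructed scenario data: one procfs superblock, /proc/cpuinfo as inode 42
 * (number chosen for the model) and an unrelated inode 43 on the same sb. */
static struct super_block proc_sb = { "proc" };
static struct inode cpuinfo = { &proc_sb, 42 };
static struct inode other   = { &proc_sb, 43 };
static const struct task root_task = { 0 };
static const struct task user_task = { 1000 };

/* Each scenario returns the hook's verdict.  4 is MAY_READ in Linux. */
int scenario_user_reads_cpuinfo(void)
{
    cache_cpuinfo_entry(&cpuinfo);
    return model_inode_permission(&cpuinfo, 4, &user_task);
}

int scenario_root_reads_cpuinfo(void)
{
    cache_cpuinfo_entry(&cpuinfo);
    return model_inode_permission(&cpuinfo, 4, &root_task);
}

int scenario_user_reads_other_file(void)
{
    cache_cpuinfo_entry(&cpuinfo);
    return model_inode_permission(&other, 4, &user_task);
}

/* The inode object was dropped and re-created at a new address with the same
 * superblock and number: the cached identity still matches it. */
int scenario_user_reads_recreated_cpuinfo(void)
{
    struct inode recreated = { &proc_sb, 42 };
    cache_cpuinfo_entry(&cpuinfo);
    return model_inode_permission(&recreated, 4, &user_task);
}

int main(void)
{
    printf("user -> cpuinfo           : %d\n", scenario_user_reads_cpuinfo());
    printf("root -> cpuinfo           : %d\n", scenario_root_reads_cpuinfo());
    printf("user -> other file        : %d\n", scenario_user_reads_other_file());
    printf("user -> recreated cpuinfo : %d\n", scenario_user_reads_recreated_cpuinfo());
    return 0;
}
```

The scenarios show the two halves of the test the reply leaves to the programmer: the identity check must match the inode even after the object has been re-created, and must not match other entries on the same filesystem, while the fsuid check lets root through and refuses everyone else regardless of the requested access.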

