From: Albert Cahalan <albert@users.sourceforge.net>
To: selinux@tycho.nsa.gov
Subject: SE Linux and /proc files
Date: 01 Sep 2004 16:57:17 -0400
Message-ID: <1094072237.434.7207.camel@cube>

At an extreme security level, users can't see processes
running in other roles. At a low security level, they can.

How about a middle ground? I've been thinking of adding
a new /proc file containing some basic data for procps.
It wouldn't have EIP, ESP, WCHAN, and a few others that
are quite revealing to an attacker. A list of items that
would be enough for basic procps functionality is:

class   - scheduling class
cmd     - COMMAND, w/o args
cstime  - CPU time
cutime  - CPU time
euid
nice
nlwp  - num threads
pcpu  - %CPU (once implemented)
pgrp
ppid
priority
processor
resident
rtprio
ruid
sched  - RT scheduling class
session
share  - memory info
size
start_time
state
stime  - CPU time
tgid
tid
tpgid
tty
utime  - CPU time
vm_lock - locked mem (just need yes/no)
vm_rss
vm_size

Might this be useful?

Anything on that list more troublesome than cmd?



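
As an added illustration of the split the message proposes (not code from the message or from procps): a Python sketch that reduces one /proc/<pid>/stat line to the listed fields and leaves out ESP, EIP and WCHAN. Field positions follow proc(5); the function names, the mapping of the message's names onto stat fields, and the sample line are assumptions made here.

```python
# Positions (1-based) in /proc/<pid>/stat per proc(5), keyed to the names the
# message uses. Listed items that live in other /proc files (euid, ruid,
# share, ...) are outside this sketch.
KEEP = {
    3: "state", 4: "ppid", 5: "pgrp", 6: "session", 7: "tty", 8: "tpgid",
    14: "utime", 15: "stime", 16: "cutime", 17: "cstime",
    18: "priority", 19: "nice", 20: "nlwp", 22: "start_time",
    23: "vm_size", 24: "vm_rss", 39: "processor", 40: "rtprio", 41: "sched",
}
# The stat fields behind the items the message calls revealing.
SENSITIVE = {29: "kstkesp (ESP)", 30: "kstkeip (EIP)", 35: "wchan"}


def split_stat(line):
    """Return {position: text}. cmd (field 2) sits in parentheses and may hold
    spaces or ')', so split on the LAST ')' instead of on whitespace."""
    lpar, rpar = line.index("("), line.rindex(")")
    fields = {1: line[:lpar].strip(), 2: line[lpar + 1:rpar]}
    for pos, text in enumerate(line[rpar + 1:].split(), start=3):
        fields[pos] = text
    return fields


def basic_view(line):
    """Reduced record: listed fields only; ESP, EIP and WCHAN are never copied."""
    fields = split_stat(line)
    view = {"tgid": int(fields[1]), "cmd": fields[2]}
    for pos, name in KEEP.items():
        if pos in fields:  # tolerate shorter lines
            view[name] = fields[pos] if name == "state" else int(fields[pos])
    return view


def withheld(line):
    """Sensitive fields present in the raw line but left out of the view."""
    fields = split_stat(line)
    return [name for pos, name in SENSITIVE.items() if pos in fields]


# Constructed sample line (not captured from a real system). The command
# name contains a space and a ')' to exercise the parsing edge case.
SAMPLE = ("4321 (my )odd cmd) S 1 4321 4321 34816 4321 4194304 120 0 0 0 "
          "15 7 2 1 20 0 3 0 987654 10485760 256 18446744073709551615 "
          "4194304 4198400 140730000000000 140729999990000 139900000000000 "
          "0 0 0 0 18446744071580000000 0 0 17 2 0 0")

if __name__ == "__main__":
    for key, value in basic_view(SAMPLE).items():
        print(f"{key:<11}{value}")
```

Filtering like this in user space hides nothing from a process that can still read the full stat file; the reduction only restricts what is exposed when the kernel itself provides the smaller file, as the message suggests.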
