* SE Linux and /proc files
@ 2004-09-01 20:57 Albert Cahalan
From: Albert Cahalan @ 2004-09-01 20:57 UTC
  To: selinux

At an extreme security level, users can't see processes
running in other roles. At a low security level, they can.

How about a middle ground? I've been thinking of adding
a new /proc file containing some basic data for procps.
It wouldn't have EIP, ESP, WCHAN, and a few others that
are quite revealing to an attacker. A list of items that
would be enough for basic procps functionality is:

class   - scheduling class
cmd     - COMMAND, w/o args
cstime  - CPU time
cutime  - CPU time
euid
nice
nlwp  - num threads
pcpu  - %CPU (once implemented)
pgrp
ppid
priority
processor
resident
rtprio
ruid
sched  - RT scheduling class
session
share  - memory info
size
start_time
state
stime  - CPU time
tgid
tid
tpgid
tty
utime  - CPU time
vm_lock - locked mem (just need yes/no)
vm_rss
vm_size

Might this be useful?

Anything on that list more troublesome than cmd?
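
Added example, not part of the original message and not procps code: a user-space sketch of the proposed restricted view, projecting a `/proc/<pid>/stat` line onto the fields listed above and leaving out ESP, EIP and WCHAN. Field numbers follow proc(5); the mapping from the message's names to stat fields, the function names and the sample line are assumptions, and items that live in other files (euid, ruid, the statm sizes) are left out.

```python
# Added example: project a /proc/<pid>/stat line onto fields the message lists.
# Field numbers follow proc(5); the name-to-field mapping is an assumption.
ALLOWED = {  # message's name -> 1-based field number in /proc/<pid>/stat
    "cmd": 2, "state": 3, "ppid": 4, "pgrp": 5, "session": 6, "tty": 7,
    "tpgid": 8, "utime": 14, "stime": 15, "cutime": 16, "cstime": 17,
    "priority": 18, "nice": 19, "nlwp": 20, "start_time": 22,
    "vm_size": 23, "vm_rss": 24, "processor": 39, "rtprio": 40, "sched": 41,
}
# Named in the message as too revealing: kstkesp, kstkeip, wchan in proc(5).
WITHHELD = {"ESP": 29, "EIP": 30, "WCHAN": 35}

def split_stat(line):
    """Split a stat line into fields; comm may contain spaces and ')'."""
    lpar = line.index("(")
    rpar = line.rindex(")")  # the last ')' ends comm, whatever the name holds
    pid = line[:lpar].strip()
    return [pid, line[lpar + 1:rpar]] + line[rpar + 1:].split()

def restricted_view(line):
    """Return only the allowlisted fields; everything else is dropped."""
    fields = split_stat(line)
    # Field 1 is the pid (the tid when read from /proc/<pid>/task/<tid>/stat).
    view = {"tid": int(fields[0])}
    for name, pos in ALLOWED.items():
        if pos > len(fields):  # older kernels emit fewer fields
            continue
        raw = fields[pos - 1]
        view[name] = raw if name in ("cmd", "state") else int(raw)
    return view

# Constructed sample line (not captured from a real system); comm contains
# a space and a ')' to exercise the parser.
SAMPLE = ("4242 (evil) name) S 1 4242 4242 34816 4242 4194304 120 0 0 0 "
          "7 3 1 2 20 0 1 0 98765 10485760 256 18446744073709551615 "
          "4194304 4238788 140736000000000 140735999990000 139999999990000 "
          "0 0 0 0 18446744071579000000 0 0 17 2 0 0 0 0 0")

if __name__ == "__main__":
    view = restricted_view(SAMPLE)
    for name in sorted(view):
        print(f"{name:12}{view[name]}")
    print("withheld:", ", ".join(sorted(WITHHELD)))
```

Because the view is built from an allowlist, any field a later kernel appends to the stat line stays hidden until it is added to `ALLOWED` deliberately.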
