From: "Lorenzo Hernández García-Hierro" <lorenzo@gnu.org>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: [PATCH 3/7] procfs privacy: misc. entries
Date: Mon, 18 Apr 2005 20:46:52 +0200 [thread overview]
Message-ID: <1113850012.17341.71.camel@localhost.localdomain> (raw)
This patch changes the permissions of the following procfs entries to
restrict non-root users from accessing them:
- /proc/devices
- /proc/cmdline
- /proc/version
- /proc/uptime
- /proc/cpuinfo
- /proc/partitions
- /proc/stat
- /proc/interrupts
- /proc/slabinfo
- /proc/diskstats
- /proc/modules
- /proc/schedstat
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_fs_proc_proc_misc.c.patch
--
Lorenzo Hernández García-Hierro <lorenzo@gnu.org>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
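An added check, not part of the patch or the kernel tree: this POSIX shell function reports which of the procfs entries listed above are still readable by "other" on a running system, so an administrator can verify whether the restriction is in effect. It assumes a Linux /proc and GNU/BusyBox `stat -c`; the function name and the directory argument (which lets it run against a constructed tree) are hypothetical.

```shell
#!/bin/sh
# Added example: audit the world-readability of the procfs entries the
# proc-privacy patch restricts. Hypothetical helper, not kernel code.

# The entries named in the patch description.
PROC_PRIVACY_ENTRIES="devices cmdline version uptime cpuinfo partitions \
stat interrupts slabinfo diskstats modules schedstat"

# audit_proc_modes [DIR]
# Prints "name mode" for every listed entry under DIR (default /proc)
# whose mode grants read permission to "other", i.e. to any local user.
# Returns 0 when none of the present entries are world-readable, 1 otherwise.
audit_proc_modes() {
    dir=${1:-/proc}
    rc=0
    for name in $PROC_PRIVACY_ENTRIES; do
        path="$dir/$name"
        # modules and schedstat only exist when the matching config is enabled.
        [ -e "$path" ] || continue
        mode=$(stat -c '%a' "$path")        # octal mode, e.g. 444 or 400
        other=${mode#"${mode%?}"}           # last octal digit = "other" bits
        if [ $(( other & 4 )) -ne 0 ]; then # bit 4 = read
            printf '%s %s\n' "$name" "$mode"
            rc=1
        fi
    done
    return $rc
}
```

Run as `audit_proc_modes` on a live system; an empty result with exit status 0 means every present entry is already restricted as the patch intends.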
[-- Attachment #1.2: proc-privacy-1_fs_proc_proc_misc.c.patch --]
[-- Type: text/x-patch, Size: 2938 bytes --]
diff -puN fs/proc/proc_misc.c~proc-privacy-1 fs/proc/proc_misc.c
--- linux-2.6.11/fs/proc/proc_misc.c~proc-privacy-1 2005-04-17 18:09:40.615791096 +0200
+++ linux-2.6.11-lorenzo/fs/proc/proc_misc.c 2005-04-17 18:20:13.763538008 +0200
@@ -552,18 +552,14 @@ void __init proc_misc_init(void)
int (*read_proc)(char*,char**,off_t,int,int*,void*);
} *p, simple_ones[] = {
{"loadavg", loadavg_read_proc},
- {"uptime", uptime_read_proc},
{"meminfo", meminfo_read_proc},
- {"version", version_read_proc},
#ifdef CONFIG_PROC_HARDWARE
{"hardware", hardware_read_proc},
#endif
#ifdef CONFIG_STRAM_PROC
{"stram", stram_read_proc},
#endif
- {"devices", devices_read_proc},
{"filesystems", filesystems_read_proc},
- {"cmdline", cmdline_read_proc},
{"locks", locks_read_proc},
{"execdomains", execdomains_read_proc},
{NULL,}
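Review bot: pulling uptime, version, devices and cmdline out of `simple_ones` only to recreate them one by one with an explicit S_IRUSR duplicates the table; a mode field in the `simple_ones` struct (e.g. `{"uptime", S_IRUSR, uptime_read_proc}`) applied by the existing `create_proc_read_entry(p->name, 0, ...)` loop would keep the per-entry policy in one reviewable place. The description should also say that /proc/uptime and /proc/version are read by unprivileged userspace (uptime(1) and the many tools that identify the running kernel), so making them root-only is a visible compatibility change, not just a hardening tweak.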
@@ -571,25 +567,30 @@ void __init proc_misc_init(void)
for (p = simple_ones; p->name; p++)
create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
+ create_proc_read_entry("devices", S_IRUSR, NULL, &devices_read_proc, NULL);
+ create_proc_read_entry("cmdline", S_IRUSR, NULL, &cmdline_read_proc, NULL);
+ create_proc_read_entry("version", S_IRUSR, NULL, &version_read_proc, NULL);
+ create_proc_read_entry("uptime", S_IRUSR, NULL, &uptime_read_proc, NULL);
+
proc_symlink("mounts", NULL, "self/mounts");
/* And now for trickier ones */
entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
if (entry)
entry->proc_fops = &proc_kmsg_operations;
- create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
- create_seq_entry("partitions", 0, &proc_partitions_operations);
- create_seq_entry("stat", 0, &proc_stat_operations);
- create_seq_entry("interrupts", 0, &proc_interrupts_operations);
- create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
+ create_seq_entry("cpuinfo", S_IRUSR, &proc_cpuinfo_operations);
+ create_seq_entry("partitions", S_IRUSR, &proc_partitions_operations);
+ create_seq_entry("stat", S_IRUSR, &proc_stat_operations);
+ create_seq_entry("interrupts", S_IRUSR, &proc_interrupts_operations);
+ create_seq_entry("slabinfo",S_IWUSR|S_IRUSR,&proc_slabinfo_operations);
create_seq_entry("buddyinfo",S_IRUGO, &fragmentation_file_operations);
create_seq_entry("vmstat",S_IRUGO, &proc_vmstat_file_operations);
- create_seq_entry("diskstats", 0, &proc_diskstats_operations);
+ create_seq_entry("diskstats", S_IRUSR, &proc_diskstats_operations);
#ifdef CONFIG_MODULES
- create_seq_entry("modules", 0, &proc_modules_operations);
+ create_seq_entry("modules", S_IRUSR, &proc_modules_operations);
#endif
#ifdef CONFIG_SCHEDSTATS
- create_seq_entry("schedstat", 0, &proc_schedstat_operations);
+ create_seq_entry("schedstat", S_IRUSR, &proc_schedstat_operations);
#endif
#ifdef CONFIG_PROC_KCORE
proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
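Review bot: the restriction is inconsistent within this hunk: stat, cpuinfo and diskstats become S_IRUSR while `buddyinfo` and `vmstat`, the two unchanged S_IRUGO lines between them, stay world-readable and expose closely related memory and system counters, so the privacy gain is only partial; either restrict those too or state why they are exempt. Since top(1), ps and similar monitoring tools read /proc/stat and /proc/cpuinfo as ordinary users, an unconditional S_IRUSR will break them for non-root; a Kconfig option (or a run-time knob) that defaults to the current modes would let distributions opt in, following the existing S_IRUSR precedent of `kmsg` and `kcore` in this same function instead of forcing the change on everyone.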