procfs: make /proc/*/{stack,syscall,personality} 0400

These procfs files contain sensitive information and currently their mode is 0444. Change this to 0400, so the VFS will be able to block unprivileged processes from getting file descriptors on arbitrary privileged /proc/*/{stack,syscall,personality} files. This reduces the scope of ASLR leaking and bypasses by protecting already running processes. Signed-off-by: Djalal Harouni <tixxdz@opendz.org> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Andy Lutomirski <luto@amacapital.net> Cc: Eric W. Biederman <ebiederm@xmission.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Ingo Molnar <mingo@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Djalal Harouni <tixxdz@opendz.org> 2014-04-07 18:38:36 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2014-04-07 19:36:04 -0400
commit: 35a35046e4f9d8849e727b0e0f6edac0ece4ca6e (patch)
tree: 40e3296460ebc388f4c1ce3f622c0858fae0a6e9 /fs/proc
parent: 1c44dbc82f75aabc5de95da92b304393a94751fc (diff)
1 files changed, 6 insertions, 6 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c
index b9760628e1fd..a08c92289357 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2588,7 +2588,7 @@ static const struct pid_entry tgid_base_stuff[] = {
        REG("environ",    S_IRUSR, proc_environ_operations),
        INF("auxv",       S_IRUSR, proc_pid_auxv),
        ONE("status",     S_IRUGO, proc_pid_status),
-        ONE("personality", S_IRUGO, proc_pid_personality),
+        ONE("personality", S_IRUSR, proc_pid_personality),
        INF("limits",     S_IRUGO, proc_pid_limits),
 #ifdef CONFIG_SCHED_DEBUG
        REG("sched",      S_IRUGO|S_IWUSR, proc_pid_sched_operations),
@@ -2598,7 +2598,7 @@ static const struct pid_entry tgid_base_stuff[] = {
 #endif
        REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
 #ifdef CONFIG_HAVE_ARCH_TRACEHOOK
-        INF("syscall",    S_IRUGO, proc_pid_syscall),
+        INF("syscall",    S_IRUSR, proc_pid_syscall),
 #endif
        INF("cmdline",    S_IRUGO, proc_pid_cmdline),
        ONE("stat",       S_IRUGO, proc_tgid_stat),
@@ -2626,7 +2626,7 @@ static const struct pid_entry tgid_base_stuff[] = {
        INF("wchan",      S_IRUGO, proc_pid_wchan),
 #endif
 #ifdef CONFIG_STACKTRACE
-        ONE("stack",      S_IRUGO, proc_pid_stack),
+        ONE("stack",      S_IRUSR, proc_pid_stack),
 #endif
 #ifdef CONFIG_SCHEDSTATS
        INF("schedstat",  S_IRUGO, proc_pid_schedstat),
@@ -2927,14 +2927,14 @@ static const struct pid_entry tid_base_stuff[] = {
        REG("environ",   S_IRUSR, proc_environ_operations),
        INF("auxv",      S_IRUSR, proc_pid_auxv),
        ONE("status",    S_IRUGO, proc_pid_status),
-        ONE("personality", S_IRUGO, proc_pid_personality),
+        ONE("personality", S_IRUSR, proc_pid_personality),
        INF("limits",    S_IRUGO, proc_pid_limits),
 #ifdef CONFIG_SCHED_DEBUG
        REG("sched",     S_IRUGO|S_IWUSR, proc_pid_sched_operations),
 #endif
        REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
 #ifdef CONFIG_HAVE_ARCH_TRACEHOOK
-        INF("syscall",   S_IRUGO, proc_pid_syscall),
+        INF("syscall",   S_IRUSR, proc_pid_syscall),
 #endif
        INF("cmdline",   S_IRUGO, proc_pid_cmdline),
        ONE("stat",      S_IRUGO, proc_tid_stat),
@@ -2964,7 +2964,7 @@ static const struct pid_entry tid_base_stuff[] = {
        INF("wchan",     S_IRUGO, proc_pid_wchan),
 #endif
 #ifdef CONFIG_STACKTRACE
-        ONE("stack",      S_IRUGO, proc_pid_stack),
+        ONE("stack",      S_IRUSR, proc_pid_stack),
 #endif
 #ifdef CONFIG_SCHEDSTATS
        INF("schedstat", S_IRUGO, proc_pid_schedstat),
author	Djalal Harouni <tixxdz@opendz.org>	2014-04-07 18:38:36 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2014-04-07 19:36:04 -0400
commit	35a35046e4f9d8849e727b0e0f6edac0ece4ca6e (patch)
tree	40e3296460ebc388f4c1ce3f622c0858fae0a6e9 /fs/proc
parent	1c44dbc82f75aabc5de95da92b304393a94751fc (diff)

diff --git a/fs/proc/base.c b/fs/proc/base.c index b9760628e1fd..a08c92289357 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c
@@ -2588,7 +2588,7 @@ static const struct pid_entry tgid_base_stuff[] = {
2588	REG("environ", S_IRUSR, proc_environ_operations),	2588	REG("environ", S_IRUSR, proc_environ_operations),
2589	INF("auxv", S_IRUSR, proc_pid_auxv),	2589	INF("auxv", S_IRUSR, proc_pid_auxv),
2590	ONE("status", S_IRUGO, proc_pid_status),	2590	ONE("status", S_IRUGO, proc_pid_status),
2591	ONE("personality", S_IRUGO, proc_pid_personality),	2591	ONE("personality", S_IRUSR, proc_pid_personality),
2592	INF("limits", S_IRUGO, proc_pid_limits),	2592	INF("limits", S_IRUGO, proc_pid_limits),
2593	#ifdef CONFIG_SCHED_DEBUG	2593	#ifdef CONFIG_SCHED_DEBUG
2594	REG("sched", S_IRUGO\|S_IWUSR, proc_pid_sched_operations),	2594	REG("sched", S_IRUGO\|S_IWUSR, proc_pid_sched_operations),
@@ -2598,7 +2598,7 @@ static const struct pid_entry tgid_base_stuff[] = {
2598	#endif	2598	#endif
2599	REG("comm", S_IRUGO\|S_IWUSR, proc_pid_set_comm_operations),	2599	REG("comm", S_IRUGO\|S_IWUSR, proc_pid_set_comm_operations),
2600	#ifdef CONFIG_HAVE_ARCH_TRACEHOOK	2600	#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
2601	INF("syscall", S_IRUGO, proc_pid_syscall),	2601	INF("syscall", S_IRUSR, proc_pid_syscall),
2602	#endif	2602	#endif
2603	INF("cmdline", S_IRUGO, proc_pid_cmdline),	2603	INF("cmdline", S_IRUGO, proc_pid_cmdline),
2604	ONE("stat", S_IRUGO, proc_tgid_stat),	2604	ONE("stat", S_IRUGO, proc_tgid_stat),
@@ -2626,7 +2626,7 @@ static const struct pid_entry tgid_base_stuff[] = {
2626	INF("wchan", S_IRUGO, proc_pid_wchan),	2626	INF("wchan", S_IRUGO, proc_pid_wchan),
2627	#endif	2627	#endif
2628	#ifdef CONFIG_STACKTRACE	2628	#ifdef CONFIG_STACKTRACE
2629	ONE("stack", S_IRUGO, proc_pid_stack),	2629	ONE("stack", S_IRUSR, proc_pid_stack),
2630	#endif	2630	#endif
2631	#ifdef CONFIG_SCHEDSTATS	2631	#ifdef CONFIG_SCHEDSTATS
2632	INF("schedstat", S_IRUGO, proc_pid_schedstat),	2632	INF("schedstat", S_IRUGO, proc_pid_schedstat),
@@ -2927,14 +2927,14 @@ static const struct pid_entry tid_base_stuff[] = {
2927	REG("environ", S_IRUSR, proc_environ_operations),	2927	REG("environ", S_IRUSR, proc_environ_operations),
2928	INF("auxv", S_IRUSR, proc_pid_auxv),	2928	INF("auxv", S_IRUSR, proc_pid_auxv),
2929	ONE("status", S_IRUGO, proc_pid_status),	2929	ONE("status", S_IRUGO, proc_pid_status),
2930	ONE("personality", S_IRUGO, proc_pid_personality),	2930	ONE("personality", S_IRUSR, proc_pid_personality),
2931	INF("limits", S_IRUGO, proc_pid_limits),	2931	INF("limits", S_IRUGO, proc_pid_limits),
2932	#ifdef CONFIG_SCHED_DEBUG	2932	#ifdef CONFIG_SCHED_DEBUG
2933	REG("sched", S_IRUGO\|S_IWUSR, proc_pid_sched_operations),	2933	REG("sched", S_IRUGO\|S_IWUSR, proc_pid_sched_operations),
2934	#endif	2934	#endif
2935	REG("comm", S_IRUGO\|S_IWUSR, proc_pid_set_comm_operations),	2935	REG("comm", S_IRUGO\|S_IWUSR, proc_pid_set_comm_operations),
2936	#ifdef CONFIG_HAVE_ARCH_TRACEHOOK	2936	#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
2937	INF("syscall", S_IRUGO, proc_pid_syscall),	2937	INF("syscall", S_IRUSR, proc_pid_syscall),
2938	#endif	2938	#endif
2939	INF("cmdline", S_IRUGO, proc_pid_cmdline),	2939	INF("cmdline", S_IRUGO, proc_pid_cmdline),
2940	ONE("stat", S_IRUGO, proc_tid_stat),	2940	ONE("stat", S_IRUGO, proc_tid_stat),
@@ -2964,7 +2964,7 @@ static const struct pid_entry tid_base_stuff[] = {
2964	INF("wchan", S_IRUGO, proc_pid_wchan),	2964	INF("wchan", S_IRUGO, proc_pid_wchan),
2965	#endif	2965	#endif
2966	#ifdef CONFIG_STACKTRACE	2966	#ifdef CONFIG_STACKTRACE
2967	ONE("stack", S_IRUGO, proc_pid_stack),	2967	ONE("stack", S_IRUSR, proc_pid_stack),
2968	#endif	2968	#endif
2969	#ifdef CONFIG_SCHEDSTATS	2969	#ifdef CONFIG_SCHEDSTATS
2970	INF("schedstat", S_IRUGO, proc_pid_schedstat),	2970	INF("schedstat", S_IRUGO, proc_pid_schedstat),