| |||||||||||||
Protecting /proc/slabinfoProtecting /proc/slabinfoPosted Mar 10, 2011 17:54 UTC (Thu) by rilder (subscriber, #59804)Parent article: Protecting /proc/slabinfo
Every now and then, we see exploit related issues concerning either procfs or sysfs. So rather than disallowing files like /proc/slabinfo individually, we should disable all and whitelist only a few to be read by a non-root user, all others requiring root permission. It can be made an optional CONFIG_XXX bool entry for now to help distros in transition, making it compulsory in future versions.
(Log in to post comments)
Protecting /proc/slabinfo Posted Mar 10, 2011 20:06 UTC (Thu) by nevets (subscriber, #11875) [Link]
hehe, this reminds me of that old saying:
"When all you have is a hammer, everything looks like a nail.".
Not saying it's a bad idea. I'm just saying it reminds me of that saying.
Protecting /proc/slabinfo Posted Mar 15, 2011 22:47 UTC (Tue) by steffen780 (guest, #68142) [Link]
+1. Enumerating the bad simply doesn't scale. How many times will this discussion be held? Adding this kernel option, then defaulting to yes in a couple of years once the whitelist is sufficiently populated, seems to be the perfect solution.
|
|||||||||||||