首页 发现 帮助
登录
GfA
/
linux_kernel
5
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

proc: report no_new_privs state

Similar to being able to examine if a process has been correctly
confined with seccomp, the state of no_new_privs is equally interesting,
so this adds it to /proc/$pid/status.

Link: http://lkml.kernel.org/r/20161103214041.GA58566@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Jann Horn <jann@thejh.net>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Rodrigo Freire <rfreire@redhat.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Cc: Robert Ho <robert.hu@intel.com>
Cc: Jerome Marchand <jmarchan@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: "Richard W.M. Jones" <rjones@redhat.com>
Cc: Joe Perches <joe@perches.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Kees Cook 8 年之前
父节点
8f6066049c
当前提交
af884cd4a5
共有 2 个文件被更改,包括 5 次插入2 次删除
分列视图 显示文件统计
  1. 2 0
      Documentation/filesystems/proc.txt
  2. 3 2
      fs/proc/array.c

+ 2 - 0
Documentation/filesystems/proc.txt
查看文件 

@@ -191,6 +191,7 @@ read the file /proc/PID/status:
 
   CapPrm: 0000000000000000
 
   CapEff: 0000000000000000
 
   CapBnd: ffffffffffffffff
 
+  NoNewPrivs:     0
 
   Seccomp:        0
 
   voluntary_ctxt_switches:        0
 
   nonvoluntary_ctxt_switches:     1
 
@@ -262,6 +263,7 @@ Table 1-2: Contents of the status files (as of 4.1)
 
  CapPrm                      bitmap of permitted capabilities
 
  CapEff                      bitmap of effective capabilities
 
  CapBnd                      bitmap of capabilities bounding set
 
+ NoNewPrivs                  no_new_privs, like prctl(PR_GET_NO_NEW_PRIV, ...)
 
  Seccomp                     seccomp mode, like prctl(PR_GET_SECCOMP, ...)
 
  Cpus_allowed                mask of CPUs on which this process may run
 
  Cpus_allowed_list           Same as previous, but in "list format"

+ 3 - 2
fs/proc/array.c
查看文件 

@@ -342,10 +342,11 @@ static inline void task_cap(struct seq_file *m, struct task_struct *p)
 
 
 static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
 
 {
 
+	seq_put_decimal_ull(m, "NoNewPrivs:\t", task_no_new_privs(p));
 
 #ifdef CONFIG_SECCOMP
 
-	seq_put_decimal_ull(m, "Seccomp:\t", p->seccomp.mode);
 
-	seq_putc(m, '\n');
 
+	seq_put_decimal_ull(m, "\nSeccomp:\t", p->seccomp.mode);
 
 #endif
 
+	seq_putc(m, '\n');
 
 }
 
 
 static inline void task_context_switch_counts(struct seq_file *m,