
proc: report no_new_privs state

Similar to being able to examine if a process has been correctly
confined with seccomp, the state of no_new_privs is equally interesting,
so this adds it to /proc/$pid/status.

Link: http://lkml.kernel.org/r/20161103214041.GA58566@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Jann Horn <jann@thejh.net>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Rodrigo Freire <rfreire@redhat.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Cc: Robert Ho <robert.hu@intel.com>
Cc: Jerome Marchand <jmarchan@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: "Richard W.M. Jones" <rjones@redhat.com>
Cc: Joe Perches <joe@perches.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Kees Cook, 8 years ago
Parent
Commit
af884cd4a5
2 changed files with 5 additions and 2 deletions
  1. +2 -0 Documentation/filesystems/proc.txt
  2. +3 -2 fs/proc/array.c
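A defender-side consumer of the new field, as an added example that is not part of the kernel patch: it parses the `Key:<tab>value` layout of /proc/PID/status, distinguishes a missing NoNewPrivs line (kernel predating this change) from a missing Seccomp line (CONFIG_SECCOMP off), and classifies how well a process is confined. The sample status text and the `assess` wording are constructed for the example.

```python
import os
from typing import Dict, Optional

# Constructed sample of /proc/PID/status output with the field layout the patch
# documents: NoNewPrivs directly before Seccomp. Not taken from a real process.
SAMPLE_STATUS = (
    "Name:\tsh\nState:\tS (sleeping)\nPid:\t4242\n"
    "CapBnd:\tffffffffffffffff\nNoNewPrivs:\t1\nSeccomp:\t2\nCpus_allowed:\tff\n"
)

def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:<tab>value' lines of /proc/PID/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def no_new_privs(fields: Dict[str, str]) -> Optional[bool]:
    """NoNewPrivs as a bool; None when the kernel predates this patch."""
    value = fields.get("NoNewPrivs")
    return None if value is None else value == "1"

def seccomp_mode(fields: Dict[str, str]) -> Optional[int]:
    """Seccomp mode (0 off, 1 strict, 2 filter); None without CONFIG_SECCOMP,
    since the patched task_seccomp() then prints no Seccomp: line at all."""
    value = fields.get("Seccomp")
    return None if value is None else int(value)

def assess(fields: Dict[str, str]) -> str:
    """Classify a sandboxed process the way a confinement health check would."""
    nnp, mode = no_new_privs(fields), seccomp_mode(fields)
    if nnp is None:
        return "unknown: kernel does not report NoNewPrivs"
    if mode == 2 and nnp:
        return "confined: seccomp filter with no_new_privs"
    if mode == 2:
        # Only possible when a CAP_SYS_ADMIN holder installed the filter.
        return "weak: seccomp filter but no_new_privs unset"
    if nnp:
        return "partial: no_new_privs set, no seccomp filter"
    return "unconfined"

def assess_pid(pid: int) -> str:
    """Read a live process's status file and classify it."""
    with open(os.path.join("/proc", str(pid), "status")) as f:
        return assess(parse_status(f.read()))
```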

+ 2 - 0
Documentation/filesystems/proc.txt

@@ -191,6 +191,7 @@ read the file /proc/PID/status:
   CapPrm: 0000000000000000
   CapPrm: 0000000000000000
   CapEff: 0000000000000000
   CapEff: 0000000000000000
   CapBnd: ffffffffffffffff
   CapBnd: ffffffffffffffff
+  NoNewPrivs:     0
   Seccomp:        0
   Seccomp:        0
   voluntary_ctxt_switches:        0
   voluntary_ctxt_switches:        0
   nonvoluntary_ctxt_switches:     1
   nonvoluntary_ctxt_switches:     1
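Review bot: the sample listing shows NoNewPrivs: and Seccomp: as adjacent lines, but the fs/proc/array.c hunk emits NoNewPrivs outside `#ifdef CONFIG_SECCOMP` while Seccomp stays inside it, so a kernel built without seccomp prints the new line and no Seccomp: line at all; a sentence in the documentation saying that NoNewPrivs is always present whereas Seccomp depends on CONFIG_SECCOMP would stop readers from treating the pair as inseparable.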
@@ -262,6 +263,7 @@ Table 1-2: Contents of the status files (as of 4.1)
  CapPrm                      bitmap of permitted capabilities
  CapPrm                      bitmap of permitted capabilities
  CapEff                      bitmap of effective capabilities
  CapEff                      bitmap of effective capabilities
  CapBnd                      bitmap of capabilities bounding set
  CapBnd                      bitmap of capabilities bounding set
+ NoNewPrivs                  no_new_privs, like prctl(PR_GET_NO_NEW_PRIV, ...)
  Seccomp                     seccomp mode, like prctl(PR_GET_SECCOMP, ...)
  Seccomp                     seccomp mode, like prctl(PR_GET_SECCOMP, ...)
  Cpus_allowed                mask of CPUs on which this process may run
  Cpus_allowed                mask of CPUs on which this process may run
  Cpus_allowed_list           Same as previous, but in "list format"
  Cpus_allowed_list           Same as previous, but in "list format"
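Review bot: the prctl option in the new table entry is misspelled; the getter is PR_GET_NO_NEW_PRIVS (plural, the counterpart of PR_SET_NO_NEW_PRIVS in include/uapi/linux/prctl.h), so the line should read `NoNewPrivs                  no_new_privs, like prctl(PR_GET_NO_NEW_PRIVS, ...)` to match the neighbouring `Seccomp ... prctl(PR_GET_SECCOMP, ...)` style. The table heading still says "as of 4.1" even though a field is being added, so it is worth updating in the same patch.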

+ 3 - 2
fs/proc/array.c

@@ -342,10 +342,11 @@ static inline void task_cap(struct seq_file *m, struct task_struct *p)
 
 
 static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
 static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
 {
 {
+	seq_put_decimal_ull(m, "NoNewPrivs:\t", task_no_new_privs(p));
 #ifdef CONFIG_SECCOMP
 #ifdef CONFIG_SECCOMP
-	seq_put_decimal_ull(m, "Seccomp:\t", p->seccomp.mode);
-	seq_putc(m, '\n');
+	seq_put_decimal_ull(m, "\nSeccomp:\t", p->seccomp.mode);
 #endif
 #endif
+	seq_putc(m, '\n');
 }
 }
 
 
 static inline void task_context_switch_counts(struct seq_file *m,
 static inline void task_context_switch_counts(struct seq_file *m,
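Review bot: task_seccomp() now reports no_new_privs as well, so its name no longer describes what it prints; a rename or a short comment above the function would help the next reader. The newline handling itself is right: folding the terminator into "\nSeccomp:\t" and moving `seq_putc(m, '\n')` after `#endif` yields exactly one line ending whether or not CONFIG_SECCOMP is set, whereas keeping the old unconditional `seq_putc` inside the ifdef would have left the NoNewPrivs line unterminated on non-seccomp kernels. task_no_new_privs() returns a bool, which seq_put_decimal_ull prints as 0 or 1, matching the values the documentation hunk shows.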