RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 19:57:35 +00:00
Code Issues Activity Actions

ProcFS: Reduce the amount of info accessible to non-superusers

Browse source 
This patch hardens /proc a bit by making many things only accessible
to UID 0, and also disallowing access to /proc/PID/ for anyone other
than the UID of that process (and superuser, obviously.)
This commit is contained in:
Andreas Kling 2019-12-31 01:23:03 +01:00
parent 54d182f553
commit 9af054af9e
2 changed files with 47 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Kernel/FileSystem/ProcFS.h
View file

@ -34,9 +34,10 @@ private:
struct ProcFSDirectoryEntry {
ProcFSDirectoryEntry() {}
ProcFSDirectoryEntry(const char* a_name, unsigned a_proc_file_type, Function<Optional<KBuffer>(InodeIdentifier)>&& a_read_callback = nullptr, Function<ssize_t(InodeIdentifier, const ByteBuffer&)>&& a_write_callback = nullptr, RefPtr<ProcFSInode>&& a_inode = nullptr)
ProcFSDirectoryEntry(const char* a_name, unsigned a_proc_file_type, bool a_supervisor_only, Function<Optional<KBuffer>(InodeIdentifier)>&& a_read_callback = nullptr, Function<ssize_t(InodeIdentifier, const ByteBuffer&)>&& a_write_callback = nullptr, RefPtr<ProcFSInode>&& a_inode = nullptr)
: name(a_name)
, proc_file_type(a_proc_file_type)
, supervisor_only(a_supervisor_only)
, read_callback(move(a_read_callback))
, write_callback(move(a_write_callback))
, inode(move(a_inode))
@ -45,6 +46,7 @@ private:
const char* name { nullptr };
unsigned proc_file_type { 0 };
bool supervisor_only { false };
Function<Optional<KBuffer>(InodeIdentifier)> read_callback;
Function<ssize_t(InodeIdentifier, const ByteBuffer&)> write_callback;
RefPtr<ProcFSInode> inode;