Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease ofattacking
From: Jesper Juhl
Date: Thu Nov 04 2010 - 20:31:52 EST
On Thu, 4 Nov 2010, Marcus Meissner wrote:
>
> Hi,
>
> Making /proc/kallsyms readable only for root makes it harder
> for attackers to write generic kernel exploits by removing
> one source of knowledge where things are in the kernel.
>
> Signed-off-by: Marcus Meissner <meissner@xxxxxxx>
> ---
> kernel/kallsyms.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
> index 6f6d091..a8db257 100644
> --- a/kernel/kallsyms.c
> +++ b/kernel/kallsyms.c
> @@ -546,7 +546,7 @@ static const struct file_operations kallsyms_operations = {
>
> static int __init kallsyms_init(void)
> {
> - proc_create("kallsyms", 0444, NULL, &kallsyms_operations);
> + proc_create("kallsyms", 0400, NULL, &kallsyms_operations);
> return 0;
> }
> device_initcall(kallsyms_init);
>
This doesn't harden things much, but a little is better than nothing.
This makes sense to me and looks OK.
Reviewed-by: Jesper Juhl <jj@xxxxxxxxxxxxx>
--
Jesper Juhl <jj@xxxxxxxxxxxxx> http://www.chaosbits.net/
Plain text mails only, please http://www.expita.com/nomime.html
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/