authorJeremie Koenig <jk@jk.fr.eu.org>2010-08-21 18:06:16 +0000
committerJeremie Koenig <jk@jk.fr.eu.org>2010-08-30 14:29:50 +0200
commit80e439d146f661c416b7f42c4180b16aae7ac2f7 (patch)
tree3e4fe0379d6e34d9a4402ac565771be21aeae205 /process.c
parent75f53efdc66be8c6ffac31bd17a309f9065e273c (diff)
Set a restrictive mode on some sensitive files
* process.c (process_file_make_node, entries): Set the environ and stat files as readable only by the owner of the process.
Diffstat (limited to 'process.c')
-rw-r--r--process.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/process.c b/process.c
index 779a2e1..8955cf4 100644
--- a/process.c
+++ b/process.c
@@ -119,6 +119,9 @@ struct process_file_desc
/* The cmdline and environ contents don't need any cleaning since they are
part of a proc_stat structure. */
int no_cleanup;
+
+ /* If specified, the file mode to be set with procfs_node_chmod(). */
+ mode_t mode;
};
/* Information associated to an actual file node. */
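Review bot: The comment on the new `mode_t mode` field should spell out what an unset value means, because process_file_make_node applies the mode only when it is non-zero, so zero is the "leave the node's mode alone" sentinel and a descriptor cannot request a literal mode of 0. Suggested wording: `/* If non-zero, the file mode to set with procfs_node_chmod (); zero leaves the mode chosen at node creation untouched. */`. The enclosing struct process_file_desc starts before this hunk.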
@@ -160,6 +163,7 @@ process_file_make_node (void *dir_hook, void *entry_hook)
.cleanup = free,
};
struct process_file_node *f;
+ struct node *np;
f = malloc (sizeof *f);
if (! f)
@@ -168,7 +172,15 @@ process_file_make_node (void *dir_hook, void *entry_hook)
f->desc = entry_hook;
f->ps = dir_hook;
- return procfs_make_node (f->desc->no_cleanup ? &ops_no_cleanup : &ops, f);
+ np = procfs_make_node (f->desc->no_cleanup ? &ops_no_cleanup : &ops, f);
+ if (! np)
+ return NULL;
+
+ procfs_node_chown (np, proc_stat_owner_uid (f->ps));
+ if (f->desc->mode)
+ procfs_node_chmod (np, f->desc->mode);
+
+ return np;
}
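Review bot: The new `procfs_node_chown (np, proc_stat_owner_uid (f->ps))` call relies on the owner uid being valid in the proc_stat, but none of the `.needs` masks visible in the entries table below request the owner-uid information, so it is worth confirming that the directory hook guarantees it has been fetched before any file node is made; if it has not, the owner applied to these 0400 nodes could be stale or uninitialised, which would defeat the restriction this commit is adding. A short comment at the call site would make that precondition explicit, e.g. `/* Requires the owner uid to be present in f->ps (see the directory hook). */`. Note also that the mode is only applied when non-zero, so files without a `.mode` keep whatever mode procfs_make_node assigns, which is presumably the intended default. The start of process_file_make_node lies outside this hunk.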
@@ -189,6 +201,7 @@ static struct procfs_dir_entry entries[] = {
.get_contents = process_file_gc_environ,
.needs = PSTAT_ENV,
.no_cleanup = 1,
+ .mode = 0400,
},
},
{
@@ -199,6 +212,7 @@ static struct procfs_dir_entry entries[] = {
.needs = PSTAT_PID | PSTAT_ARGS | PSTAT_STATE | PSTAT_PROC_INFO
| PSTAT_TASK | PSTAT_TASK_BASIC | PSTAT_THREAD_BASIC
| PSTAT_THREAD_WAIT,
+ .mode = 0400,
},
},
{}