Hello,
I'm pretty happy that the OpenVZ team have ported some of the grsecurity features, but the current OpenVZ patch lacks many grsecurity features, and one of them, very small but very useful for my setup, is CONFIG_GRKERNSEC_PROC_IPADDR or /proc/$PID/ipaddr support.
I made a patch that enables that feature for the patch-ovz006.4-combined patch. It isn't very pretty, but it works on my systems.
I will be very happy if you introduce that grsecurity feature in some of your next OpenVZ releases.
About the CONFIG_GRKERNSEC_PROC_IPADDR feature, this is the info for it from the grsecurity help:
If you say Y here, a new entry will be added to each /proc/<pid>
directory that contains the IP address of the person using the task.
The IP is carried across local TCP and AF_UNIX stream sockets.
This information can be useful for IDS/IPSes to perform remote response
to a local attack. The entry is readable by only the owner of the
process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
the RBAC system), and thus does not create privacy concerns.
Thank You
Iavor Stoev
System Administrator at ICDSoft Ltd
--- fs/proc/internal.h.orig 2008-10-31 23:06:07.000000000 +0200
+++ fs/proc/internal.h 2008-10-31 23:02:45.000000000 +0200
@@ -52,6 +52,8 @@
extern int proc_tgid_stat(struct task_struct *, char *);
extern int proc_pid_status(struct task_struct *, char *);
extern int proc_pid_statm(struct task_struct *, char *);
+/* /proc/$pid/ipaddr support */
+extern int proc_pid_ipaddr(struct task_struct*,char*);
extern const struct file_operations proc_maps_operations;
extern const struct file_operations proc_numa_maps_operations;
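Review bot: the new prototype `extern int proc_pid_ipaddr(struct task_struct*,char*);` does not follow the spacing of the neighbouring declarations (`struct task_struct *, char *`); please match the surrounding style. Since the feature is described as CONFIG_GRKERNSEC_PROC_IPADDR, the declaration (and the other added pieces) should also be wrapped in a matching Kconfig guard so the entry can be switched off.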
--- fs/proc/array.c.orig 2008-10-31 22:56:42.000000000 +0200
+++ fs/proc/array.c 2008-10-31 23:03:18.000000000 +0200
@@ -663,3 +663,12 @@
return sprintf(buffer, "%d %d %d %d %d %d %d\n",
size, resident, shared, text, lib, data, 0);
}
+
+/* /proc/$pid/ipaddr support */
+int proc_pid_ipaddr(struct task_struct *task, char * buffer)
+{
+ int len;
+
+ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
+ return len;
+}
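Review bot: nothing in this patch ever assigns `task->signal->curr_ip`, so the new `/proc/$pid/ipaddr` entry will always report 0.0.0.0; the grsecurity help quoted above says the address is carried across local TCP and AF_UNIX stream sockets, and those socket-layer hooks are missing here. The `len` temporary is also unnecessary (`return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));` is enough), and `char * buffer` should be `char *buffer` to match the file.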
--- fs/proc/base.c.orig 2008-10-31 23:04:08.000000000 +0200
+++ fs/proc/base.c 2008-10-31 23:04:55.000000000 +0200
@@ -2267,6 +2267,8 @@
#ifdef CONFIG_TASK_IO_ACCOUNTING
INF("io", S_IRUGO, pid_io_accounting),
#endif
+/* /proc/$pid/ipaddr support */
+ INF("ipaddr", S_IRUSR, pid_ipaddr),
};
static int proc_tgid_base_readdir(struct file * filp,
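Review bot: the added comment `+/* /proc/$pid/ipaddr support */` sits at column 0 inside an indented initializer table; indent it with the `INF(...)` entries (or drop it, since the entry is self-describing). `S_IRUSR` does match the quoted help text, which says the entry is readable only by the owner of the process; keep that mode rather than `S_IRUGO`.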
--- include/linux/sched.h.orig 2008-10-31 20:03:58.000000000 +0200
+++ include/linux/sched.h 2008-11-01 00:15:58.000000000 +0200
@@ -539,6 +539,10 @@
unsigned audit_tty;
struct tty_audit_buf *tty_audit_buf;
#endif
+
+/* /proc/$pid/ipaddr support */
+u32 curr_ip;
+
};
/* Context switch must be unlocked if interrupts are to be enabled */
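Review bot: `u32 curr_ip;` is added to `struct signal_struct` unconditionally and nothing in the patch initializes or updates it, so every task exposes whatever the field holds at allocation time; it should be guarded by the same Kconfig option as the `/proc` entry, zeroed when the signal struct is created, and written by the socket hooks the feature depends on. The two surrounding empty `+` lines are also unneeded and should be removed.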
_______________________________________________
Devel mailing list
[email protected]
https://openvz.org/mailman/listinfo/devel