Hello,

I wrote a patch which adds a new kernel sysctl (hideproc) to hide processes not owned by the calling user, except for root. This should be mostly useful on shell servers and on servers with chroots.

I know some controversial patches have been presented in the past, but this one does only one thing and should have a small enough impact.

While writing it, I was using a snapshot about 1 week old, and the patch didn't work for a reason I have not found. But it works fine on 5.6 (that's why this one applies to 5.6). So there might be, or have been, a regression somewhere.


diff -aur oldsys/kern/kern_sysctl.c sys/kern/kern_sysctl.c
--- oldsys/kern/kern_sysctl.c   Tue Jul 22 19:13:26 2014
+++ sys/kern/kern_sysctl.c      Tue Jan 27 08:32:31 2015
@@ -38,7 +38,6 @@
 /*
  * sysctl system call.
  */
-
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
@@ -246,6 +245,7 @@
 char domainname[MAXHOSTNAMELEN];
 int domainnamelen;
 long hostid;
+int hideproc;
 char *disknames = NULL;
 struct diskstats *diskstats = NULL;
 #ifdef INSECURE
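Review bot: `int hideproc;` is added without a comment, and it relies on zero-initialised BSS to mean the filter is off by default. A one-line comment next to the definition would make the default and the meaning explicit, e.g. `int hideproc;		/* KERN_HIDEPROC: if > 0, non-root callers see only their own processes */`.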
@@ -597,6 +597,8 @@
return sysctl_rdstruct(oldp, oldlenp, newp, &dev, sizeof(dev));
        case KERN_NETLIVELOCKS:
                return (sysctl_rdint(oldp, oldlenp, newp, net_livelocks));
+       case KERN_HIDEPROC:
+               return(sysctl_int(oldp, oldlenp, newp, newlen, &hideproc));
        case KERN_POOL_DEBUG: {
                int old_pool_debug = pool_debug;

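Review bot: The KERN_HIDEPROC case stores whatever integer is written via `sysctl_int`, while the only consumer tests `hideproc > 0`, so a negative write silently behaves as "off" and is indistinguishable from an explicit 0; either reject out-of-range values after the call or document that any positive value enables the filter. The new `return(sysctl_int(` also lacks the space used by the neighbouring `return (sysctl_rdint(` line; match it with `return (sysctl_int(oldp, oldlenp, newp, newlen, &hideproc));`. The enclosing switch starts and ends outside the hunk.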
@@ -1376,6 +1378,17 @@
                 * Skip embryonic processes.
                 */
                if (pr->ps_flags & PS_EMBRYO)
+                       continue;
+
+               /*
+               * Only show user owned processes if hideproc flag is set
+               * or the last exec gave us setuid/setgid privs
+               * (unless you're root).
+               */
+
+               if ( hideproc > 0 && (pr != curproc->p_p &&
+ (pr->ps_ucred->cr_ruid != curproc->p_ucred->cr_ruid ||
+ (pr->ps_flags & PS_SUGID)) && suser(curproc, 0) != 0))
                        continue;

                /*
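Review bot: The new comment misdescribes the condition it precedes: the code skips a process when the caller is not root and either the target's real uid differs from the caller's or the target has PS_SUGID set, so `hideproc` is a gate on the whole test rather than an alternative, and PS_SUGID is checked on `pr`, not on the caller. Suggest `/* With hideproc set, non-root callers see only their own processes; other users' and setuid/setgid processes are skipped. */`. The filter covers only this enumeration loop in sysctl_doproc (which starts and ends outside the hunk); per-pid queries such as KERN_PROC_ARGS are served by other code in this file and, unless they carry their own ownership check, a hidden process's existence and arguments presumably remain retrievable by pid, which is worth stating as a known limitation. Minor: `suser(curproc, 0)` is evaluated once per scanned process and could be computed once before the loop, and `if ( hideproc` has a stray space after the parenthesis.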
--- oldsys/sys/sysctl.h Sun Jul 13 18:41:22 2014
+++ sys/sys/sysctl.h    Tue Jan 27 08:38:31 2015
@@ -180,7 +180,8 @@
#define KERN_POOL_DEBUG 77 /* int: enable pool_debug */
 #define        KERN_PROC_CWD           78      /* node: proc cwd */
#define KERN_PROC_NOBROADCASTKILL 79 /* node: proc no broadcast kill */
-#define KERN_MAXID 80 /* number of valid kern ids */
+#define KERN_HIDEPROC          80      /* int: system hide other procs */
+#define KERN_MAXID 81 /* number of valid kern ids */

 #define        CTL_KERN_NAMES { \
        { 0, 0 }, \
@@ -263,6 +264,7 @@
        { "pool_debug", CTLTYPE_INT }, \
        { "proc_cwd", CTLTYPE_NODE }, \
        { "proc_nobroadcastkill", CTLTYPE_NODE }, \
+       { "hideproc", CTLTYPE_INT }, \
 }

 /*
