
Commit af884cd4 authored by Kees Cook, committed by Linus Torvalds

proc: report no_new_privs state

Similar to being able to examine if a process has been correctly
confined with seccomp, the state of no_new_privs is equally interesting,
so this adds it to /proc/$pid/status.

Link: http://lkml.kernel.org/r/20161103214041.GA58566@beast


Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Jann Horn <jann@thejh.net>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Rodrigo Freire <rfreire@redhat.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Cc: Robert Ho <robert.hu@intel.com>
Cc: Jerome Marchand <jmarchan@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: "Richard W.M. Jones" <rjones@redhat.com>
Cc: Joe Perches <joe@perches.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent 8f606604
+2 −0
@@ -191,6 +191,7 @@ read the file /proc/PID/status:
  CapPrm: 0000000000000000
  CapPrm: 0000000000000000
  CapEff: 0000000000000000
  CapEff: 0000000000000000
  CapBnd: ffffffffffffffff
  CapBnd: ffffffffffffffff
  NoNewPrivs:     0
  Seccomp:        0
  Seccomp:        0
  voluntary_ctxt_switches:        0
  voluntary_ctxt_switches:        0
  nonvoluntary_ctxt_switches:     1
  nonvoluntary_ctxt_switches:     1
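Review bot: the sample output now shows "NoNewPrivs: 0" immediately above "Seccomp: 0", which matches the emission order in task_seccomp(), but nothing near the example says that the NoNewPrivs line is printed regardless of CONFIG_SECCOMP while the Seccomp line only appears when CONFIG_SECCOMP is set (see the #ifdef in the fs/proc/array.c hunk). A one-line remark beside the example, or in the Table 1-2 row, would stop readers who write status-file parsers from assuming the two lines always appear together.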
@@ -262,6 +263,7 @@ Table 1-2: Contents of the status files (as of 4.1)
 CapPrm                      bitmap of permitted capabilities
 CapPrm                      bitmap of permitted capabilities
 CapEff                      bitmap of effective capabilities
 CapEff                      bitmap of effective capabilities
 CapBnd                      bitmap of capabilities bounding set
 CapBnd                      bitmap of capabilities bounding set
 NoNewPrivs                  no_new_privs, like prctl(PR_GET_NO_NEW_PRIV, ...)
 Seccomp                     seccomp mode, like prctl(PR_GET_SECCOMP, ...)
 Seccomp                     seccomp mode, like prctl(PR_GET_SECCOMP, ...)
 Cpus_allowed                mask of CPUs on which this process may run
 Cpus_allowed                mask of CPUs on which this process may run
 Cpus_allowed_list           Same as previous, but in "list format"
 Cpus_allowed_list           Same as previous, but in "list format"
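Review bot: the prctl operation named in the new NoNewPrivs row is misspelled: the real constant is PR_GET_NO_NEW_PRIVS (trailing S), the counterpart of PR_SET_NO_NEW_PRIVS, so the row should read `NoNewPrivs                  no_new_privs, like prctl(PR_GET_NO_NEW_PRIVS, ...)`. The caption "Table 1-2: Contents of the status files (as of 4.1)" is also left as-is even though this row is new; either bump the version in the caption or mark the row as newer than 4.1.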
+3 −2
@@ -342,10 +342,11 @@ static inline void task_cap(struct seq_file *m, struct task_struct *p)


static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
{
{
	seq_put_decimal_ull(m, "NoNewPrivs:\t", task_no_new_privs(p));
#ifdef CONFIG_SECCOMP
#ifdef CONFIG_SECCOMP
	seq_put_decimal_ull(m, "Seccomp:\t", p->seccomp.mode);
	seq_put_decimal_ull(m, "\nSeccomp:\t", p->seccomp.mode);
	seq_putc(m, '\n');
#endif
#endif
	seq_putc(m, '\n');
}
}


static inline void task_context_switch_counts(struct seq_file *m,
static inline void task_context_switch_counts(struct seq_file *m,
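Review bot: the newline rearrangement in task_seccomp() is correct but deserves a comment: seq_put_decimal_ull() writes no line terminator, so moving the '\n' to the front of the "Seccomp:\t" prefix and keeping a single seq_putc(m, '\n') after the #endif produces "NoNewPrivs:\t<n>\n" alone when CONFIG_SECCOMP is off and "NoNewPrivs:\t<n>\nSeccomp:\t<m>\n" otherwise; a reader skimming the #ifdef could easily think the no-seccomp case loses its newline. The function name task_seccomp() now understates what it prints, so either rename it or add a short comment noting that NoNewPrivs is reported unconditionally via task_no_new_privs(p).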