TT#157800 support file mode mask for /proc interface

The per-table /proc files may contain sensitive information. Add an
optional file mode mask to apply to the top directly to hide it from
unprivileged users.

Change-Id: I3ec02739e0d97e53c8628259922ccf64ddfa8415

debian/ngcp-rtpengine-iptables-setup

@@ -29,6 +29,10 @@ if ! test -z "$SET_GROUP"; then
   test -z "$PGID" || MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_gid=$PGID"
 fi
 
+if ! test -z "$SET_MASK"; then
+  MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_mask=$SET_MASK"
+fi
+
 ###
 
 if [ -x "$(which ngcp-virt-identify 2>/dev/null)" ]; then

kernel-module/xt_RTPENGINE.c

@@ -180,11 +180,14 @@ static uint proc_uid = 0;
 module_param(proc_uid, uint, 0);
 MODULE_PARM_DESC(proc_uid, "rtpengine procfs tree user id");
 
-
 static kgid_t proc_kgid;
 static uint proc_gid = 0;
 module_param(proc_gid, uint, 0);
 MODULE_PARM_DESC(proc_gid, "rtpengine procfs tree group id");
+
+static int proc_mask;
+module_param(proc_mask, hexint, 0);
+MODULE_PARM_DESC(proc_mask, "rtpengine procfs tree mode mask");
 #endif
 
 static uint stream_packets_list_limit = 10;
@@ -779,7 +782,7 @@ static int table_create_proc(struct rtpengine_table *t, uint32_t id) {
 
 	sprintf(num, "%u", id);
 
-	t->proc_root = proc_mkdir_user(num, S_IRUGO | S_IXUGO, my_proc_root);
+	t->proc_root = proc_mkdir_user(num, (S_IRUGO | S_IXUGO) & ~proc_mask, my_proc_root);
 	if (!t->proc_root)
 		return -1;