From 6b651319664a013260bab4997e2a21364458eb3b Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Mon, 10 Jan 2022 08:35:05 -0500
Subject: [PATCH] TT#157800 support file mode mask for /proc interface
The per-table /proc files may contain sensitive information. Add an optional file mode mask to apply to the top directly to hide it from unprivileged users.
Change-Id: I3ec02739e0d97e53c8628259922ccf64ddfa8415
---
 debian/ngcp-rtpengine-iptables-setup | 4 ++++
 kernel-module/xt_RTPENGINE.c | 7 +++++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/debian/ngcp-rtpengine-iptables-setup b/debian/ngcp-rtpengine-iptables-setup
index 3b9045db7..23e108d90 100755
--- a/debian/ngcp-rtpengine-iptables-setup
+++ b/debian/ngcp-rtpengine-iptables-setup
@@ -29,6 +29,10 @@ if ! test -z "$SET_GROUP"; then
 test -z "$PGID" || MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_gid=$PGID"
 fi
+if ! test -z "$SET_MASK"; then
+ MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_mask=$SET_MASK"
+fi
+
 ###
 if [ -x "$(which ngcp-virt-identify 2>/dev/null)" ]; then
diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c
index 5b96678ce..36d59acbb 100644
--- a/kernel-module/xt_RTPENGINE.c
+++ b/kernel-module/xt_RTPENGINE.c
@@ -180,11 +180,14 @@ static uint proc_uid = 0;
 module_param(proc_uid, uint, 0);
 MODULE_PARM_DESC(proc_uid, "rtpengine procfs tree user id");
-
 static kgid_t proc_kgid;
 static uint proc_gid = 0;
 module_param(proc_gid, uint, 0);
 MODULE_PARM_DESC(proc_gid, "rtpengine procfs tree group id");
+
+static int proc_mask;
+module_param(proc_mask, hexint, 0);
+MODULE_PARM_DESC(proc_mask, "rtpengine procfs tree mode mask");
 #endif
 static uint stream_packets_list_limit = 10;
@@ -779,7 +782,7 @@ static int table_create_proc(struct rtpengine_table *t, uint32_t id) {
 sprintf(num, "%u", id);
- t->proc_root = proc_mkdir_user(num, S_IRUGO | S_IXUGO, my_proc_root);
+ t->proc_root = proc_mkdir_user(num, (S_IRUGO | S_IXUGO) & ~proc_mask, my_proc_root);
 if (!t->proc_root)
 return -1;
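Review bot: `$SET_MASK` is appended to the modprobe options unvalidated, and the kernel parses a `hexint` parameter with automatic base detection, so `77` is read as decimal while `077` is octal. An administrator who writes the mask like a umask without the leading zero would clear unintended bits, possibly including the owner's search bit on the per-table directory. Consider accepting only octal digits and forcing the base, e.g. `case "$SET_MASK" in *[!0-7]*) echo "SET_MASK must be octal" >&2; exit 1;; esac` followed by `proc_mask=0$SET_MASK`. The expected form should also be documented wherever `SET_MASK` is configured, which is outside this hunk.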
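Review bot: `proc_mask` is declared `static int` but registered as `hexint`, which is an unsigned-int parameter type, while the neighbouring `proc_uid` and `proc_gid` are `uint`. Declaring it `static uint proc_mask;` matches what the parameter parser writes and keeps `~proc_mask` an unsigned operation. The description could also state what the value means, e.g. `"rtpengine procfs tree mode mask (permission bits to clear, e.g. 0077)"`. As far as I know `hexint` exists only on newer kernels, so if older ones are supported `uint` may be needed instead; that is worth confirming against the supported kernel range.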
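Review bot: The mask in the `proc_mkdir_user()` call narrows only the per-table directory, so everything below it stays hidden only while that directory's read and search bits are cleared for unprivileged users. A comment at the call would make this explicit: `/* proc_mask only narrows this directory; entries below keep their own modes and rely on it not being searchable */`. Owner bits in the mask are honoured too, so a value such as 0700 removes the owner's access. If that is not intended, restrict it with `& ~(proc_mask & (S_IRWXG | S_IRWXO))`. The rest of table_create_proc is outside the hunk, so how the child entries are created is not visible here.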