On Thu, Apr 25, 2024 at 04:45:51PM -0400, Kent Overstreet wrote:
> On Thu, Apr 25, 2024 at 01:08:50PM -0700, Kees Cook wrote:
> > The /proc/allocinfo file exposes a tremendous amount of information about
> > kernel build details, memory allocations (obviously), and potentially
> > even image layout (due to ordering). As this is intended to be consumed
> > by system owners (like /proc/slabinfo), use the same file permissions as
> > there: 0400.
>
> The side effect of locking down more and more reporting interfaces is
> that programs that consume those interfaces now have to run as root.

I'm fine if you want to tie it to some existing capability, but it
shouldn't be world-readable. Also, plenty of diagnostic tools already
either run as root or open whatever files they need to before dropping
privs.

--
Kees Cook
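
The "open whatever files they need to before dropping privs" pattern from the reply above, as an added example that is not part of the original message or of any existing tool: a reader for a 0400 file such as /proc/allocinfo opens it while still root, then permanently drops to an unprivileged account and keeps using the descriptor. The helper name `open_then_drop` is hypothetical, and uid/gid 65534 is assumed to be the unprivileged "nobody" account.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Open `path` read-only while still privileged, then permanently drop to
 * uid/gid. Returns the open fd, or -1 on any failure (with the fd closed).
 * When not running as root there is nothing to drop; the open alone decides. */
int open_then_drop(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    if (geteuid() == 0) {
        /* Order matters: supplementary groups, then gid, then uid.
         * Once the uid is gone, the group calls would no longer be allowed. */
        if (setgroups(0, NULL) != 0 ||
            setresgid(gid, gid, gid) != 0 ||
            setresuid(uid, uid, uid) != 0) {
            close(fd);
            return -1;
        }
        /* A real drop must not be reversible: regaining uid 0 has to fail. */
        if (setuid(0) == 0 || geteuid() == 0) {
            close(fd);
            return -1;
        }
    }
    return fd; /* permission was checked at open(); reads keep working */
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/allocinfo";
    int fd = open_then_drop(path, 65534, 65534); /* assumed "nobody" ids */
    if (fd < 0) {
        perror(path);
        return 1;
    }
    char buf[4096];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        fwrite(buf, 1, (size_t)n, stdout);
    close(fd);
    return 0;
}
```
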