How to hide process arguments from other users?
A while ago, I used to use the grsecurity kernel patches, which had an option to hide process arguments from other non-root users. Basically this just made /proc/*/cmdline be mode 0600, and ps handles that gracefully by showing that the process exists but not its arguments.
This is kind of nice if someone on a multiuser machine is running, say, vi christmas-presents.txt, to use the canonical example.
Is there any supported way to do this in Ubuntu, short of installing a new kernel?
(I'm familiar with the technique that lets particular programs modify their argv, but most programs don't do that and in any case it is racy. This stackoverflow user seems to be asking the same question, but actually just seems really confused.)
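As an added example (not part of the question or of any answer in this thread), the following Python script does what ps does when it reads /proc/<pid>/cmdline and classifies each process the same way: "readable" when the arguments are exposed to the current user, "denied" when the kernel or a mount restriction refuses the read (the 0600 behaviour described above shows up as EACCES), and "gone" when the process exited mid-scan. The fake /proc tree it builds for offline use is constructed sample data, not real process information; the function and pid names are the script's own.

```python
"""Audit what /proc/<pid>/cmdline exposes to the current user.

Added example, not code from the question or the answers.  On a stock
kernel every user can read every process's argv; where cmdline is mode
0600 (the grsecurity behaviour the question mentions) the read fails with
EACCES and ps shows the process without its arguments.  This script
reports, per pid, which of those two cases applies.
"""
import os
import tempfile


def parse_cmdline(raw):
    """Split the NUL-separated argv the kernel exposes in cmdline.

    An empty file means there is no argv to show (kernel thread, or a
    zombie whose address space is gone).  A trailing NUL terminates the
    last argument and is not an extra empty argument.
    """
    if not raw:
        return []
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]


def classify_cmdline(path):
    """Return ('readable', argv), ('denied', None) or ('gone', None)."""
    try:
        with open(path, "rb") as f:
            return ("readable", parse_cmdline(f.read()))
    except PermissionError:
        return ("denied", None)   # cmdline is 0600 (or otherwise restricted)
    except (FileNotFoundError, ProcessLookupError):
        return ("gone", None)     # process exited while we were scanning


def scan_proc(root="/proc"):
    """Classify every numeric pid directory under root (default: real /proc)."""
    report = {}
    try:
        entries = os.listdir(root)
    except FileNotFoundError:
        return report             # not a Linux host: nothing to audit
    for name in entries:
        if name.isdigit():
            report[name] = classify_cmdline(os.path.join(root, name, "cmdline"))
    return report


def summarize(report):
    """Count pids per state, so 'denied' > 0 shows the hiding is in effect."""
    counts = {"readable": 0, "denied": 0, "gone": 0}
    for state, _ in report.values():
        counts[state] += 1
    return counts


def make_sample_proc():
    """Build a constructed fake /proc tree in a temp dir (sample data only)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    os.mkdir(os.path.join(root, "123"))
    with open(os.path.join(root, "123", "cmdline"), "wb") as f:
        f.write(b"vi\0christmas-presents.txt\0")     # the question's example
    os.mkdir(os.path.join(root, "456"))
    hidden = os.path.join(root, "456", "cmdline")
    with open(hidden, "wb") as f:
        f.write(b"mutt\0-f\0/home/alice/Mail/private\0")
    os.chmod(hidden, 0o000)   # stand-in for another user's 0600 cmdline
    os.mkdir(os.path.join(root, "789"))                # pid dir, no cmdline: gone
    return root


def sample_report():
    """Scan the constructed tree; used to exercise the classifier offline."""
    return scan_proc(make_sample_proc())


if __name__ == "__main__":
    rep = scan_proc()
    print(summarize(rep))
    for pid, (state, argv) in sorted(rep.items(), key=lambda kv: int(kv[0])):
        print(pid, state, " ".join(argv) if argv else "")
```

Run it as an unprivileged user on the machine in question: if every pid comes back "readable", other users' arguments are exposed exactly as the question describes; the 0600 (grsecurity) behaviour, or a per-user container with its own /proc, shows up as "denied" for processes you do not own. Note that root bypasses the mode bits, so the constructed "456" entry reads as "readable" when the script itself runs as root.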
You can stop them from accessing System Monitor and top, by changing their permissions in the Users and Groups settings. I'm not certain this will be a complete solution but it should suffice to block this from most ordinary users.
Up to and including Natty it is not possible to change the permissions on the /proc/$pid/cmdline files with the stock kernel; the permission bits are built into the kernel. Currently you would have to build a bespoke kernel with those patches applied.
If the patches are simple enough to enable this capability then it might be worth posting them to the Ubuntu Kernel Team list (kernel-team@lists.ubuntu.com) and we can consider them for inclusion in future releases.
The only way to do this currently is to put each user in a separate container (see clone with CLONE_NEWPID and CLONE_NEWNS), and mount a new /proc in the container. (lxc will do some of this for you.)
However, there are plans to port grsecurity features to the Ubuntu and upstream kernels. If you can, please sign up for something and help.