[grsec] info still visible in /proc

Carlos Carvalho carlos at fisica.ufpr.br
Mon Jan 21 10:38:46 EST 2008


Kernel 2.6.22.16, grsec grsecurity-2.1.11-2.6.22.9-200710101250.patch.

I configured grsec to limit /proc access to group 0 only:

CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=0
CONFIG_GRKERNSEC_PROC_ADD=y

However, some things that [I think] should be hidden are not:

hoggar% cd /proc
hoggar%/proc ls
31699  7254       crypto       ide         mdstat      stat           version
31706  7261       devices      interrupts  meminfo     swaps          vmstat
32074  8411       diskstats    iomem       misc        sys            zoneinfo
32079  8654       dma          ioports     mounts      sysrq-trigger
32081  buddyinfo  driver       irq         net         sysvipc
32093  bus        execdomains  kmsg        partitions  timer_list
5460   cmdline    filesystems  loadavg     self        tty
5842   cpuinfo    fs           locks       slabinfo    uptime
hoggar%/proc ls bus
ls: bus: Permission denied
hoggar%/proc ls driver 
rtc
hoggar%/proc ls fs
ls: fs: Permission denied

This is fine but

hoggar%/proc cd fs
hoggar%/proc/fs ls
ls: .: Permission denied

Should cd be allowed?

hoggar%/proc/fs cd nfs
hoggar%/proc/fs/nfs ls
exports

oops...

hoggar%/proc/fs/nfs cd ../nfsd
hoggar%/proc/fs/nfsd ls
exports  filehandle  max_block_size  pool_threads  portlist  threads  versions

oops...

hoggar%/proc/fs/nfsd ls -l
total 0
-r--r--r-- 1 root root 0 2008-01-20 18:56 exports
-rw------- 1 root root 0 2008-01-20 18:56 filehandle
-rw-r--r-- 1 root root 0 2008-01-20 18:56 max_block_size
-rw------- 1 root root 0 2008-01-20 18:56 pool_threads
-rw-r--r-- 1 root root 0 2008-01-20 18:56 portlist
-rw------- 1 root root 0 2008-01-20 18:56 threads
-rw------- 1 root root 0 2008-01-20 18:56 versions

and looking at exports shows everything!

Is this behavior expected? I'd prefer that all this info is not shown.


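The transcript above shows a directory (/proc/fs) that refuses "ls" but still permits "cd", so any entry whose name is already known (fs/nfsd/exports) can be opened and read. The small audit script below is an added example, not code from the post or from grsecurity; it probes a /proc-style tree as the current user and reports, per path, whether a directory is listable, traversable but not listable, or denied, and it flags paths whose content is readable although a directory on the way to them cannot be listed. The function names (probe_path, leak_via_search_only, proc_audit) and the path list are assumptions chosen to match the entries in the report; run it as an unprivileged user, since root bypasses the permission checks.

```shell
#!/bin/sh
# Added example (not from the original post or from grsecurity).
# Probes what the *current* user can reach under a /proc-style directory.

# probe_path BASE RELPATH -> one of:
#   missing | dir:listable | dir:traverse-only | dir:denied
#   file:readable | file:denied
probe_path() {
    p="$1/$2"
    if [ ! -e "$p" ] && [ ! -L "$p" ]; then
        echo "missing"
        return 0
    fi
    if [ -d "$p" ]; then
        if [ -r "$p" ] && [ -x "$p" ]; then
            echo "dir:listable"
        elif [ -x "$p" ]; then
            # search bit only: names are hidden from ls, known names still resolve
            echo "dir:traverse-only"
        else
            echo "dir:denied"
        fi
    elif [ -r "$p" ]; then
        echo "file:readable"
    else
        echo "file:denied"
    fi
}

# leak_via_search_only BASE RELPATH -> exit 0 when RELPATH is readable even
# though at least one directory on the way to it cannot be listed. This is the
# pattern from the report: /proc/fs denies "ls" but /proc/fs/nfsd/exports is
# readable by anyone who already knows the name.
leak_via_search_only() {
    base="$1"
    rel="$2"
    [ -r "$base/$rel" ] || return 1
    leak=1                      # shell false until a hidden ancestor is found
    walk="$base"
    parent=$(dirname "$rel")
    if [ "$parent" != "." ]; then
        old_ifs=$IFS
        IFS=/
        for comp in $parent; do
            walk="$walk/$comp"
            [ -r "$walk" ] || leak=0
        done
        IFS=$old_ifs
    fi
    return $leak
}

# proc_audit BASE -> one line per probed path, plus a LEAK marker where a
# readable entry sits below a directory that hides its listing.
proc_audit() {
    base="${1:-/proc}"
    # Hypothetical probe list taken from the entries mentioned in the report.
    for rel in bus driver fs fs/nfs fs/nfs/exports fs/nfsd fs/nfsd/exports \
               fs/nfsd/filehandle fs/nfsd/versions; do
        status=$(probe_path "$base" "$rel")
        if leak_via_search_only "$base" "$rel"; then
            printf '%s\t%s\tLEAK: readable below an unlistable directory\n' \
                "$rel" "$status"
        else
            printf '%s\t%s\n' "$rel" "$status"
        fi
    done
}

# Usage: sh proc_audit.sh /proc   (as a user outside the CONFIG_GRKERNSEC_PROC_GID group)
if [ "$#" -gt 0 ]; then
    proc_audit "$1"
fi
```

A "LEAK" line means the configuration hides directory names but not the content of entries that are already known, which is exactly the case with exports above; deciding whether that is acceptable is a policy question for the proc GID setting, but the script makes the gap visible instead of relying on "ls" alone.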