diff --git a/fs/proc/generic.c b/fs/proc/generic.c index 10090d9..91dc403 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include "internal.h" @@ -451,6 +452,15 @@ struct dentry *proc_lookup(struct inode *dir, struct dentry *dentry, return proc_lookup_de(PDE(dir), dir, dentry); } +struct dentry *proc_lookup_restrict(struct inode *dir, struct dentry *dentry, + struct nameidata *nd) +{ + if (gr_proc_is_restricted()) + return ERR_PTR(-EACCES); + + return proc_lookup_de(PDE(dir), dir, dentry); +} + /* * This returns non-zero if at EOF, so that the /proc * root directory can use this and check if it should @@ -532,6 +542,16 @@ int proc_readdir(struct file *filp, void *dirent, filldir_t filldir) return proc_readdir_de(PDE(inode), filp, dirent, filldir); } +int proc_readdir_restrict(struct file *filp, void *dirent, filldir_t filldir) +{ + struct inode *inode = filp->f_path.dentry->d_inode; + + if (gr_proc_is_restricted()) + return -EACCES; + + return proc_readdir_de(PDE(inode), filp, dirent, filldir); +} + /* * These are the generic /proc directory operations. They * use the in-memory "struct proc_dir_entry" tree to parse @@ -543,6 +563,12 @@ static const struct file_operations proc_dir_operations = { .readdir = proc_readdir, }; +static const struct file_operations proc_dir_restricted_operations = { + .llseek = generic_file_llseek, + .read = generic_read_dir, + .readdir = proc_readdir_restrict, +}; + /* * proc directories can do almost nothing.. */ @@ -552,6 +578,12 @@ static const struct inode_operations proc_dir_inode_operations = { .setattr = proc_notify_change, }; +static const struct inode_operations proc_dir_restricted_inode_operations = { + .lookup = proc_lookup_restrict, + .getattr = proc_getattr, + .setattr = proc_notify_change, +}; + static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp) { unsigned int i; @@ -564,8 +596,13 @@ static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp if (S_ISDIR(dp->mode)) { if (dp->proc_iops == NULL) { - dp->proc_fops = &proc_dir_operations; - dp->proc_iops = &proc_dir_inode_operations; + if (dp->restricted) { + dp->proc_fops = &proc_dir_restricted_operations; + dp->proc_iops = &proc_dir_restricted_inode_operations; + } else { + dp->proc_fops = &proc_dir_operations; + dp->proc_iops = &proc_dir_inode_operations; + } } dir->nlink++; } else if (S_ISLNK(dp->mode)) { @@ -675,6 +712,23 @@ struct proc_dir_entry *proc_mkdir_mode(const char *name, mode_t mode, } EXPORT_SYMBOL(proc_mkdir_mode); +struct proc_dir_entry *proc_mkdir_mode_restrict(const char *name, mode_t mode, + struct proc_dir_entry *parent) +{ + struct proc_dir_entry *ent; + + ent = __proc_create(&parent, name, S_IFDIR | mode, 2); + if (ent) { + ent->restricted = 1; + if (proc_register(parent, ent) < 0) { + kfree(ent); + ent = NULL; + } + } + return ent; +} +EXPORT_SYMBOL(proc_mkdir_mode_restrict); + struct proc_dir_entry *proc_net_mkdir(struct net *net, const char *name, struct proc_dir_entry *parent) { @@ -683,6 +737,7 @@ struct proc_dir_entry *proc_net_mkdir(struct net *net, const char *name, ent = __proc_create(&parent, name, S_IFDIR | S_IRUGO | S_IXUGO, 2); if (ent) { ent->data = net; + ent->restricted = 1; if (proc_register(parent, ent) < 0) { kfree(ent); ent = NULL; @@ -699,6 +754,13 @@ struct proc_dir_entry *proc_mkdir(const char *name, } EXPORT_SYMBOL(proc_mkdir); +struct proc_dir_entry *proc_mkdir_restrict(const char *name, + struct proc_dir_entry *parent) +{ + return proc_mkdir_mode_restrict(name, S_IRUGO | S_IXUGO, parent); +} +EXPORT_SYMBOL(proc_mkdir_restrict); + struct proc_dir_entry *create_proc_entry(const char *name, mode_t mode, struct proc_dir_entry *parent) { diff --git a/fs/proc/internal.h b/fs/proc/internal.h index 29697de..9efa574 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@ -127,7 +127,9 @@ struct inode *proc_get_inode(struct super_block *, struct proc_dir_entry *); * of the /proc/ subdirectories. */ int proc_readdir(struct file *, void *, filldir_t); +int proc_readdir_restrict(struct file *, void *, filldir_t); struct dentry *proc_lookup(struct inode *, struct dentry *, struct nameidata *); +struct dentry *proc_lookup_restrict(struct inode *, struct dentry *, struct nameidata *); diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c index 226e98e..867e17d 100644 --- a/fs/proc/proc_net.c +++ b/fs/proc/proc_net.c @@ -33,6 +33,8 @@ static struct net *get_proc_net(const struct inode *inode) return maybe_get_net(PDE_NET(PDE(inode))); } +extern const struct seq_operations dev_seq_ops; + int seq_open_net(struct inode *ino, struct file *f, const struct seq_operations *ops, int size) { @@ -41,6 +43,10 @@ int seq_open_net(struct inode *ino, struct file *f, BUG_ON(size < sizeof(*p)); + /* only permit access to /proc/net/dev */ + if (ops != &dev_seq_ops && gr_proc_is_restricted()) + return -EACCES; + net = get_proc_net(ino); if (net == NULL) return -ENXIO; @@ -63,6 +69,9 @@ int single_open_net(struct inode *inode, struct file *file, int err; struct net *net; + if (gr_proc_is_restricted()) + return -EACCES; + err = -ENXIO; net = get_proc_net(inode); if (net == NULL) @@ -106,17 +115,6 @@ static struct net *get_proc_task_net(struct inode *dir) struct task_struct *task; struct nsproxy *ns; struct net *net = NULL; -#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) - const struct cred *cred = current_cred(); -#endif - -#ifdef CONFIG_GRKERNSEC_PROC_USER - if (cred->fsuid) - return net; -#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) - if (cred->fsuid && !in_group_p(grsec_proc_gid)) - return net; -#endif rcu_read_lock(); task = pid_task(proc_pid(dir), PIDTYPE_PID); diff --git a/fs/seq_file.c b/fs/seq_file.c index 4e25536..cb3437c 100644 --- a/fs/seq_file.c +++ b/fs/seq_file.c @@ -10,6 +10,7 @@ #include #include #include +#include #include #include @@ -66,6 +67,16 @@ int seq_open(struct file *file, const struct seq_operations *op) } EXPORT_SYMBOL(seq_open); + +int seq_open_restrict(struct file *file, const struct seq_operations *op) +{ + if (gr_proc_is_restricted()) + return -EACCES; + + return seq_open(file, op); +} +EXPORT_SYMBOL(seq_open_restrict); + static int traverse(struct seq_file *m, loff_t offset) { loff_t pos = 0, index; @@ -587,6 +598,17 @@ int single_open(struct file *file, int (*show)(struct seq_file *, void *), } EXPORT_SYMBOL(single_open); +int single_open_restrict(struct file *file, int (*show)(struct seq_file *, void *), + void *data) +{ + if (gr_proc_is_restricted()) + return -EACCES; + + return single_open(file, show, data); +} +EXPORT_SYMBOL(single_open_restrict); + + int single_release(struct inode *inode, struct file *file) { const struct seq_operations *op = ((struct seq_file *)file->private_data)->op; diff --git a/grsecurity/Makefile b/grsecurity/Makefile index 5307c8a..30ababb 100644 --- a/grsecurity/Makefile +++ b/grsecurity/Makefile @@ -21,7 +21,7 @@ KBUILD_CFLAGS += -Werror obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \ grsec_mount.o grsec_sig.o grsec_sysctl.o \ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \ - grsec_usb.o grsec_ipc.o + grsec_usb.o grsec_ipc.o grsec_proc.o obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \ diff --git a/grsecurity/grsec_proc.c b/grsecurity/grsec_proc.c new file mode 100644 index 0000000..381864d --- /dev/null +++ b/grsecurity/grsec_proc.c @@ -0,0 +1,20 @@ +#include +#include +#include +#include + +int gr_proc_is_restricted(void) +{ +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + const struct cred *cred = current_cred(); +#endif + +#ifdef CONFIG_GRKERNSEC_PROC_USER + if (cred->fsuid) + return -EACCES; +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + if (cred->fsuid && !in_group_p(grsec_proc_gid)) + return -EACCES; +#endif + return 0; +} diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h index f253c0e..053a2fa 100644 --- a/include/linux/grsecurity.h +++ b/include/linux/grsecurity.h @@ -64,6 +64,8 @@ umode_t gr_acl_umask(void); int gr_tpe_allow(const struct file *file); +int gr_proc_is_restricted(void); + void gr_set_chroot_entries(struct task_struct *task, struct path *path); void gr_clear_chroot_entries(struct task_struct *task); diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h index 1bd456a..c9bfc32 100644 --- a/include/linux/proc_fs.h +++ b/include/linux/proc_fs.h @@ -74,6 +74,7 @@ struct proc_dir_entry { struct completion *pde_unload_completion; struct list_head pde_openers; /* who did ->open, but not ->release */ spinlock_t pde_unload_lock; /* proc_fops checks and pde_users bumps */ + u8 restricted; /* a directory in /proc/net that should be restricted via GRKERNSEC_PROC */ u8 namelen; char name[]; } __randomize_layout; @@ -146,6 +147,7 @@ extern void proc_device_tree_update_prop(struct proc_dir_entry *pde, extern struct proc_dir_entry *proc_symlink(const char *, struct proc_dir_entry *, const char *); extern struct proc_dir_entry *proc_mkdir(const char *,struct proc_dir_entry *); +extern struct proc_dir_entry *proc_mkdir_restrict(const char *,struct proc_dir_entry *); extern struct proc_dir_entry *proc_mkdir_mode(const char *name, mode_t mode, struct proc_dir_entry *parent); diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h index b2ffa4c..39a6b09 100644 --- a/include/linux/seq_file.h +++ b/include/linux/seq_file.h @@ -80,6 +80,7 @@ static inline void seq_commit(struct seq_file *m, int num) char *mangle_path(char *s, char *p, char *esc); int seq_open(struct file *, const struct seq_operations *); +int seq_open_restrict(struct file *, const struct seq_operations *); ssize_t seq_read(struct file *, char __user *, size_t, loff_t *); loff_t seq_lseek(struct file *, loff_t, int); int seq_release(struct inode *, struct file *); @@ -121,6 +122,7 @@ static inline int seq_nodemask_list(struct seq_file *m, nodemask_t *mask) } int single_open(struct file *, int (*)(struct seq_file *, void *), void *); +int single_open_restrict(struct file *, int (*)(struct seq_file *, void *), void *); int single_release(struct inode *, struct file *); void *__seq_open_private(struct file *, const struct seq_operations *, int); int seq_open_private(struct file *, const struct seq_operations *, int); diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c index b5b1a22..700277b 100644 --- a/net/appletalk/atalk_proc.c +++ b/net/appletalk/atalk_proc.c @@ -255,7 +255,7 @@ int __init atalk_proc_init(void) struct proc_dir_entry *p; int rc = -ENOMEM; - atalk_proc_dir = proc_mkdir("atalk", init_net.proc_net); + atalk_proc_dir = proc_mkdir_restrict("atalk", init_net.proc_net); if (!atalk_proc_dir) goto out; diff --git a/net/can/bcm.c b/net/can/bcm.c index 3910c1f..268b30e 100644 --- a/net/can/bcm.c +++ b/net/can/bcm.c @@ -1618,7 +1618,7 @@ static int __init bcm_module_init(void) } /* create /proc/net/can-bcm directory */ - proc_dir = proc_mkdir("can-bcm", init_net.proc_net); + proc_dir = proc_mkdir_restrict("can-bcm", init_net.proc_net); return 0; } diff --git a/net/can/proc.c b/net/can/proc.c index ba873c3..3b00036 100644 --- a/net/can/proc.c +++ b/net/can/proc.c @@ -472,7 +472,7 @@ static void can_remove_proc_readentry(const char *name) void can_init_proc(void) { /* create /proc/net/can directory */ - can_dir = proc_mkdir("can", init_net.proc_net); + can_dir = proc_mkdir_restrict("can", init_net.proc_net); if (!can_dir) { printk(KERN_INFO "can: failed to create /proc/net/can . " diff --git a/net/core/dev.c b/net/core/dev.c index 15d6bb8..3bb8e78 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -4189,7 +4189,13 @@ static void dev_seq_printf_stats(struct seq_file *seq, struct net_device *dev) struct rtnl_link_stats64 temp; const struct rtnl_link_stats64 *stats = dev_get_stats(dev, &temp); - seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu " + if (gr_proc_is_restricted()) + seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu " + "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n", + dev->name, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, + 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL); + else + seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu " "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n", dev->name, stats->rx_bytes, stats->rx_packets, stats->rx_errors, @@ -4264,7 +4270,7 @@ static int softnet_seq_show(struct seq_file *seq, void *v) return 0; } -static const struct seq_operations dev_seq_ops = { +const struct seq_operations dev_seq_ops = { .start = dev_seq_start, .next = dev_seq_next, .stop = dev_seq_stop, @@ -4294,7 +4300,7 @@ static const struct seq_operations softnet_seq_ops = { static int softnet_seq_open(struct inode *inode, struct file *file) { - return seq_open(file, &softnet_seq_ops); + return seq_open_restrict(file, &softnet_seq_ops); } static const struct file_operations softnet_seq_fops = { diff --git a/net/core/pktgen.c b/net/core/pktgen.c index 80aeac9..b08d0a8 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -3726,7 +3726,7 @@ static int __init pg_init(void) pr_info("%s", version); - pg_proc_dir = proc_mkdir(PG_PROC_DIR, init_net.proc_net); + pg_proc_dir = proc_mkdir_restrict(PG_PROC_DIR, init_net.proc_net); if (!pg_proc_dir) return -ENODEV; diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index a639967..8f44480 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -707,7 +707,7 @@ static int __init clusterip_tg_init(void) goto cleanup_target; #ifdef CONFIG_PROC_FS - clusterip_procdir = proc_mkdir("ipt_CLUSTERIP", init_net.proc_net); + clusterip_procdir = proc_mkdir_restrict("ipt_CLUSTERIP", init_net.proc_net); if (!clusterip_procdir) { pr_err("Unable to proc dir entry\n"); ret = -ENOMEM; diff --git a/net/ipv4/route.c b/net/ipv4/route.c index c682a62..843be03 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -551,7 +551,7 @@ static const struct seq_operations rt_cpu_seq_ops = { static int rt_cpu_seq_open(struct inode *inode, struct file *file) { - return seq_open(file, &rt_cpu_seq_ops); + return seq_open_restrict(file, &rt_cpu_seq_ops); } static const struct file_operations rt_cpu_seq_fops = { @@ -589,7 +589,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v) static int rt_acct_proc_open(struct inode *inode, struct file *file) { - return single_open(file, rt_acct_proc_show, NULL); + return single_open_restrict(file, rt_acct_proc_show, NULL); } static const struct file_operations rt_acct_proc_fops = { diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c index 1008ce9..db7ea62 100644 --- a/net/ipv6/proc.c +++ b/net/ipv6/proc.c @@ -307,7 +307,7 @@ static int __net_init ipv6_proc_init_net(struct net *net) if (!proc_net_fops_create(net, "snmp6", S_IRUGO, &snmp6_seq_fops)) goto proc_snmp6_fail; - net->mib.proc_net_devsnmp6 = proc_mkdir("dev_snmp6", net->proc_net); + net->mib.proc_net_devsnmp6 = proc_mkdir_restrict("dev_snmp6", net->proc_net); if (!net->mib.proc_net_devsnmp6) goto proc_dev_snmp6_fail; return 0; diff --git a/net/ipx/ipx_proc.c b/net/ipx/ipx_proc.c index f8ba30d..927a4aa 100644 --- a/net/ipx/ipx_proc.c +++ b/net/ipx/ipx_proc.c @@ -289,7 +289,7 @@ int __init ipx_proc_init(void) struct proc_dir_entry *p; int rc = -ENOMEM; - ipx_proc_dir = proc_mkdir("ipx", init_net.proc_net); + ipx_proc_dir = proc_mkdir_restrict("ipx", init_net.proc_net); if (!ipx_proc_dir) goto out; diff --git a/net/irda/irproc.c b/net/irda/irproc.c index b9ac598..f88cc56 100644 --- a/net/irda/irproc.c +++ b/net/irda/irproc.c @@ -66,7 +66,7 @@ void __init irda_proc_register(void) { int i; - proc_irda = proc_mkdir("irda", init_net.proc_net); + proc_irda = proc_mkdir_restrict("irda", init_net.proc_net); if (proc_irda == NULL) return; diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c index a1839c0..4e06b9b 100644 --- a/net/llc/llc_proc.c +++ b/net/llc/llc_proc.c @@ -247,7 +247,7 @@ int __init llc_proc_init(void) int rc = -ENOMEM; struct proc_dir_entry *p; - llc_proc_dir = proc_mkdir("llc", init_net.proc_net); + llc_proc_dir = proc_mkdir_restrict("llc", init_net.proc_net); if (!llc_proc_dir) goto out; diff --git a/net/netfilter/core.c b/net/netfilter/core.c index afca6c7..594a841 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -269,7 +269,7 @@ void __init netfilter_init(void) } #ifdef CONFIG_PROC_FS - proc_net_netfilter = proc_mkdir("netfilter", init_net.proc_net); + proc_net_netfilter = proc_mkdir_restrict("netfilter", init_net.proc_net); if (!proc_net_netfilter) panic("cannot create netfilter proc entry"); #endif diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index 8f3f280..3f68faf 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c @@ -755,11 +755,11 @@ static int __net_init hashlimit_proc_net_init(struct net *net) { struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); - hashlimit_net->ipt_hashlimit = proc_mkdir("ipt_hashlimit", net->proc_net); + hashlimit_net->ipt_hashlimit = proc_mkdir_restrict("ipt_hashlimit", net->proc_net); if (!hashlimit_net->ipt_hashlimit) return -ENOMEM; #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) - hashlimit_net->ip6t_hashlimit = proc_mkdir("ip6t_hashlimit", net->proc_net); + hashlimit_net->ip6t_hashlimit = proc_mkdir_restrict("ip6t_hashlimit", net->proc_net); if (!hashlimit_net->ip6t_hashlimit) { proc_net_remove(net, "ipt_hashlimit"); return -ENOMEM; diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c index d2ff15a..cdeb1f2 100644 --- a/net/netfilter/xt_recent.c +++ b/net/netfilter/xt_recent.c @@ -574,7 +574,7 @@ static int __net_init recent_proc_net_init(struct net *net) { struct recent_net *recent_net = recent_pernet(net); - recent_net->xt_recent = proc_mkdir("xt_recent", net->proc_net); + recent_net->xt_recent = proc_mkdir_restrict("xt_recent", net->proc_net); if (!recent_net->xt_recent) return -ENOMEM; return 0; diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c index d52dc47..a10ccad 100644 --- a/net/sctp/protocol.c +++ b/net/sctp/protocol.c @@ -109,7 +109,7 @@ static __init int sctp_proc_init(void) goto out_nomem; #ifdef CONFIG_PROC_FS if (!proc_net_sctp) { - proc_net_sctp = proc_mkdir("sctp", init_net.proc_net); + proc_net_sctp = proc_mkdir_restrict("sctp", init_net.proc_net); if (!proc_net_sctp) goto out_free_percpu; } diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c index 237a2ee..947e9db 100644 --- a/net/sunrpc/cache.c +++ b/net/sunrpc/cache.c @@ -1587,7 +1587,7 @@ static int create_cache_proc_entries(struct cache_detail *cd, struct net *net) struct sunrpc_net *sn; sn = net_generic(net, sunrpc_net_id); - cd->u.procfs.proc_ent = proc_mkdir(cd->name, sn->proc_net_rpc); + cd->u.procfs.proc_ent = proc_mkdir_restrict(cd->name, sn->proc_net_rpc); if (cd->u.procfs.proc_ent == NULL) goto out_nomem; cd->u.procfs.channel_ent = NULL; diff --git a/net/sunrpc/stats.c b/net/sunrpc/stats.c index 80df89d..2056196 100644 --- a/net/sunrpc/stats.c +++ b/net/sunrpc/stats.c @@ -262,7 +262,7 @@ int rpc_proc_init(struct net *net) dprintk("RPC: registering /proc/net/rpc\n"); sn = net_generic(net, sunrpc_net_id); - sn->proc_net_rpc = proc_mkdir("rpc", net->proc_net); + sn->proc_net_rpc = proc_mkdir_restrict("rpc", net->proc_net); if (sn->proc_net_rpc == NULL) return -ENOMEM; diff --git a/net/wanrouter/wanproc.c b/net/wanrouter/wanproc.c index c43612e..dd69d0c 100644 --- a/net/wanrouter/wanproc.c +++ b/net/wanrouter/wanproc.c @@ -289,7 +289,7 @@ static const struct file_operations wandev_fops = { int __init wanrouter_proc_init(void) { struct proc_dir_entry *p; - proc_router = proc_mkdir(ROUTER_NAME, init_net.proc_net); + proc_router = proc_mkdir_restrict(ROUTER_NAME, init_net.proc_net); if (!proc_router) goto fail; diff --git a/net/x25/x25_proc.c b/net/x25/x25_proc.c index 2ffde46..76f0432 100644 --- a/net/x25/x25_proc.c +++ b/net/x25/x25_proc.c @@ -217,7 +217,7 @@ int __init x25_proc_init(void) struct proc_dir_entry *p; int rc = -ENOMEM; - x25_proc_dir = proc_mkdir("x25", init_net.proc_net); + x25_proc_dir = proc_mkdir_restrict("x25", init_net.proc_net); if (!x25_proc_dir) goto out;