[Devel] patch suggestion for CONFIG_GRKERNSEC_PROC_IPADDR

Iavor Stoev iavor at icdsoft.com
Mon Nov 3 07:34:04 PST 2008


Hello,

I'm pretty happy that the OpenVZ team have ported some of the grsecurity
features, but the current OpenVZ patch lacks many grsecurity features and
one of them, very small but very useful for my setup, is
CONFIG_GRKERNSEC_PROC_IPADDR or /proc/$PID/ipaddr support.
I made a patch that enables that feature for the patch-ovz006.4-combined patch.
It isn't very pretty but it works on my systems.
I will be very happy if you introduce that grsecurity feature in some
of your next OpenVZ releases.

About the CONFIG_GRKERNSEC_PROC_IPADDR feature, this is the info for it
from the grsecurity help:

If you say Y here, a new entry will be added to each /proc/<pid>
directory that contains the IP address of the person using the task.
The IP is carried across local TCP and AF_UNIX stream sockets.
This information can be useful for IDS/IPSes to perform remote response
to a local attack.  The entry is readable by only the owner of the
process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
the RBAC system), and thus does not create privacy concerns.


Thank You

Iavor Stoev
System Administrator at ICDSoft Ltd

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openvz-ipaddr.patch
URL: <http://lists.openvz.org/pipermail/devel/attachments/20081103/73af46a9/attachment-0001.ksh>
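Worked example, added here and not part of Iavor Stoev's post or of the attached patch: an IDS-side responder that, given the PID of a process flagged as hostile, reads /proc/<pid>/ipaddr and builds a firewall rule against the remote address, which is the "remote response to a local attack" the help text describes. It assumes the entry holds a single IPv4 dotted-quad line and that an empty entry or 0.0.0.0 means the task has no recorded origin address (both are assumptions, not stated on the page); the PROC_ROOT override, build_fake_proc() and demo_results() exist only so the example runs offline on a constructed /proc tree.

```python
"""Added example (not the post's or the patch's own code): react to an
IDS alert on a local PID by looking up its origin IP in /proc/<pid>/ipaddr
and emitting a firewall rule.  Assumes a grsecurity-style ipaddr entry
holding one IPv4 dotted-quad line (assumption, not stated on the page)."""
import ipaddress
import os
import tempfile
from typing import Dict, Optional

PROC_ROOT = "/proc"  # overridable so the example can run against a fake tree


def parse_ipaddr_text(raw: str) -> Optional[ipaddress.IPv4Address]:
    """Parse the contents of an ipaddr entry.

    Assumption: an empty entry or 0.0.0.0 means the task was not started
    from a network connection (e.g. a console login), so it yields None.
    Anything that is not a valid IPv4 address also yields None rather than
    raising, because an automated responder must not crash on odd input."""
    text = raw.strip()
    if not text:
        return None
    try:
        ip = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None
    if ip.is_unspecified:  # 0.0.0.0
        return None
    return ip


def read_task_ip(pid: int, proc_root: str = PROC_ROOT) -> Optional[ipaddress.IPv4Address]:
    """Read /proc/<pid>/ipaddr.  The entry is readable only by the task owner
    (or CAP_DAC_OVERRIDE), so EACCES is treated like a missing entry."""
    path = os.path.join(proc_root, str(pid), "ipaddr")
    try:
        with open(path) as f:
            return parse_ipaddr_text(f.read())
    except (FileNotFoundError, PermissionError, NotADirectoryError):
        return None


def block_rule(ip: ipaddress.IPv4Address) -> Optional[str]:
    """Build an iptables rule for the origin address.  Loopback, multicast
    and unspecified addresses are refused: blocking them would let a local
    attacker turn the responder against the host itself."""
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return None
    return f"iptables -I INPUT -s {ip} -j DROP"


def respond_to_alert(pid: int, proc_root: str = PROC_ROOT) -> Optional[str]:
    """Rule to apply for an alert on `pid`, or None if nothing safe to do."""
    ip = read_task_ip(pid, proc_root)
    if ip is None:
        return None
    return block_rule(ip)


def build_fake_proc(root: str, entries: Dict[int, str]) -> None:
    """Construct a fake /proc tree (test fixture, not a real kernel)."""
    for pid, content in entries.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "ipaddr"), "w") as f:
            f.write(content)


def demo_results() -> Dict[int, Optional[str]]:
    """Run the responder over constructed sample entries and return the
    rule (or None) chosen for each PID."""
    samples = {
        4242: "203.0.113.7\n",   # remote origin: block it
        4243: "0.0.0.0\n",       # no recorded origin (console login)
        4244: "127.0.0.1\n",     # loopback: never block
        4245: "not-an-ip\n",     # garbage: ignore
    }
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp, samples)
        pids = list(samples) + [9999]  # 9999 has no entry at all
        return {pid: respond_to_alert(pid, tmp) for pid in pids}


if __name__ == "__main__":
    for pid, rule in demo_results().items():
        print(pid, rule)
```

The responder deliberately returns None instead of raising for every odd case (absent entry, permission denied, empty or unparsable text, loopback), since an IPS that blocks on bad input is itself a denial-of-service lever; in a real deployment the rule string would be handed to a privileged helper rather than built and executed in the same process.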