From: valdis.kletnieks@vt.edu
To: Lev Olshvang
Cc: kernelnewbies
Subject: Re: mount /proc at boot as read-only
Date: Sun, 06 Jan 2019 17:45:33 -0500
Message-ID: <11334.1546814733@turing-police.cc.vt.edu>
In-reply-to: <28484691546798406@myt4-415a3339794b.qloud-c.yandex.net>

On Sun, 06 Jan 2019 21:13:26 +0300, Lev Olshvang said:

> I am trying to harden the embedded system.
> I have an embedded system with systemd .....

OK, you've already got a problem right there. It's an embedded system. Therefore, you know everything that should be running, and what order it should start in. If you don't already know that, you have bigger design issues.

So you probably want to reduce system complexity and save both RAM and flash memory space by heaving systemd over the side and using something simpler (sysvinit, or upstart, or even use '/bin/make' if you want to guarantee that certain tasks don't start till others have actually launched successfully, or use a custom-written system launcher).

That's going to do more to reduce the attack surface than any amount of monkeying around with the permissions in /proc will do.

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
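The "/bin/make as a system launcher" idea from the reply above, as an added illustration that is not part of the original thread: each boot step is a make target that leaves a stamp file only when its command succeeded, so a dependent step is never attempted on top of a step that failed. The service names, the /run/started stamp directory, the interface name and the sample address are all assumptions.

```makefile
# Added example, not from the mailing-list thread: a dependency-ordered boot
# launcher driven by make. Invoke from a tiny PID-1 shim as, for instance:
#   make -f /etc/boot.mk -j4 boot
# make runs independent targets in parallel and, when a recipe exits non-zero,
# abandons that target and every target that depends on it.
STAMP := /run/started            # assumed location for per-step stamp files

.PHONY: boot
boot: $(STAMP)/sshd $(STAMP)/app

# Order-only prerequisite: the stamp directory must exist, but its timestamp
# must not force every step to re-run.
$(STAMP):
	mkdir -p $@

# Mount proc read-only (what the original poster asked about) with the usual
# nosuid/nodev/noexec restrictions; the stamp is only written if mount succeeded.
$(STAMP)/proc: | $(STAMP)
	mount -t proc -o ro,nosuid,nodev,noexec proc /proc
	touch $@

# Network depends on proc being present; eth0 and 192.0.2.10/24 are constructed
# sample values for an embedded board.
$(STAMP)/network: $(STAMP)/proc
	ip link set eth0 up
	ip addr add 192.0.2.10/24 dev eth0
	touch $@

# sshd forks into the background but exits non-zero on a bad config or missing
# host key, so a broken sshd never gets a stamp and "boot" fails visibly.
$(STAMP)/sshd: $(STAMP)/network
	/usr/sbin/sshd
	touch $@

# The application (assumed name) needs both proc and the network; with -j4 it
# starts as soon as those two stamps exist, concurrently with sshd.
$(STAMP)/app: $(STAMP)/proc $(STAMP)/network
	/usr/bin/app --daemon
	touch $@
```

Because the stamps live under /run, a reboot clears them and every step runs again; re-invoking make on a running system only retries the steps whose stamp is missing.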