Date: Mon, 7 Jan 2019 09:35:51 +0100
From: Greg KH
To: Lev Olshvang
Cc: kernelnewbies
Subject: Re: mount /proc at boot as read-only
Message-ID: <20190107083551.GA23284@kroah.com>
In-Reply-To: <28484691546798406@myt4-415a3339794b.qloud-c.yandex.net>

On Sun, Jan 06, 2019 at 09:13:26PM +0300, Lev Olshvang wrote:
>
> Hello all,
>
> I am trying to harden the embedded system.

Please define exactly what you mean by "harden".

> Is it possible and safe to mount /proc file system in a read-only mode and how to do this?

Why would you want /proc to be read-only? What is that going to protect
you from? What is insecure in there as-is?

> I have embedded system with systemd where /proc is mounted rw.

Odds are your system needs this that way. If not, then why mount proc
at all? Why not just disable the proc filesystem from your kernel
entirely and not even worry about it at all?

thanks,

greg k-h

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies