#!/bin/sh
# Copyright 2015-2022 Rivoreo
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
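# On hosts where getenforce reports an SELinux mode, shadow mount and umount
# with wrappers that put the system into permissive mode around the real
# /bin/mount or /bin/umount call and switch it back afterwards.
#
# Security note: setenforce 0 is system-wide, not scoped to this script.
# While a wrapper runs, SELinux policy is not enforced for any process on the
# host. A signal that kills the shell between the two setenforce calls still
# leaves the system permissive. Defenders should treat unexpected
# Enforcing -> Permissive -> Enforcing flips as worth investigating.
case "$(getenforce 2> /dev/null)" in
  Enforcing|Permissive)
    # Run /bin/mount with the caller's arguments; returns its exit status.
    mount() {
      local changed_selinux r
      # Explicit reset: some shells let a bare `local` inherit an outer value.
      changed_selinux=
      if [ "$(getenforce 2> /dev/null)" = Enforcing ] && setenforce 0 > /dev/null 2>&1; then
        changed_selinux=1
      fi
      # Capture the status with || so that an active `set -e` cannot abort the
      # shell on a failed mount and skip restoring enforcing mode below.
      r=0
      /bin/mount "$@" || r=$?
      if [ -n "$changed_selinux" ] && ! setenforce 1 > /dev/null 2>&1; then
        # Do not hide this: the host is now running without SELinux enforcement.
        printf '%s\n' "mount: could not restore SELinux enforcing mode" >&2
      fi
      return $r
    }
    # Run /bin/umount with the caller's arguments; returns its exit status.
    umount() {
      local changed_selinux r
      # Explicit reset: some shells let a bare `local` inherit an outer value.
      changed_selinux=
      if [ "$(getenforce 2> /dev/null)" = Enforcing ] && setenforce 0 > /dev/null 2>&1; then
        changed_selinux=1
      fi
      # Same `set -e` protection as in mount(): always reach the restore step.
      r=0
      /bin/umount "$@" || r=$?
      if [ -n "$changed_selinux" ] && ! setenforce 1 > /dev/null 2>&1; then
        # Do not hide this: the host is now running without SELinux enforcement.
        printf '%s\n' "umount: could not restore SELinux enforcing mode" >&2
      fi
      return $r
    }
    ;;
esac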
# Main script: every two seconds, cover the /proc/<pid> directory of selected
# processes with an empty read-only tmpfs, and unmount covers whose process no
# longer exists.
#
# Defender notes (observable artefacts of this script):
#  - The mount table gains tmpfs entries with source name "systemd-1" mounted
#    directly on /proc/<pid>. NOTE(review): the name resembles the source
#    systemd uses for its autofs mount points, but here the type is tmpfs.
#  - A covered /proc/<pid> lists as an empty directory, so tools that walk
#    /proc cannot read that process's exe, cmdline or stat.
#  - On SELinux hosts, mount and umount below are the wrapper functions
#    defined earlier in this file, so each call may toggle enforcement.

# Setup must succeed: abort on the first failing command.
set -e
# Ignore SIGHUP so the loop keeps running after the terminal goes away.
trap "" HUP
# Bind this shell's own task directory over its own /proc/<pid>. Afterwards
# /proc/$$ lists thread ids, so /proc/$$/$$ exists as a directory.
mount --bind /proc/$$/task /proc/$$
proc_path=/proc/$$/$$
# Mount a second proc instance there. The cleanup pass below consults it for
# /proc/<pid>/stat, which the tmpfs covers on the main /proc would hide.
mount -t proc proc $proc_path
# Double quotes: $proc_path and $$ are expanded now, not when the trap fires.
trap "umount $proc_path /proc/$$" EXIT
# From here on, failures are expected and tolerated.
set +e
while true; do
# Pass 1: look at the executable of every process visible in /proc.
for f in /proc/*/exe; do
# NOTE(review): break ends the whole pass at the first non-symlink entry
# (for example an unmatched glob); later entries are not examined.
[ -h "$f" ] || break
case "`readlink $f`" in
# fakeroot-ng itself, including when its binary has been deleted on disk.
*/fakeroot-ng|*"/fakeroot-ng (deleted)")
# "${f%exe}" is the process's /proc/<pid>/ directory.
mount -t tmpfs systemd-1 -o size=0,mode=555,ro "${f%exe}" > /dev/null 2>&1
;;
# sudo, only when its command line mentions fakeroot-ng.
*/sudo)
if grep -Fq fakeroot-ng "${f%exe}cmdline"; then
mount -t tmpfs systemd-1 -o size=0,mode=555,ro "${f%exe}" > /dev/null 2>&1
fi
;;
# script, only when its command line contains " export SHELL=".
*/script)
if grep -Fq " export SHELL=" "${f%exe}cmdline"; then
mount -t tmpfs systemd-1 -o size=0,mode=555,ro "${f%exe}" > /dev/null 2>&1
fi
;;
esac
done
# Pass 2: walk the mount table as seen by PID 1 and remove stale mounts.
while read -r line; do
# Deliberately unquoted: split the line into its whitespace-separated fields.
set -- $line
# Skip lines that do not have exactly six fields.
[ $# != 6 ] && continue
# $1 is the mount source and $2 the mount point. Pattern order matters:
# "*" in a case pattern also matches "/", so the narrower patterns come first.
case "$2" in
/proc/*/cmdline)
# Likely to fail, no workaround available
[ -f "${2%cmdline}stat" ] || umount "$2" > /dev/null 2>&1
;;
# Anything else below a /proc/<x>/ directory is left alone; this includes
# the private proc mount at /proc/$$/$$.
/proc/*/*)
;;
# This script's own bind mount is left alone.
/proc/$$)
;;
/proc/*)
case "$1" in
# Only mounts whose source is "proc" or "systemd-1" are considered.
proc|systemd-1)
pid="${2#/proc/}"
# The private proc mount still shows live processes; if the pid has no stat
# file there, the process has exited and its cover is unmounted.
[ -f "$proc_path/$pid/stat" ] || umount "$2" > /dev/null 2>&1
;;
esac
;;
esac
done < /proc/1/mounts
# Sleep in the background and wait on it; presumably so a trapped signal is
# handled without waiting for sleep to finish.
sleep 2 & wait $!
done