Addressing requests to /proc and /sys

Does anyone have a Red Hat linux system? They may have some other additions, you can get them with echo /proc/* | xargs -n 1 echo | sort

On Debian 11 I’ve found these additions:

/proc/dynamic_debug
/proc/keys
/proc/pressure

RH 8.2 additions:

/proc/asound

Sles 15 contains mixed of items above.

I think blocking just the string /proc/ might cause a little of FP so I’m tempted to make an exhaustive listing of our /proc filesystems to block as much as possible while steering clear of FP.

Note that we have already some proc entries in lfi-os-files.data. We have also restricted-files.data. I think the entries should be added to both (so they are blocked as REQUEST_FILENAME but also as form parameters).

We also should think of /sys/.

I think we can do with a simple text match (pmFromFile) since that is easier to maintain, and these strings seem quite technical so would be extremely rare in normal requests. (Although, I can think of a REST API that does https://example.com/api/proc/1 to retrieve a “proceeding” or “process”, so it’s an option to remove those from restricted-files.data as it may hurt APIs. I’m not totally decided about that, opinions welcome!)

The following proc and sys strings are from Ubuntu 18.04 and Ubuntu 20.04 systems. I turned the pids (e.g. /proc/1234) into 10 strings that match all possible pids. Does anyone have a Red Hat linux system? They may have some other additions, you can get them with echo /proc/* | xargs -n 1 echo | sort

/proc/0
/proc/1
/proc/2
/proc/3
/proc/4
/proc/5
/proc/6
/proc/7
/proc/8
/proc/9
/proc/acpi
/proc/buddyinfo
/proc/bus
/proc/cgroups
/proc/cmdline
/proc/config.gz
/proc/consoles
/proc/cpuinfo
/proc/crypto
/proc/devices
/proc/diskstats
/proc/dma
/proc/docker
/proc/driver
/proc/execdomains
/proc/fb
/proc/filesystems
/proc/fs
/proc/interrupts
/proc/iomem
/proc/ioports
/proc/ipmi
/proc/irq
/proc/kallsyms
/proc/kcore
/proc/key-users
/proc/keys
/proc/kmsg
/proc/kpagecgroup
/proc/kpagecount
/proc/kpageflags
/proc/latency_stats
/proc/loadavg
/proc/locks
/proc/mdstat
/proc/meminfo
/proc/misc
/proc/modules
/proc/mounts
/proc/mpt
/proc/mtrr
/proc/net
/proc/pagetypeinfo
/proc/partitions
/proc/sched_debug
/proc/schedstat
/proc/scsi
/proc/self
/proc/slabinfo
/proc/softirqs
/proc/stat
/proc/swaps
/proc/sys
/proc/sysrq-trigger
/proc/sysvipc
/proc/thread-self
/proc/timer_list
/proc/timer_stats
/proc/tty
/proc/uptime
/proc/version
/proc/version_signature
/proc/vmallocinfo
/proc/vmstat
/proc/zoneinfo
/sys/block
/sys/bus
/sys/class
/sys/dev
/sys/devices
/sys/firmware
/sys/fs
/sys/hypervisor
/sys/kernel
/sys/module
/sys/power