mem: use more restrictive permissions on hugepages
authorRobin Jarry <robin.jarry@6wind.com>
Wed, 10 Aug 2016 14:52:54 +0000 (16:52 +0200)
committerThomas Monjalon <thomas.monjalon@6wind.com>
Fri, 16 Sep 2016 12:51:27 +0000 (14:51 +0200)
There is no need for the page files to be readable (and executable) by
other users. This can be exploited by non-privileged users to access the
working memory of a DPDK app.

Open the files with 0600.

Signed-off-by: Robin Jarry <robin.jarry@6wind.com>
lib/librte_eal/linuxapp/eal/eal_memory.c

index 992a1b1..612626c 100644 (file)
@@ -442,7 +442,7 @@ map_all_hugepages(struct hugepage_file *hugepg_tbl,
 #endif
 
                /* try to create hugepage file */
-               fd = open(hugepg_tbl[i].filepath, O_CREAT | O_RDWR, 0755);
+               fd = open(hugepg_tbl[i].filepath, O_CREAT | O_RDWR, 0600);
                if (fd < 0) {
                        RTE_LOG(DEBUG, EAL, "%s(): open failed: %s\n", __func__,
                                        strerror(errno));
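Review bot: The 0600 mode on the changed `open()` line in map_all_hugepages only takes effect when `O_CREAT` actually creates the file, so a hugepage file left by an earlier run with 0755 keeps its old permissions and stays readable by other users. Whether stale files are removed before this point is not visible in the hunk. If they are not, tighten the mode after a successful open, for example `if (fchmod(fd, 0600) < 0) { close(fd); return -1; }` with the error path adapted to the function's own handling. The `open()` in remap_all_hugepages in the second hunk has the same gap. Both function bodies extend beyond the hunks shown.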
@@ -581,7 +581,7 @@ remap_all_hugepages(struct hugepage_file *hugepg_tbl, struct hugepage_info *hpi)
                                hugepg_tbl[page_idx].file_id);
 
                /* try to create hugepage file */
-               fd = open(filepath, O_CREAT | O_RDWR, 0755);
+               fd = open(filepath, O_CREAT | O_RDWR, 0600);
                if (fd < 0) {
                        RTE_LOG(ERR, EAL, "%s(): open failed: %s\n", __func__, strerror(errno));
                        return -1;