kernel-hardening - Re: [PATCH] proc: prevent a task from writing on its own /proc/*/mem

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Sat, 26 May 2018 18:48:19 +0300
From: Alexey Dobriyan <adobriyan@...il.com>
To: Salvatore Mesoraca <s.mesoraca16@...il.com>
Cc: kernel-hardening@...ts.openwall.com,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-mm@...ck.org, Andrew Morton <akpm@...ux-foundation.org>,
	Akinobu Mita <akinobu.mita@...il.com>,
	Dmitry Vyukov <dvyukov@...gle.com>, Arnd Bergmann <arnd@...db.de>,
	Davidlohr Bueso <dave@...olabs.net>,
	Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH] proc: prevent a task from writing on its own /proc/*/mem

On Sat, May 26, 2018 at 04:50:46PM +0200, Salvatore Mesoraca wrote:
> Prevent a task from opening, in "write" mode, any /proc/*/mem
> file that operates on the task's mm.
> /proc/*/mem is mainly a debugging means and, as such, it shouldn't
> be used by the inspected process itself.
> Current implementation always allow a task to access its own
> /proc/*/mem file.
> A process can use it to overwrite read-only memory, making
> pointless the use of security_file_mprotect() or other ways to
> enforce RO memory.

You can do it in security_ptrace_access_check() or security_file_open()

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.