| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9ce0c222-c80c-4049-8746-d74e612c3030@infradead.org> Date: Fri, 24 May 2024 22:49:54 -0700 From: Randy Dunlap <rdunlap@...radead.org> To: Adrian Ratiu <adrian.ratiu@...labora.com>, linux-fsdevel@...r.kernel.org Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org, linux-doc@...r.kernel.org, kernel@...labora.com, gbiv@...gle.com, ryanbeltran@...gle.com, inglorion@...gle.com, ajordanr@...gle.com, jorgelo@...omium.org, Guenter Roeck <groeck@...omium.org>, Doug Anderson <dianders@...omium.org>, Kees Cook <keescook@...omium.org>, Jann Horn <jannh@...gle.com>, Andrew Morton <akpm@...ux-foundation.org>, Christian Brauner <brauner@...nel.org>, Mike Frysinger <vapier@...omium.org> Subject: Re: [PATCH v4 2/2] proc: restrict /proc/pid/mem Hi-- On 5/24/24 12:28 PM, Adrian Ratiu wrote: > diff --git a/security/Kconfig b/security/Kconfig > index 412e76f1575d..0cd73f848b5a 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -183,6 +183,74 @@ config STATIC_USERMODEHELPER_PATH > If you wish for all usermode helper programs to be disabled, > specify an empty string here (i.e. ""). > > +menu "Procfs mem restriction options" > + > +config PROC_MEM_RESTRICT_FOLL_FORCE_DEFAULT > + bool "Restrict all FOLL_FORCE flag usage" > + default n > + help > + Restrict all FOLL_FORCE usage during /proc/*/mem RW. > + Debuggerg like GDB require using FOLL_FORCE for basic Debuggers > + functionality. > + > +config PROC_MEM_RESTRICT_FOLL_FORCE_PTRACE_DEFAULT > + bool "Restrict FOLL_FORCE usage except for ptracers" > + default n > + help > + Restrict FOLL_FORCE usage during /proc/*/mem RW, except > + for ptracer processes. Debuggerg like GDB require using Debuggers > + FOLL_FORCE for basic functionality. > + > +config PROC_MEM_RESTRICT_OPEN_READ_DEFAULT > + bool "Restrict all open() read access" > + default n > + help > + Restrict all open() read access to /proc/*/mem files. > + Use with caution: this can break init systems, debuggers, > + container supervisors and other tasks using /proc/*/mem. > + > +config PROC_MEM_RESTRICT_OPEN_READ_PTRACE_DEFAULT > + bool "Restrict open() for reads except for ptracers" > + default n > + help > + Restrict open() read access except for ptracer processes. > + Use with caution: this can break init systems, debuggers, > + container supervisors and other non-ptrace capable tasks > + using /proc/*/mem. > + > +config PROC_MEM_RESTRICT_OPEN_WRITE_DEFAULT > + bool "Restrict all open() write access" > + default n > + help > + Restrict all open() write access to /proc/*/mem files. > + Debuggers like GDB and some container supervisors tasks > + require opening as RW and may break. > + > +config PROC_MEM_RESTRICT_OPEN_WRITE_PTRACE_DEFAULT > + bool "Restrict open() for writes except for ptracers" > + default n > + help > + Restrict open() write access except for ptracer processes, > + usually debuggers. > + > +config PROC_MEM_RESTRICT_WRITE_DEFAULT > + bool "Restrict all write() calls" > + default n > + help > + Restrict all /proc/*/mem direct write calls. > + Open calls with RW modes are still allowed, this blocks > + just the write() calls. > + > +config PROC_MEM_RESTRICT_WRITE_PTRACE_DEFAULT > + bool "Restrict write() calls except for ptracers" > + default n > + help > + Restrict /proc/*/mem direct write calls except for ptracer processes. > + Open calls with RW modes are still allowed, this blocks just > + the write() calls. > + > +endmenu -- #Randy https://people.kernel.org/tglx/notes-about-netiquette https://subspace.kernel.org/etiquette.html
Powered by blists - more mailing lists