| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240717205335.GA3632@sol.localdomain> Date: Wed, 17 Jul 2024 13:53:35 -0700 From: Eric Biggers <ebiggers@...nel.org> To: Adrian Ratiu <adrian.ratiu@...labora.com> Cc: linux-fsdevel@...r.kernel.org, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org, kernel@...labora.com, gbiv@...gle.com, inglorion@...gle.com, ajordanr@...gle.com, Doug Anderson <dianders@...omium.org>, Jeff Xu <jeffxu@...gle.com>, Jann Horn <jannh@...gle.com>, Kees Cook <kees@...nel.org>, Christian Brauner <brauner@...nel.org>, Linus Torvalds <torvalds@...ux-foundation.org> Subject: Re: [PATCH] proc: add config to block FOLL_FORCE in mem writes On Wed, Jul 17, 2024 at 02:13:58PM +0300, Adrian Ratiu wrote: > +config SECURITY_PROC_MEM_RESTRICT_FOLL_FORCE > + bool "Remove FOLL_FORCE usage from /proc/pid/mem writes" > + default n > + help > + This restricts FOLL_FORCE flag usage in procfs mem write calls > + because it bypasses memory permission checks and can be used by > + attackers to manipulate process memory contents that would be > + otherwise protected. > + > + Enabling this will break GDB, gdbserver and other debuggers > + which require FOLL_FORCE for basic functionalities. > + > + If you are unsure how to answer this question, answer N. FOLL_FORCE is an internal flag, and people who aren't kernel developers aren't going to know what it is. Could this option be named and documented in a way that would be more understandable to people who aren't kernel developers? What is the effect on how /proc/pid/mem behaves? - Eric
Powered by blists - more mailing lists