aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/filesystems
diff options
context:
space:
mode:
authorKees Cook <kees@outflux.net>2007-05-08 03:26:04 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-05-08 14:15:02 -0400
commit5096add84b9e96e2e0a9c72675c442fe5433388a (patch)
treef0444013cb7db32596d2b6febafc1ee4c2a4ea1f /Documentation/filesystems
parent4a1ccb5b1eff949a90ab830869cb23d6609c3d5f (diff)
proc: maps protection
The /proc/pid/ "maps", "smaps", and "numa_maps" files contain sensitive information about the memory location and usage of processes. Issues: - maps should not be world-readable, especially if programs expect any kind of ASLR protection from local attackers. - maps cannot just be 0400 because "-D_FORTIFY_SOURCE=2 -O2" makes glibc check the maps when %n is in a *printf call, and a setuid(getuid()) process wouldn't be able to read its own maps file. (For reference see http://lkml.org/lkml/2006/1/22/150) - a system-wide toggle is needed to allow prior behavior in the case of non-root applications that depend on access to the maps contents. This change implements a check using "ptrace_may_attach" before allowing access to read the maps contents. To control this protection, the new knob /proc/sys/kernel/maps_protect has been added, with corresponding updates to the procfs documentation. [akpm@linux-foundation.org: build fixes] [akpm@linux-foundation.org: New sysctl numbers are old hat] Signed-off-by: Kees Cook <kees@outflux.net> Cc: Arjan van de Ven <arjan@infradead.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'Documentation/filesystems')
-rw-r--r--Documentation/filesystems/proc.txt7
1 files changed, 7 insertions, 0 deletions
diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt
index 3f4b226572e7..4f3e84c520a5 100644
--- a/Documentation/filesystems/proc.txt
+++ b/Documentation/filesystems/proc.txt
@@ -1138,6 +1138,13 @@ determine whether or not they are still functioning properly.
1138Because the NMI watchdog shares registers with oprofile, by disabling the NMI 1138Because the NMI watchdog shares registers with oprofile, by disabling the NMI
1139watchdog, oprofile may have more registers to utilize. 1139watchdog, oprofile may have more registers to utilize.
1140 1140
1141maps_protect
1142------------
1143
1144Enables/Disables the protection of the per-process proc entries "maps" and
1145"smaps". When enabled, the contents of these files are visible only to
1146readers that are allowed to ptrace() the given process.
1147
1141 1148
11422.4 /proc/sys/vm - The virtual memory subsystem 11492.4 /proc/sys/vm - The virtual memory subsystem
1143----------------------------------------------- 1150-----------------------------------------------