diff options
author | Kees Cook <kees@outflux.net> | 2007-05-08 03:26:04 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-05-08 14:15:02 -0400 |
commit | 5096add84b9e96e2e0a9c72675c442fe5433388a (patch) | |
tree | f0444013cb7db32596d2b6febafc1ee4c2a4ea1f /Documentation/filesystems | |
parent | 4a1ccb5b1eff949a90ab830869cb23d6609c3d5f (diff) |
proc: maps protection
The /proc/pid/ "maps", "smaps", and "numa_maps" files contain sensitive
information about the memory location and usage of processes. Issues:
- maps should not be world-readable, especially if programs expect any
kind of ASLR protection from local attackers.
- maps cannot just be 0400 because "-D_FORTIFY_SOURCE=2 -O2" makes glibc
check the maps when %n is in a *printf call, and a setuid(getuid())
process wouldn't be able to read its own maps file. (For reference
see http://lkml.org/lkml/2006/1/22/150)
- a system-wide toggle is needed to allow prior behavior in the case of
non-root applications that depend on access to the maps contents.
This change implements a check using "ptrace_may_attach" before allowing
access to read the maps contents. To control this protection, the new knob
/proc/sys/kernel/maps_protect has been added, with corresponding updates to
the procfs documentation.
[akpm@linux-foundation.org: build fixes]
[akpm@linux-foundation.org: New sysctl numbers are old hat]
Signed-off-by: Kees Cook <kees@outflux.net>
Cc: Arjan van de Ven <arjan@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'Documentation/filesystems')
-rw-r--r-- | Documentation/filesystems/proc.txt | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt index 3f4b226572e7..4f3e84c520a5 100644 --- a/Documentation/filesystems/proc.txt +++ b/Documentation/filesystems/proc.txt | |||
@@ -1138,6 +1138,13 @@ determine whether or not they are still functioning properly. | |||
1138 | Because the NMI watchdog shares registers with oprofile, by disabling the NMI | 1138 | Because the NMI watchdog shares registers with oprofile, by disabling the NMI |
1139 | watchdog, oprofile may have more registers to utilize. | 1139 | watchdog, oprofile may have more registers to utilize. |
1140 | 1140 | ||
1141 | maps_protect | ||
1142 | ------------ | ||
1143 | |||
1144 | Enables/Disables the protection of the per-process proc entries "maps" and | ||
1145 | "smaps". When enabled, the contents of these files are visible only to | ||
1146 | readers that are allowed to ptrace() the given process. | ||
1147 | |||
1141 | 1148 | ||
1142 | 2.4 /proc/sys/vm - The virtual memory subsystem | 1149 | 2.4 /proc/sys/vm - The virtual memory subsystem |
1143 | ----------------------------------------------- | 1150 | ----------------------------------------------- |