diff options
author | Kees Cook <kees@outflux.net> | 2007-05-08 03:26:04 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-05-08 14:15:02 -0400 |
commit | 5096add84b9e96e2e0a9c72675c442fe5433388a (patch) | |
tree | f0444013cb7db32596d2b6febafc1ee4c2a4ea1f /kernel | |
parent | 4a1ccb5b1eff949a90ab830869cb23d6609c3d5f (diff) |
proc: maps protection
The /proc/pid/ "maps", "smaps", and "numa_maps" files contain sensitive
information about the memory location and usage of processes. Issues:
- maps should not be world-readable, especially if programs expect any
kind of ASLR protection from local attackers.
- maps cannot just be 0400 because "-D_FORTIFY_SOURCE=2 -O2" makes glibc
check the maps when %n is in a *printf call, and a setuid(getuid())
process wouldn't be able to read its own maps file. (For reference
see http://lkml.org/lkml/2006/1/22/150)
- a system-wide toggle is needed to allow prior behavior in the case of
non-root applications that depend on access to the maps contents.
This change implements a check using "ptrace_may_attach" before allowing
access to read the maps contents. To control this protection, the new knob
/proc/sys/kernel/maps_protect has been added, with corresponding updates to
the procfs documentation.
[akpm@linux-foundation.org: build fixes]
[akpm@linux-foundation.org: New sysctl numbers are old hat]
Signed-off-by: Kees Cook <kees@outflux.net>
Cc: Arjan van de Ven <arjan@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/sysctl.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/kernel/sysctl.c b/kernel/sysctl.c index c904748f2290..f0664bd5011c 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c | |||
@@ -76,6 +76,7 @@ extern int pid_max_min, pid_max_max; | |||
76 | extern int sysctl_drop_caches; | 76 | extern int sysctl_drop_caches; |
77 | extern int percpu_pagelist_fraction; | 77 | extern int percpu_pagelist_fraction; |
78 | extern int compat_log; | 78 | extern int compat_log; |
79 | extern int maps_protect; | ||
79 | 80 | ||
80 | /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */ | 81 | /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */ |
81 | static int maxolduid = 65535; | 82 | static int maxolduid = 65535; |
@@ -603,6 +604,16 @@ static ctl_table kern_table[] = { | |||
603 | .proc_handler = &proc_dointvec, | 604 | .proc_handler = &proc_dointvec, |
604 | }, | 605 | }, |
605 | #endif | 606 | #endif |
607 | #ifdef CONFIG_PROC_FS | ||
608 | { | ||
609 | .ctl_name = CTL_UNNUMBERED, | ||
610 | .procname = "maps_protect", | ||
611 | .data = &maps_protect, | ||
612 | .maxlen = sizeof(int), | ||
613 | .mode = 0644, | ||
614 | .proc_handler = &proc_dointvec, | ||
615 | }, | ||
616 | #endif | ||
606 | 617 | ||
607 | { .ctl_name = 0 } | 618 | { .ctl_name = 0 } |
608 | }; | 619 | }; |