proc: maps protection
The /proc/pid/ "maps", "smaps", and "numa_maps" files contain sensitive information about the memory location and usage of processes. Issues: - maps should not be world-readable, especially if programs expect any kind of ASLR protection from local attackers. - maps cannot just be 0400 because "-D_FORTIFY_SOURCE=2 -O2" makes glibc check the maps when %n is in a *printf call, and a setuid(getuid()) process wouldn't be able to read its own maps file. (For reference see http://lkml.org/lkml/2006/1/22/150) - a system-wide toggle is needed to allow prior behavior in the case of non-root applications that depend on access to the maps contents. This change implements a check using "ptrace_may_attach" before allowing access to read the maps contents. To control this protection, the new knob /proc/sys/kernel/maps_protect has been added, with corresponding updates to the procfs documentation. [akpm@linux-foundation.org: build fixes] [akpm@linux-foundation.org: New sysctl numbers are old hat] Signed-off-by: Kees Cook <kees@outflux.net> Cc: Arjan van de Ven <arjan@infradead.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Kees Cook
committed by
Linus Torvalds
Linus Torvalds
parent
4a1ccb5b1e
commit
5096add84b
@@ -37,6 +37,8 @@ do { \
|
||||
extern int nommu_vma_show(struct seq_file *, struct vm_area_struct *);
|
||||
#endif
|
||||
|
||||
extern int maps_protect;
|
||||
|
||||
extern void create_seq_entry(char *name, mode_t mode, const struct file_operations *f);
|
||||
extern int proc_exe_link(struct inode *, struct dentry **, struct vfsmount **);
|
||||
extern int proc_tid_stat(struct task_struct *, char *);
|
||||
|
||||
Reference in New Issue
Block a user