• Kees Cook's avatar
    proc: maps protection · 5096add8
    Kees Cook authored
    The /proc/pid/ "maps", "smaps", and "numa_maps" files contain sensitive
    information about the memory location and usage of processes.  Issues:
    
    - maps should not be world-readable, especially if programs expect any
      kind of ASLR protection from local attackers.
    - maps cannot just be 0400 because "-D_FORTIFY_SOURCE=2 -O2" makes glibc
      check the maps when %n is in a *printf call, and a setuid(getuid())
      process wouldn't be able to read its own maps file.  (For reference
      see http://lkml.org/lkml/2006/1/22/150)
    - a system-wide toggle is needed to allow prior behavior in the case of
      non-root applications that depend on access to the maps contents.
    
    This change implements a check using "ptrace_may_attach" before allowing
    access to read the maps contents.  To control this protection, the new knob
    /proc/sys/kernel/maps_protect has been added, with corresponding updates to
    the procfs documentation.
    
    [akpm@linux-foundation.org: build fixes]
    [akpm@linux-foundation.org: New sysctl numbers are old hat]
    Signed-off-by: default avatarKees Cook <kees@outflux.net>
    Cc: Arjan van de Ven <arjan@infradead.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    5096add8
base.c 57.5 KB