[PATCH v4 3/3] prctl: Allow ptrace capable processes to change /proc/self/exe
Cyrill Gorcunov
gorcunov at gmail.com
Tue Jul 7 20:27:39 UTC 2020
On Tue, Jul 07, 2020 at 05:45:04PM +0200, Christian Brauner wrote:
...
>
> Ok, so the original patch proposal was presented in [4] in 2014. The
> final version of that patch added the PR_SET_MM_MAP we know today. The
> initial version presented in [4] did not require _any_ privilege.
>
True. I still think that relyng on /proc/<pid>/exe being immutable (or
guarded by caps) in a sake of security is a bit misleading, this link
only a hint without any guarantees of what code is being executed once
we pass cs:rip to userspace right after exec is completed. Nowadays I rather
think we might need to call audit_log() here or something similar to point
that exe link is changed (by criu or someone else) and simply notify
node's administrator, that's all. But as you pointed tomoyo may be
affected if we simply drops all caps from here. Thus I agree that
the new cap won't make situation worse.
Still I'm not in touch with kernel code for a couple of years already
and might be missing something obvious here.
More information about the Linux-security-module-archive
mailing list