Writes to /proc/self/mem and file_mprotect() LSM hook

Igor Zhbanov izh1979 at gmail.com
Tue Aug 24 09:25:00 UTC 2021


There are several ways to write data to a write-protected page. For example,
a process can write to /proc/self/mem to change read-only or even executable
pages: https://offlinemark.com/2021/05/12/an-obscure-quirk-of-proc/

In this case, the kernel code will map the physical page with another access
mode and change the data (the FOLL_FORCE flag will ignore the access check). The
problem is that no security hooks are called in this case. For example, the
file_mprotect() LSM hook was designed to intercept a process' attempts to
remap memory pages. In particular, SELinux and IMA control whether a process
is trying to make a code page writable. And this method allows bypassing it.

Therefore, my question is, should all page modifications that ignore the
protection mode call an LSM hook prior to temporarily remapping the page?
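As an added illustration (not part of the original message), the probe below is the kind of self-test a policy maintainer can run to check whether the FOLL_FORCE path described above actually reaches a page the process itself mapped PROT_READ, i.e. whether an LSM or IMA policy that intercepts mprotect() also covers this write path. It assumes Linux with /proc mounted; the function name probe_proc_self_mem_write is made up here.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if the byte changed (the write bypassed the page protection),
 * 0 if the kernel or an LSM refused the write, -1 on setup failure.
 * Hypothetical helper written for this example, not kernel or LSM code. */
int probe_proc_self_mem_write(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0) return -1;
    /* Private anonymous page: fill it while writable, then make it read-only. */
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    page[0] = 0x41;
    if (mprotect(page, pagesz, PROT_READ) != 0) { munmap(page, pagesz); return -1; }

    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0) { munmap(page, pagesz); return -1; }
    unsigned char newval = 0x42;
    /* The file offset is the virtual address; mem_rw() uses FOLL_FORCE here,
     * so no page fault and no file_mprotect() hook is involved. */
    ssize_t n = pwrite(fd, &newval, 1, (off_t)(uintptr_t)page);
    int saved_errno = errno;
    close(fd);
    int changed = (n == 1 && page[0] == newval);
    munmap(page, pagesz);
    if (!changed && n < 0)
        fprintf(stderr, "write refused: %s\n", strerror(saved_errno));
    return changed ? 1 : 0;
}

int main(void)
{
    int r = probe_proc_self_mem_write();
    printf("/proc/self/mem write to a PROT_READ page: %s\n",
           r == 1 ? "succeeded (protection not enforced on this path)" :
           r == 0 ? "refused" : "setup error");
    return r < 0;
}
```

On a stock kernel without a policy covering this path the probe reports "succeeded"; a "refused" result is what a mitigation such as the LSM hook discussed above would produce.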
