[PATCH] proc: allow restricting /proc/pid/mem writes
Mike Frysinger
vapier at chromium.org
Mon Feb 26 20:28:49 UTC 2024
(lemme try this again as plain text)
On Mon, Feb 26, 2024 at 2:24 PM Kees Cook <keescook at chromium.org> wrote:
> On Mon, Feb 26, 2024 at 09:10:54AM -0800, Doug Anderson wrote:
> > On Wed, Feb 21, 2024 at 1:06 PM Adrian Ratiu <adrian.ratiu at collabora.com> wrote:
> > + if (ptracer_capable(current, mm->user_ns) &&
>
> It really looks like you're trying to do a form of ptrace_may_access(),
> but _without_ the introspection exception?
to be clear, we want the check to be "ptracer is attached, and the
process attempting the write is the ptracer", not "does the writer
pass ptrace access checks". the latter opens up more angles,
including shellcode self-modification, that we don't want. the only
use case we have for writable mem files is for debuggers, and those
should already be attached.
-mike
More information about the Linux-security-module-archive
mailing list