[PATCH] proc: add config to block FOLL_FORCE in mem writes
Kees Cook
kees at kernel.org
Wed Jul 17 17:22:58 UTC 2024
On Wed, Jul 17, 2024 at 02:13:58PM +0300, Adrian Ratiu wrote:
> This simple Kconfig option removes the FOLL_FORCE flag from
> procfs write calls because it can be abused.
For this to be available for general distros, I still want to have a
bootparam to control this, otherwise this mitigation will never see much
testing as most kernel deployments don't build their own kernels. A
simple __ro_after_init variable can be used.
In the future if folks want a more flexible version, we could make this
a one-way per-process flag, like no_new_privs.
--
Kees Cook
More information about the Linux-security-module-archive
mailing list