On Wed, Mar 19, 2014 at 6:56 PM, Andi Kleen <a...@linux.intel.com> wrote: >> >> Why are we fixing this? > > Also sysctl writes are root only anyways. > > Protecting root against root? Seems odd.
I think you misunderstood my motivation. I don't want to protect anything here except a code auditor's mind. :) The flaw itself was entirely with Chrome OS and poor filtering of options that landed in procfs. The failure to recognize the needed filtering came from the fact that procfs writes behave in an unexpected manner. I'd still be curious to see if we could improve things at all without breaking actual uses. At least some better documentation seems warranted. -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
