Re: [PATCH v6 2/2] proc: restrict /proc/pid/mem

2024-06-19 Thread Adrian Ratiu
On Wednesday, June 19, 2024 23:41 EEST, Kees Cook wrote: > On Tue, Jun 18, 2024 at 03:39:44PM -0700, Jeff Xu wrote: > > Hi > > > > Thanks for the patch ! > > > > On Thu, Jun 13, 2024 at 6:40 AM Adrian Ratiu > > wrote: > > > > > > P

Re: [PATCH v6 1/2] proc: pass file instead of inode to proc_mem_open

2024-06-17 Thread Adrian Ratiu
On Monday, June 17, 2024 11:48 EEST, Christian Brauner wrote: > On Thu, Jun 13, 2024 at 04:39:36PM GMT, Adrian Ratiu wrote: > > The file struct is required in proc_mem_open() so its > > f_mode can be checked when deciding whether to allow or > > deny /proc/*/mem open requ

[PATCH v6 1/2] proc: pass file instead of inode to proc_mem_open

2024-06-13 Thread Adrian Ratiu
inside it. Cc: Jann Horn Cc: Kees Cook Cc: Christian Brauner Cc: Jeff Xu Signed-off-by: Adrian Ratiu Reviewed-by: Kees Cook --- No changes in v6 --- fs/proc/base.c | 6 +++--- fs/proc/internal.h | 2 +- fs/proc/task_mmu.c | 6 +++--- fs/proc/task_nommu.c | 2 +- 4 files changed, 8

[PATCH v6 2/2] proc: restrict /proc/pid/mem

2024-06-13 Thread Adrian Ratiu
[1] Link: https://issues.chromium.org/issues/40089045 [2] Cc: Guenter Roeck Cc: Doug Anderson Cc: Kees Cook Cc: Jann Horn Cc: Andrew Morton Cc: Randy Dunlap Cc: Christian Brauner Cc: Jeff Xu Co-developed-by: Mike Frysinger Signed-off-by: Mike Frysinger Signed-off-by: Adrian Ratiu --- Changes

Re: [PATCH v5 2/2] proc: restrict /proc/pid/mem

2024-06-12 Thread Adrian Ratiu
On Thursday, June 06, 2024 20:45 EEST, Kees Cook wrote: > On Wed, Jun 05, 2024 at 07:49:31PM +0300, Adrian Ratiu wrote: > > + proc_mem.restrict_foll_force= [KNL] > > + Format: {all | ptracer} > > + Restricts the use of the FOLL_FORC

Re: [PATCH v5 2/2] proc: restrict /proc/pid/mem

2024-06-07 Thread Adrian Ratiu
On Thursday, June 06, 2024 20:45 EEST, Kees Cook wrote: > On Wed, Jun 05, 2024 at 07:49:31PM +0300, Adrian Ratiu wrote: > > + proc_mem.restrict_foll_force= [KNL] > > + Format: {all | ptracer} > > + Restricts the use of the FOLL_FORC

[PATCH v5 2/2] proc: restrict /proc/pid/mem

2024-06-05 Thread Adrian Ratiu
[1] Link: https://issues.chromium.org/issues/40089045 [2] Cc: Guenter Roeck Cc: Doug Anderson Cc: Kees Cook Cc: Jann Horn Cc: Andrew Morton Cc: Randy Dunlap Cc: Christian Brauner Cc: Jeff Xu Co-developed-by: Mike Frysinger Signed-off-by: Mike Frysinger Signed-off-by: Adrian Ratiu --- Changes in

[PATCH v5 1/2] proc: pass file instead of inode to proc_mem_open

2024-06-05 Thread Adrian Ratiu
inside it. Cc: Jann Horn Cc: Kees Cook Cc: Christian Brauner Cc: Jeff Xu Signed-off-by: Adrian Ratiu Reviewed-by: Kees Cook --- Changes in v5: * Fixed task_nommu.c 0day build error * Added Reviewed-by tag by Kees C. (thanks!) * Rebased on next-20240605 --- fs/proc/base.c | 6 +++--- fs/proc

Re: [PATCH v4 2/2] proc: restrict /proc/pid/mem

2024-05-27 Thread Adrian Ratiu
On Saturday, May 25, 2024 08:49 EEST, Randy Dunlap wrote: > Hi-- > > On 5/24/24 12:28 PM, Adrian Ratiu wrote: > > diff --git a/security/Kconfig b/security/Kconfig > > index 412e76f1575d..0cd73f848b5a 100644 > > --- a/security/Kconfig > > +++ b/security/Kconfi

[PATCH v4 2/2] proc: restrict /proc/pid/mem

2024-05-24 Thread Adrian Ratiu
[1] Link: https://issues.chromium.org/issues/40089045 [2] Cc: Guenter Roeck Cc: Doug Anderson Cc: Kees Cook Cc: Jann Horn Cc: Andrew Morton Cc: Randy Dunlap Cc: Christian Brauner Co-developed-by: Mike Frysinger Signed-off-by: Mike Frysinger Signed-off-by: Adrian Ratiu --- Changes in v4: * Rena

[PATCH v4 1/2] proc: pass file instead of inode to proc_mem_open

2024-05-24 Thread Adrian Ratiu
inside it. Cc: Jann Horn Cc: Kees Cook Cc: Christian Brauner Signed-off-by: Adrian Ratiu --- * New in v4 --- fs/proc/base.c | 6 +++--- fs/proc/internal.h | 2 +- fs/proc/task_mmu.c | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/fs/proc/base.c b/fs/proc/base.c index

Re: [PATCH v3 1/2] proc: restrict /proc/pid/mem access via param knobs

2024-05-15 Thread Adrian Ratiu
On Tuesday, May 14, 2024 02:50 EEST, Kees Cook wrote: > On Fri, May 03, 2024 at 11:57:56AM +0200, Christian Brauner wrote: > > On Fri, Apr 26, 2024 at 04:10:49PM -0700, Kees Cook wrote: > > > On Tue, Apr 09, 2024 at 08:57:49PM +0300, Adrian Ratiu wrote: > > > > Pr

Re: [PATCH v3 1/2] proc: restrict /proc/pid/mem access via param knobs

2024-05-15 Thread Adrian Ratiu
On Saturday, April 27, 2024 02:10 EEST, Kees Cook wrote: > On Tue, Apr 09, 2024 at 08:57:49PM +0300, Adrian Ratiu wrote: > > Prior to v2.6.39 write access to /proc/<pid>/mem was restricted, > > after which it got allowed in commit 198214a7ee50 ("proc: enable > > writing

[PATCH v3 2/2] proc: add Kconfigs to restrict /proc/pid/mem access

2024-04-09 Thread Adrian Ratiu
assume most of systems will want to restrict at least the use of FOLL_FORCE. Cc: Guenter Roeck Cc: Doug Anderson Cc: Kees Cook Cc: Jann Horn Cc: Andrew Morton Cc: Randy Dunlap Cc: Christian Brauner Signed-off-by: Adrian Ratiu --- fs/proc/base.c | 33

[PATCH v3 1/2] proc: restrict /proc/pid/mem access via param knobs

2024-04-09 Thread Adrian Ratiu
Based on an initial patch by Mike Frysinger . Link: https://lwn.net/Articles/476947/ [1] Link: https://issues.chromium.org/issues/40089045 [2] Cc: Guenter Roeck Cc: Doug Anderson Cc: Kees Cook Cc: Jann Horn Cc: Andrew Morton Cc: Randy Dunlap Cc: Christian Brauner Co-developed-by: Mike Frysinger

Re: [PATCH v2] proc: allow restricting /proc/pid/mem writes

2024-03-04 Thread Adrian Ratiu
On Saturday, March 02, 2024 01:55 EET, Kees Cook wrote: > On Fri, Mar 01, 2024 at 11:34:42PM +0200, Adrian Ratiu wrote: > > Prior to v2.6.39 write access to /proc/<pid>/mem was restricted, > > after which it got allowed in commit 198214a7ee50 ("proc: enable > > writing to /p

Re: [PATCH v2] proc: allow restricting /proc/pid/mem writes

2024-03-02 Thread Adrian Ratiu
On Saturday, March 02, 2024 01:55 EET, Kees Cook wrote: > On Fri, Mar 01, 2024 at 11:34:42PM +0200, Adrian Ratiu wrote: > > Prior to v2.6.39 write access to /proc/<pid>/mem was restricted, > > after which it got allowed in commit 198214a7ee50 ("proc: enable > > writing to /p