procfs: make /proc/*/{stack,syscall,personality} 0400 - kernel

diff options

author	Djalal Harouni <[email protected]>	2014-04-07 22:38:36 +0000
committer	Linus Torvalds <[email protected]>	2014-04-07 23:36:04 +0000
commit	35a35046e4f9d8849e727b0e0f6edac0ece4ca6e (patch)
tree	40e3296460ebc388f4c1ce3f622c0858fae0a6e9 /fs/proc/array.c
parent	fs/proc/inode.c: use RCU_INIT_POINTER(x, NULL) (diff)
download	kernel-35a35046e4f9d8849e727b0e0f6edac0ece4ca6e.tar.gz kernel-35a35046e4f9d8849e727b0e0f6edac0ece4ca6e.zip

procfs: make /proc/*/{stack,syscall,personality} 0400

These procfs files contain sensitive information and currently their mode is 0444. Change this to 0400, so the VFS will be able to block unprivileged processes from getting file descriptors on arbitrary privileged /proc/*/{stack,syscall,personality} files. This reduces the scope of ASLR leaking and bypasses by protecting already running processes. Signed-off-by: Djalal Harouni <[email protected]> Acked-by: Kees Cook <[email protected]> Acked-by: Andy Lutomirski <[email protected]> Cc: Eric W. Biederman <[email protected]> Cc: Al Viro <[email protected]> Cc: Oleg Nesterov <[email protected]> Cc: Ingo Molnar <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>

Diffstat (limited to 'fs/proc/array.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: