From: Steve Kemp
Date: Mon, 4 Jun 2018 19:57:23 +0300
Subject: Re: [PATCH] proc: prevent a task from writing on its own /proc/*/mem
Cc: Kernel Hardening, LSM List, Linux Kernel Mailing List
References: <1527346246-1334-1-git-send-email-s.mesoraca16@gmail.com>
List-ID: linux-kernel@vger.kernel.org

> A configurable LSM is probably the right way to do this.

I wonder how many out-of-tree LSMs there are?

Looking at the mainline kernel, the only "small" LSM bundled is YAMA, and it seems that most of the patches proposing new ones eventually die out.

I appreciate that there are probably a lot of "toy" or "local" modules out there for specific fields, companies, or products, but it does seem odd that there are so few discussed publicly. (The last two I remember were S.A.R.A. and something relating to xattr attributes being used to whitelist execution.)

Steve
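For readers who have not seen the behaviour the patch in the subject line is about, the following is an added example, not code from the patch, the thread, or the kernel: a process opens its own /proc/self/mem and writes through it to a page it has mapped read-only, which a normal store would fault on. It assumes a Linux system with /proc mounted and a kernel without the proposed restriction (or an LSM enforcing it); the function and enum names are this example's own.

```c
/* Added example: a task modifying its own memory through /proc/self/mem.
 * Not part of the patch or the mailing-list thread. Assumes Linux with
 * /proc mounted and no policy blocking self-writes to /proc/PID/mem.
 */
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Return codes for the demonstration (names are this example's own). */
enum {
    SELF_MEM_OK = 0,            /* value changed through /proc/self/mem */
    SELF_MEM_MAP_FAILED = 1,    /* mmap/mprotect of the test page failed */
    SELF_MEM_OPEN_FAILED = 2,   /* /proc/self/mem not available or denied */
    SELF_MEM_WRITE_FAILED = 3,  /* pwrite() refused or short */
    SELF_MEM_NO_EFFECT = 4      /* write reported success but memory unchanged */
};

/* Overwrite *target with new_val via /proc/self/mem rather than a store.
 * The file offset is the virtual address. The kernel services this write
 * the way a debugger's memory access would, so it succeeds even when the
 * page holding *target is mapped read-only; that is the capability the
 * patch under discussion wants to take away from the task itself.
 * target is volatile so the compiler re-reads it after the write. */
int overwrite_via_proc_self_mem(volatile int *target, int new_val)
{
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0)
        return SELF_MEM_OPEN_FAILED;

    ssize_t n = pwrite(fd, &new_val, sizeof new_val, (off_t)(uintptr_t)target);
    close(fd);
    if (n != (ssize_t)sizeof new_val)
        return SELF_MEM_WRITE_FAILED;

    return (*target == new_val) ? SELF_MEM_OK : SELF_MEM_NO_EFFECT;
}

/* Map one anonymous page, store a marker, make the page read-only, then
 * change the marker through /proc/self/mem. A direct "*p = ..." after the
 * mprotect() would raise SIGSEGV; the /proc write does not. */
int demo_self_mem_write(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *m = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return SELF_MEM_MAP_FAILED;

    volatile int *p = m;
    *p = 0x11111111;                       /* marker written while writable */
    if (mprotect(m, (size_t)page, PROT_READ) != 0) {
        munmap(m, (size_t)page);
        return SELF_MEM_MAP_FAILED;
    }

    int rc = overwrite_via_proc_self_mem(p, 0x22222222);
    munmap(m, (size_t)page);
    return rc;
}

int main(void)
{
    int rc = demo_self_mem_write();
    printf("write through /proc/self/mem onto a read-only page: %s (rc=%d)\n",
           rc == SELF_MEM_OK ? "succeeded" : "failed", rc);
    return rc;
}
```

Running it on a stock kernel prints "succeeded"; with the patch applied, or with an LSM hook denying the access, the expected outcome is rc=2 or rc=3 (open or write refused), which is the check to run when evaluating such a policy.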