Date: Mon, 26 Feb 2024 16:53:00 -0800
From: Kees Cook
To: Doug Anderson
Cc: Adrian Ratiu, jannh@google.com, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, kernel@collabora.com, Guenter Roeck, Mike Frysinger, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] proc: allow restricting /proc/pid/mem writes
Message-ID: <202402261650.DE0601F01@keescook>

On Mon, Feb 26, 2024 at 02:37:29PM -0800, Doug Anderson wrote:
> Hi,
>
> On Mon, Feb 26, 2024 at 2:33 PM Adrian Ratiu wrote:
> >
> > > > [...]
> > > > +config SECURITY_PROC_MEM_RESTRICT_WRITES
> > >
> > > Instead of a build-time CONFIG, I'd prefer a boot-time config (or a
> > > sysctl, but that'd be harder given the perms). That this is selectable
> > > by distro users, etc, and they don't need to rebuild their kernel to
> > > benefit from it.
> >
> > Ack, I'll implement a cmdline arg in v2.
>
> Any objections to doing both? Have a CONFIG option for a default and a
> cmdline to override it? This way if a distro wants to restrict writes
> by default then they don't need to jam more stuff into the kernel command
> line.

For an example, take a look at randomize_kstack_offset and
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT.

-- 
Kees Cook
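
The "build-time default plus command-line override" pattern discussed in this thread, as an added user-space sketch in C; it is not part of the original message, not kernel code, and not the patch under review. The macro RESTRICT_WRITES_DEFAULT and the parameter name proc_mem_restrict_writes are hypothetical, and the boolean parsing is only loosely modeled on the kernel's kstrtobool().

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a Kconfig "..._DEFAULT" symbol (hypothetical name). */
#define RESTRICT_WRITES_DEFAULT 1
/* Hypothetical command-line parameter; the thread does not name one. */
#define PARAM "proc_mem_restrict_writes="

/* Accept 1/0, y/n, t/f, on/off. Loosely modeled on kstrtobool(). */
static int parse_bool(const char *s, size_t len, bool *out)
{
	int c0 = tolower((unsigned char)s[0]);
	int c1 = len > 1 ? tolower((unsigned char)s[1]) : 0;

	if (c0 == '1' || c0 == 'y' || c0 == 't' || (c0 == 'o' && c1 == 'n'))
		*out = true;
	else if (c0 == '0' || c0 == 'n' || c0 == 'f' || (c0 == 'o' && c1 == 'f'))
		*out = false;
	else
		return -1;
	return 0;
}

/* Build-time default, overridden by the last well-formed PARAM token.
 * Malformed or empty values are ignored, so a typo keeps the default. */
bool restrict_writes_effective(const char *cmdline)
{
	bool val = RESTRICT_WRITES_DEFAULT, b;
	size_t plen = strlen(PARAM);

	for (const char *p = cmdline; *p; ) {
		size_t tok = strcspn(p, " ");   /* whole-token match only */
		if (tok > plen && !strncmp(p, PARAM, plen) &&
		    parse_bool(p + plen, tok - plen, &b) == 0)
			val = b;
		p += tok + strspn(p + tok, " ");
	}
	return val;
}

int main(void)
{
	/* Constructed sample command line. */
	const char *cmdline = "root=/dev/sda1 quiet proc_mem_restrict_writes=0";
	printf("default=%d effective=%d\n", RESTRICT_WRITES_DEFAULT, restrict_writes_effective(cmdline));
	return 0;
}
```

With the default built in as enabled, a distro gets the restriction without touching the command line, and only an explicit, well-formed token can turn it off.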