| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Feb 2024 16:53:00 -0800 From: Kees Cook <keescook@...omium.org> To: Doug Anderson <dianders@...omium.org> Cc: Adrian Ratiu <adrian.ratiu@...labora.com>, jannh@...gle.com, linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, kernel@...labora.com, Guenter Roeck <groeck@...omium.org>, Mike Frysinger <vapier@...omium.org>, linux-hardening@...r.kernel.org Subject: Re: [PATCH] proc: allow restricting /proc/pid/mem writes On Mon, Feb 26, 2024 at 02:37:29PM -0800, Doug Anderson wrote: > Hi, > > On Mon, Feb 26, 2024 at 2:33 PM Adrian Ratiu <adrian.ratiu@...labora.com> wrote: > > > > > > [...] > > > > +config SECURITY_PROC_MEM_RESTRICT_WRITES > > > > > > Instead of a build-time CONFIG, I'd prefer a boot-time config (or a > > > sysctl, but that's be harder given the perms). That this is selectable > > > by distro users, etc, and they don't need to rebuild their kernel to > > > benefit from it. > > > > Ack, I'll implement a cmdline arg in v2. > > Any objections to doing both? Have a CONFIG option for a default and a > cmdline to override it? This way if a distro wants to restrict writes > by default then don't need to jam more stuff into the kernel command > line. For an example, take a look at randomize_kstack_offset and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT. -- Kees Cook
Powered by blists - more mailing lists