On Fri, May 10, 2019 at 1:41 PM Jann Horn <jannh@xxxxxxxxxx> wrote:
>
> On Tue, May 07, 2019 at 05:17:35AM +1000, Aleksa Sarai wrote:
> > On 2019-05-06, Jann Horn <jannh@xxxxxxxxxx> wrote:
> > > In my opinion, CVE-2019-5736 points out two different problems:
> > >
> > > The big problem: The __ptrace_may_access() logic has a special-case
> > > short-circuit for "introspection" that you can't opt out of; this
> > > makes it possible to open things in procfs that are related to the
> > > current process even if the credentials of the process wouldn't permit
> > > accessing another process like it. I think the proper fix to deal with
> > > this would be to add a prctl() flag for "set whether introspection is
> > > allowed for this process", and if userspace has manually un-set that
> > > flag, any introspection special-case logic would be skipped.
> >
> > We could do PR_SET_DUMPABLE=3 for this, I guess?
>
> Hmm... I'd make it a new prctl() command, since introspection is
> somewhat orthogonal to dumpability. Also, dumpability is per-mm, and I
> think the introspection flag should be per-thread.

I've lost track of the context here, but it seems to me that mitigating
attacks involving accidental following of /proc links shouldn't depend
on dumpability. What's the actual problem this is trying to solve again?
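To make the ordering being discussed concrete, here is an added userspace model (not kernel code, and not from anyone in this thread) of how __ptrace_may_access() decides a /proc open: the same-thread-group short-circuit runs before the credential comparison and before the per-mm dumpability check, so PR_SET_DUMPABLE=0 never blocks a process from opening its own entries. The `no_introspection` field is the hypothetical per-thread opt-out Jann proposes; the scenario values are constructed.

```c
#include <stdbool.h>

/* Simplified model of __ptrace_may_access(): a same-thread-group
 * short-circuit precedes every credential and dumpability check.
 * This is a constructed illustration, not the kernel's code. */
enum { SUID_DUMP_DISABLE = 0, SUID_DUMP_USER = 1 };

struct mm_model { int dumpable; };          /* per-mm, like get_dumpable() */
struct task_model {
    int tgid;                               /* thread group id */
    unsigned uid, euid, suid;               /* caller's uid must match all three */
    bool cap_sys_ptrace;                    /* stands in for ptrace_has_cap() */
    bool no_introspection;                  /* hypothetical per-thread opt-out */
    struct mm_model *mm;
};

/* True if 'caller' may open a PTRACE_MODE_READ-guarded /proc entry of 'target'. */
bool may_access(const struct task_model *caller, const struct task_model *target)
{
    /* Introspection short-circuit: same thread group skips everything below,
     * which is why dumpable=0 on its own never blocks self-access. */
    if (caller->tgid == target->tgid && !caller->no_introspection)
        return true;
    bool creds_match = caller->uid == target->uid &&
                       caller->uid == target->euid &&
                       caller->uid == target->suid;
    if (!creds_match && !caller->cap_sys_ptrace)
        return false;
    /* Dumpability lives on the mm and is only consulted after the credential
     * comparison; the capability bypasses it. */
    if (target->mm && target->mm->dumpable != SUID_DUMP_USER && !caller->cap_sys_ptrace)
        return false;
    return true;
}

/* Constructed scenario: a non-dumpable process opening its own /proc/self entry. */
bool scenario_self_nondumpable(bool opt_out)
{
    struct mm_model mm = { SUID_DUMP_DISABLE };
    struct task_model t = { .tgid = 100, .uid = 1000, .euid = 1000, .suid = 1000,
                            .no_introspection = opt_out, .mm = &mm };
    return may_access(&t, &t);
}

/* Constructed scenario: an unrelated same-uid process, no capability. */
bool scenario_same_uid_other_nondumpable(void)
{
    struct mm_model mm = { SUID_DUMP_DISABLE };
    struct task_model target = { .tgid = 100, .uid = 1000, .euid = 1000, .suid = 1000, .mm = &mm };
    struct task_model caller = { .tgid = 200, .uid = 1000, .euid = 1000, .suid = 1000 };
    return may_access(&caller, &target);
}
```

With the opt-out set, the self-access case falls through to the same checks an unrelated process faces, which is the behaviour a new prctl() command would provide independently of dumpability.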