On Tue, Oct 2, 2012 at 10:37 PM, David Rientjes <rientjes@xxxxxxxxxx> wrote: > On Tue, 2 Oct 2012, Kees Cook wrote: > >> >> In the paranoid case of sysctl kernel.kptr_restrict=2, mask the kernel >> >> virtual addresses in /proc/vmallocinfo too. >> >> >> >> Reported-by: Brad Spengler <spender@xxxxxxxxxxxxxx> >> >> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> >> > >> > /proc/vmallocinfo is S_IRUSR, not S_IRUGO, so exactly what are you trying >> > to protect? >> >> Trying to block the root user from seeing virtual memory addresses >> (mode 2 of kptr_restrict). >> >> Documentation/sysctl/kernel.txt: >> "This toggle indicates whether restrictions are placed on >> exposing kernel addresses via /proc and other interfaces. When >> kptr_restrict is set to (0), there are no restrictions. When >> kptr_restrict is set to (1), the default, kernel pointers >> printed using the %pK format specifier will be replaced with 0's >> unless the user has CAP_SYSLOG. When kptr_restrict is set to >> (2), kernel pointers printed using %pK will be replaced with 0's >> regardless of privileges." >> >> Even though it's S_IRUSR, it still needs %pK for the paranoid case. > > So root does echo 0 > /proc/sys/kernel/kptr_restrict first. Again: what > are you trying to protect? Only CAP_SYS_ADMIN can change the setting. This is, for example, for containers, or other situations where a uid 0 process lacking CAP_SYS_ADMIN cannot see virtual addresses. It's a very paranoid case, yes, but it's part of how this feature was designed. Think of it as supporting the recent uid 0 vs ring 0 boundary. :) -Kees -- Kees Cook Chrome OS Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>