On Mon, Mar 9, 2015 at 5:11 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: > On Mon, Mar 9, 2015 at 2:11 PM, Kirill A. Shutemov <kirill@xxxxxxxxxxxxx> wrote: >> From: "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx> >> >> As pointed by recent post[1] on exploiting DRAM physical imperfection, >> /proc/PID/pagemap exposes sensitive information which can be used to do >> attacks. >> >> This is RFC patch which disallow anybody without CAP_SYS_ADMIN to read >> the pagemap. >> >> Any comments? > > I prefer Dave Hansen's approach: > > http://www.spinics.net/lists/kernel/msg1941939.html > > This gives finer grained control without globally dropping the ability > of a non-root process to examine pagemap details (which is the whole > point of the interface). per-pidns like this is no good. You shouldn't be able to create a non-paranoid pidns if your parent is paranoid. Also, at some point we need actual per-ns controls. This mount option stuff is hideous. --Andy > > -Kees > >> >> [1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html >> >> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx> >> Cc: Pavel Emelyanov <xemul@xxxxxxxxxxxxx> >> Cc: Konstantin Khlebnikov <khlebnikov@xxxxxxxxxx> >> Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> >> Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> >> Cc: Mark Seaborn <mseaborn@xxxxxxxxxxxx> >> Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx> >> --- >> fs/proc/task_mmu.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c >> index 246eae84b13b..b72b36e64286 100644 >> --- a/fs/proc/task_mmu.c >> +++ b/fs/proc/task_mmu.c >> @@ -1322,6 +1322,9 @@ out: >> >> static int pagemap_open(struct inode *inode, struct file *file) >> { >> + /* do not disclose physical addresses: attack vector */ >> + if (!capable(CAP_SYS_ADMIN)) >> + return -EPERM; >> pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about " >> "to stop being page-shift some time soon. See the " >> "linux/Documentation/vm/pagemap.txt for details.\n"); >> -- >> 2.3.1 >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in >> the body of a message to majordomo@xxxxxxxxxxxxxxx >> More majordomo info at http://vger.kernel.org/majordomo-info.html >> Please read the FAQ at http://www.tux.org/lkml/ > > > > -- > Kees Cook > Chrome OS Security -- Andy Lutomirski AMA Capital Management, LLC -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>