On Tue, Jul 07, 2020 at 05:45:04PM +0200, Christian Brauner wrote:
...
>
> Ok, so the original patch proposal was presented in [4] in 2014. The
> final version of that patch added the PR_SET_MM_MAP we know today. The
> initial version presented in [4] did not require _any_ privilege.

True. I still think that relying on /proc/<pid>/exe being immutable (or
guarded by caps) for the sake of security is a bit misleading; this link
is only a hint without any guarantees of what code is being executed once
we pass cs:rip to userspace right after exec is completed. Nowadays I
rather think we might need to call audit_log() here or something similar
to point out that the exe link is changed (by criu or someone else) and
simply notify the node's administrator, that's all. But as you pointed
out, tomoyo may be affected if we simply drop all caps from here. Thus I
agree that the new cap won't make the situation worse. Still, I'm not in
touch with kernel code for a couple of years already and might be missing
something obvious here.