Linux 6.11 To Allow Tightening Of /proc/[pid]/mem Access For Better Security

Written by Michael Larabel in Linux Security on 14 July 2024 at 08:36 AM EDT. 65 Comments
LINUX SECURITY
Linux engineer Christian Brauner at Microsoft sent out his various pull requests for areas of the kernel he oversees ahead of the Linux 6.11 merge window. One of the more interesting pull requests from Brauner this cycle are the "vfs procfs" updates that now allow restricting access to the /proc/[pid]/mem files of processes.

The new SECURITY_PROC_MEM_RESTRICT_WRITES Kconfig option allows restricting writes to the mem file of processes unless the current process ptraces to that given task.

SECURITY_PROC_MEM_RESTRICT_WRITES


Brauner explains in the pull request with the patches from Collabora's Adrian Ratiu:
"This contains work to allow restricting access to /proc/<pid>/mem. Over the years various exploits started abusing /proc/<pid>/mem (cf. [1] and [2]). Specifically [2] is interesting as it installed an arbitrary payload from noexec storage into a running process and then executed it. That payload itself included an ELF loader to run arbitrary code off of noexec storage.

The biggest problem is that /proc/<pid>/mem ignores page permissions by using FOLL_FORCE which was discussed several times on- and off-list.

Unfortunately there are various use-cases using /proc/<pid>/mem making it impossible to just turn it off. They at least include PTRACE_POKEDATA and the seccomp notifier which is used to emulate system calls.

So give userspace a way to restrict access to /proc/<pid>/mem via kernel command line options. Setting them to "all" restricts access for all processes while "ptracer" will allow access to ptracers:

(1) Restrict the use of FOLL_FORCE via proc_mem.restrict_foll_force
(2) Restrict opening /proc/<pid>/mem for reading.
(3) Restrict opening /proc/<pid>/mem for writing.
(4) Restrict writing to /proc/<pid>/mem.

---

The level of fine-grained management isn't my favorite as it requires distributions to have some level of knowledge around the implications of FOLL_FORCE and /proc/<pid>/mem access in general. But the use-cases where /proc/<pid>/mem access is needed do already imply a sophisticated knowledge around its implications. Especially when it comes to the seccomp notifier and gdb to inspect or emulate process state. So that ultimately swayed me to accept this. If we need something simpler I'm all ears."

This new security feature is now awaiting pulling by Linus Torvalds once the v6.11 merge window kicks off, which will begin tomorrow assuming no v6.10 release delays.

Update: Linus Torvalds pulled the feature but then decided against it in its current form. Linus wrote:
Ugh.

I pulled this, and looked at it, and then I decided I can't live with something this ugly.
Linus has made some suggestions for a new revision that he would be okay with for getting this feature into the kernel.
65 Comments
Related News
New Linux Patch Lets You Force CPU Bugs/Mitigations Even When Not Vulnerable
Linux To Allow Disabling TPM PCR Integrity Protection Due To Performance Bottleneck
OpenPaX Announced As "Open-Source Alternative To GrSecurity" With Free Kernel Patch
Unauthenticated RCE Flaw With CVSS 9.9 Rating For Linux Systems Affects CUPS
Landlock Sandboxing Now Supports More Controls Around Unix Sockets
Linux 6.12 Adds Build Options For Greater Control Over CPU Security Mitigations
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
Linus Torvalds Comes Out Against "Completely Broken" x86_64 Feature Levels
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
COSMIC Alpha 4 Released For System76's Rust-Based Desktop
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
KDE Starts December By Landing A Number Of New Features