Linux 6.11 To Allow Tightening Of /proc/[PID]/mem Access For Better Security
Linux 6.11 will introduce a security feature tightening access to /proc/[pid]/mem files, proposed by Christian Brauner. It aims to restrict writes unless the current process is ptracing the task, addressing past exploits. Brauner emphasizes balancing security with legitimate use cases like debugging tools.
Linux 6.11 will introduce a new security feature that allows for the tightening of access to the /proc/[pid]/mem files of processes. This update, proposed by Christian Brauner, a Linux engineer at Microsoft, aims to restrict writes to the mem file unless the current process is ptracing the given task. The new SECURITY_PROC_MEM_RESTRICT_WRITES Kconfig option will provide finer control over access to /proc/[pid]/mem, addressing past exploits that abused this feature. By setting specific kernel command line options, users can now restrict access for all processes or allow access only to ptracers. While Brauner acknowledges the complexity of this fine-grained management, he emphasizes the necessity of balancing security with the legitimate use cases that require /proc/[pid]/mem access, such as debugging tools like gdb and the seccomp notifier. This security enhancement is pending Linus Torvalds' approval for inclusion in the upcoming Linux 6.11 release.
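As an added illustration (not code from the article or from Brauner's patch series), the following C probe lets an administrator check which regime a running kernel is in: it maps one page of its own memory, makes it read-only, and attempts a write through /proc/self/mem. It assumes Linux /proc semantics, under which a task is not a ptracer of itself, so the write succeeds only when the kernel still forces writes for non-ptracers; it cannot distinguish the ptrace-only regime from the never regime.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum probe_result { FORCE_DENIED = 0, FORCE_ALLOWED = 1, PROBE_ERROR = -1 };

/* Map a private anonymous page of our own, make it read-only, then try to
 * write one byte into it via /proc/self/mem. A kernel that still overrides
 * page protections for a non-ptracing writer lets the write through; a
 * kernel in the "ptrace" or "never" regime refuses it with EIO. */
int probe_proc_mem_force(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    int result = PROBE_ERROR, fd = -1, err = 0;
    unsigned char marker = 0x55;
    ssize_t n = -1;
    if (pagesz <= 0)
        return PROBE_ERROR;
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return PROBE_ERROR;
    memset(page, 0xAA, (size_t)pagesz);          /* known original content */
    if (mprotect(page, (size_t)pagesz, PROT_READ) != 0)
        goto out;
    fd = open("/proc/self/mem", O_RDWR);         /* own task: access is granted */
    if (fd < 0)
        goto out;
    n = pwrite(fd, &marker, 1, (off_t)(uintptr_t)page);
    err = errno;
    close(fd);
    if (n == 1 && page[0] == 0x55)
        result = FORCE_ALLOWED;                  /* protection was overridden */
    else if (n < 0 && err == EIO)
        result = FORCE_DENIED;                   /* kernel declined to force it */
out:
    munmap(page, (size_t)pagesz);
    return result;
}

const char *probe_result_name(int r)
{
    switch (r) {
    case FORCE_ALLOWED: return "always: non-ptracers may override page protections";
    case FORCE_DENIED:  return "ptrace or never: override refused for non-ptracers";
    default:            return "probe error";
    }
}

int main(void)
{
    int r = probe_proc_mem_force();
    printf("/proc/self/mem forced write: %s\n", probe_result_name(r));
    return r == PROBE_ERROR ? 2 : 0;
}
```

Run it as an unprivileged user on the kernel under test; a result of "always" means the hardening is not in effect for ordinary processes.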
Related
Memory sealing for the GNU C Library
The GNU C Library introduces mseal() system call for enhanced security by preventing address space changes. Adhemerval Zanella's patch series adds support, improving memory manipulation protection in upcoming releases.
The Dirty Pipe Vulnerability
The Dirty Pipe Vulnerability (CVE-2022-0847) in Linux kernel versions since 5.8 allowed unauthorized data overwriting in read-only files, fixed in versions 5.16.11, 5.15.25, and 5.10.102. Discovered through CRC errors in log files, it revealed systematic corruption linked to ZIP file headers due to a kernel bug in Linux 5.10. The bug's origin was pinpointed by replicating data transfer issues between processes using C programs, exposing the faulty commit. Changes in the pipe buffer code impacted data transfer efficiency, emphasizing the intricate nature of kernel development and software component interactions.
CVE-2021-4440: A Linux CNA Case Study
The Linux CNA mishandled CVE-2021-4440 in the 5.10 LTS kernel, causing information leakage and KASLR defeats. The issue affected Debian Bullseye and SUSE's 5.3.18 kernel, resolved in version 5.10.218.
Background of Linux's "file-max" and "nr_open" limits on file descriptors (2021)
The Unix background of Linux's 'file-max' and 'nr_open' kernel limits on file descriptors dates back to early Unix implementations like V7. These limits, set during kernel compilation, evolved to control resource allocation efficiently.
Linux Looking to Make 5-Level Paging Support Unconditional for x86_64 Builds
Intel introduces 5-level paging in Linux kernel for expanded memory sizes. Default in Linux 5.5 for Intel Ice Lake and AMD Zen 4 CPUs. Simplifies kernel configuration for modern hardware demands.
Edit: they've been added https://lore.kernel.org/lkml/20240715-absprachen-siedeln-858...