linux-integrity.vger.kernel.org archive mirror
* Writes to /proc/self/mem and file_mprotect() LSM hook
@ 2021-08-24  9:25 Igor Zhbanov
  0 siblings, 0 replies; only message in thread
From: Igor Zhbanov @ 2021-08-24  9:25 UTC (permalink / raw)
  To: linux-security-module, linux-integrity

Hello,

There are several ways to write data to a write-protected page. For example,
a process can write to /proc/self/mem to change read-only or even executable
pages: https://offlinemark.com/2021/05/12/an-obscure-quirk-of-proc/

In this case, the kernel code will map the physical page with another access
mode and change the data (the FOLL_FORCE flag will ignore the access check). The
problem is that no security hooks are called in this case. For example, the
file_mprotect() LSM hook was designed to intercept a process's attempts to
remap memory pages. In particular, SELinux and IMA control whether a process
is trying to make a code page writable. And this method allows bypassing it.

Therefore, my question is, should all page modifications that ignore the
protection mode call an LSM hook prior to temporarily remapping the page?

Thanks.
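
A self-test for the behaviour the message describes, useful for checking whether a given kernel and LSM policy allow it. This is an added example, not part of the original message; the function name probe_proc_mem_write is hypothetical, and a 64-bit Linux host with /proc mounted is assumed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if a PROT_READ page of this process was modified through
 * /proc/self/mem, 0 if the kernel or a security policy refused the
 * write, -1 if the probe could not be set up (for example, no /proc).
 * Only the calling process's own scratch page is touched. */
int probe_proc_mem_write(void)
{
    long psz = sysconf(_SC_PAGESIZE);
    if (psz <= 0)
        return -1;

    /* Private anonymous page: fill it while writable, then drop PROT_WRITE. */
    char *page = mmap(NULL, (size_t)psz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memset(page, 'A', (size_t)psz);
    if (mprotect(page, (size_t)psz, PROT_READ) != 0) {
        munmap(page, (size_t)psz);
        return -1;
    }

    int result = -1;
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd >= 0) {
        /* The file offset in /proc/<pid>/mem is the virtual address. */
        ssize_t n = pwrite(fd, "B", 1, (off_t)(uintptr_t)page);
        close(fd);
        /* Success means the byte changed although the mapping is read-only. */
        result = (n == 1 && ((volatile char *)page)[0] == 'B') ? 1 : 0;
    }
    munmap(page, (size_t)psz);
    return result;
}

int main(void)
{
    int r = probe_proc_mem_write();
    printf("write to PROT_READ page via /proc/self/mem: %s\n",
           r == 1 ? "succeeded" : r == 0 ? "refused" : "not testable");
    return r < 0;
}
```

A result of 1 on a host whose policy is meant to keep such pages unmodified shows that the write went through without the mprotect() path being involved.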
