Re: [PATCH] proc: allow restricting /proc/pid/mem writes

[PATCH] proc: allow restricting /proc/pid/mem writes · Adrian Ratiu <hidden> · 2024-02-21
Re: [PATCH] proc: allow restricting /proc/pid/mem writes · Doug Anderson <dianders@chromium.org> · 2024-02-26
Re: [PATCH] proc: allow restricting /proc/pid/mem writes · Kees Cook <hidden> · 2024-02-26
Re: [PATCH] proc: allow restricting /proc/pid/mem writes · Kees Cook <hidden> · 2024-02-26
Re: [PATCH] proc: allow restricting /proc/pid/mem writes · Mike Frysinger <hidden> · 2024-02-26
Re: [PATCH] proc: allow restricting /proc/pid/mem writes · Adrian Ratiu <hidden> · 2024-02-26
Re: [PATCH] proc: allow restricting /proc/pid/mem writes · Doug Anderson <dianders@chromium.org> · 2024-02-26
Re: [PATCH] proc: allow restricting /proc/pid/mem writes · Kees Cook <hidden> · 2024-02-27

From: Doug Anderson <dianders@chromium.org>
Date: 2024-02-26 22:37:50
Also in: linux-fsdevel, linux-hardening, lkml

Hi,

On Mon, Feb 26, 2024 at 2:33 PM Adrian Ratiu [off-list ref] wrote:

quoted

[...]
+config SECURITY_PROC_MEM_RESTRICT_WRITES

Instead of a build-time CONFIG, I'd prefer a boot-time config (or a
sysctl, but that's be harder given the perms). That this is selectable
by distro users, etc, and they don't need to rebuild their kernel to
benefit from it.

Ack, I'll implement a cmdline arg in v2.

Any objections to doing both? Have a CONFIG option for a default and a
cmdline to override it? This way if a distro wants to restrict writes
by default then don't need to jam more stuff into the kernel command
line.

-Doug

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help