On Tue, Mar 6, 2018 at 10:03 AM, Alexey Dobriyan <adobri...@gmail.com> wrote:
> On Tue, Mar 06, 2018 at 08:42:19PM +0300, Alexey Dobriyan wrote:
>> On Mon, Mar 05, 2018 at 05:02:08PM -0800, Kees Cook wrote:
>> > On Mon, Mar 5, 2018 at 4:07 PM, <a...@linux-foundation.org> wrote:
>> > > It is more natural to check for read-from-memory permissions in case of
>> > > process_vm_readv() as PTRACE_MODE_ATTACH is equivalent to write
>> > > permissions.
>> > NAK, this weakens the existing permission model for reading
>> What if the existing permission model is overzealous?
>> /proc/*/auxv, /proc/*/environ, /proc/*/cmdline, /proc/*/mem opened
>> for reading and process_vm_readv(2) should do PTRACE_MODE_READ and
>> everything else should do PTRACE_MODE_ATTACH.
> Or in other words:
> what if there should be 3 levels:
> 1) permission to write to address space
> 2) permission to read arbitrarily from address space
> 3) permission to read auxv, argv and envp
> Current code conflates (1) and (2).
There is also:
4) permission to read address layout (e.g. access to /proc/$pid/maps)
1 and 2 require ATTACH
3 and 4 require READ
ATTACH is a higher bar, and I think it is appropriate here, still, for
2, since being able to examine secrets in memory should be considered
a security boundary.
Is there something you're trying from userspace that is being blocked?