From mboxrd@z Thu Jan 1 00:00:00 1970 From: Djalal Harouni Subject: Re: [PATCH 0/9] proc: protect /proc//* files across execve Date: Sun, 11 Mar 2012 09:46:02 +0100 Message-ID: <20120311084602.GC4310@dztty> References: <1331421919-15499-1-git-send-email-tixxdz@opendz.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Andrew Morton , Al Viro , Alexey Dobriyan , "Eric W. Biederman" , Vasiliy Kulikov , Kees Cook , Solar Designer , WANG Cong , James Morris , Oleg Nesterov , linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Alan Cox , Greg KH , Ingo Molnar , Stephen Wilson , "Jason A. Donenfeld" To: Linus Torvalds Return-path: Content-Disposition: inline In-Reply-To: Sender: linux-security-module-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org On Sat, Mar 10, 2012 at 04:01:09PM -0800, Linus Torvalds wrote: > I would in general suggest strongly against using exec_id for anything > that involves files. It isn't designed for that, it's designed for the > whole "check the parent exec_id" thing for ptrace, where that whole > "pass things around to another process" approach doesn't work. Yes exec_id for files can seem strange, but here we are speaking about virtual files that are related to the image of the process being run, these files are in reality just some portion of the process memory. Linus please check the patch: [PATCH 9/9] proc: improve and clean up /proc//mem protection I have explained why the current protection is not the best solution. The oom killer will kill other processes including getty,klogd,... even root owned ssh. -- tixxdz http://opendz.org