"ps -e" without procfs(5)
Mikolaj Golub
trociny at freebsd.org
Sun Dec 4 20:58:18 UTC 2011
On Sun, 4 Dec 2011 15:57:06 +0000 Robert N. M. Watson wrote:
RNMW> On 4 Dec 2011, at 14:31, Jilles Tjoelker wrote:
>> On Sat, Oct 29, 2011 at 01:32:39PM +0300, Mikolaj Golub wrote:
>>> [KERN_PROC_AUXV requires just p_cansee()]
>>
>> If we are ever going to do ASLR, the AUXV information tells an attacker
>> where the stack, executable and RTLD are located, which defeats much of
>> the point of randomizing the addresses in the first place.
>>
>> Given that the AUXV information seems to be used by debuggers only
>> anyway, I think it would be good to move it to p_candebug() now.
>>
>> The full virtual memory maps (KERN_PROC_VMMAP, procstat -v) are already
>> under p_candebug().
RNMW> Agreed. In general, my view is that p_cansee() should be used for very
RNMW> few of our process inspection APIs. I like your example of ASLR
RNMW> especially, as it illustrates how debugging information can aid even
RNMW> local attacks (i.e., user vs. setuid binary).
What do you think about recently added kern.proc.ps_strings, which returns
location of ps_strings structure? It uses p_cansee() too. The location is the
same for all processes of the same ABI, so this does not look like sensitive
information, on the other hand it also seems to be used by debuggers only.
--
Mikolaj Golub
More information about the freebsd-hackers
mailing list