"ps -e" without procfs(5)

Jilles Tjoelker jilles at stack.nl
Sun Dec 4 21:19:18 UTC 2011

On Sun, Dec 04, 2011 at 10:58:10PM +0200, Mikolaj Golub wrote:
>  RNMW> Agreed. In general, my view is that p_cansee() should be used for very
>  RNMW> few of our process inspection APIs. I like your example of ASLR
>  RNMW> especially, as it illustrates how debugging information can aid even
>  RNMW> local attacks (i.e., user vs. setuid binary).

> What do you think about recently added kern.proc.ps_strings, which
> returns location of ps_strings structure? It uses p_cansee() too. The
> location is the same for all processes of the same ABI, so this does
> not look like sensitive information, on the other hand it also seems
> to be used by debuggers only.

With stack ASLR, the address will not be the same for every process of
the same ABI and will be sensitive information. Therefore I think this
should be locked down too.

Jilles Tjoelker
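To make the argument above concrete, here is an added example (not code from this thread or from FreeBSD itself) that samples kern.proc.ps_strings for several processes and reports whether the addresses coincide. Without stack ASLR every process of the same ABI reports the same value, so the sysctl reveals nothing beyond the ABI; if the values differ, each one pins down that process's stack placement, which is exactly the information Jilles wants p_cansee() to protect. The example assumes, from the 2011 kern_proc.c implementation, that the MIB is {CTL_KERN, KERN_PROC, KERN_PROC_PS_STRINGS, pid} and that the result is a vm_offset_t of the caller's word width; on non-FreeBSD systems the query is compiled out and simply fails with ENOSYS.

```c
/* Added example: compare kern.proc.ps_strings across processes.
 * Assumption: on FreeBSD the MIB {CTL_KERN, KERN_PROC, KERN_PROC_PS_STRINGS, pid}
 * returns that process's ps_strings address as a vm_offset_t. Elsewhere the
 * query is compiled out and ps_strings_of() fails with ENOSYS. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __FreeBSD__
#include <sys/sysctl.h>
#endif

/* Fetch the ps_strings address of `pid`. Returns 0 on success, -1 on failure
 * with errno set (EPERM here is p_cansee() denying the lookup; ESRCH is an
 * unknown pid). */
int ps_strings_of(pid_t pid, unsigned long *addr)
{
#ifdef __FreeBSD__
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PS_STRINGS, (int)pid };
    unsigned long val = 0;          /* vm_offset_t has pointer width */
    size_t len = sizeof(val);

    if (sysctl(mib, 4, &val, &len, NULL, 0) == -1)
        return -1;
    *addr = val;
    return 0;
#else
    (void)pid;
    (void)addr;
    errno = ENOSYS;                 /* not FreeBSD: no such sysctl */
    return -1;
#endif
}

/* Classify a sample of ps_strings addresses.
 * Returns 1 if every address is identical (the value carries no per-process
 * information), 0 if any differ (per-process stack placement is exposed),
 * and -1 if fewer than two addresses were supplied. */
int addresses_identical(const unsigned long *addrs, size_t n)
{
    if (n < 2)
        return -1;
    for (size_t i = 1; i < n; i++)
        if (addrs[i] != addrs[0])
            return 0;
    return 1;
}

int main(int argc, char **argv)
{
    /* Default sample: this process and its parent. Pass pids to widen it. */
    pid_t fallback[2] = { getpid(), getppid() };
    size_t n = argc > 1 ? (size_t)(argc - 1) : 2;
    unsigned long *addrs = calloc(n, sizeof(*addrs));
    size_t got = 0;

    if (addrs == NULL)
        return 1;
    for (size_t i = 0; i < n; i++) {
        pid_t pid = argc > 1 ? (pid_t)atoi(argv[i + 1]) : fallback[i];
        unsigned long a;
        if (ps_strings_of(pid, &a) == -1) {
            fprintf(stderr, "pid %ld: %s\n", (long)pid, strerror(errno));
            continue;
        }
        printf("pid %ld: ps_strings at 0x%lx\n", (long)pid, a);
        addrs[got++] = a;
    }
    switch (addresses_identical(addrs, got)) {
    case 1:  puts("all identical: no per-process information leaked"); break;
    case 0:  puts("addresses differ: each value reveals that process's stack layout"); break;
    default: puts("need at least two readable processes to compare"); break;
    }
    free(addrs);
    return 0;
}
```

Run it as an unprivileged user against a root-owned pid as well as your own shell: the EPERM on the root pid is p_cansee() doing its job, and a process you can read but that reports a different address is the case the message above is warning about. The <string.h> header is needed for strerror(); it is pulled in by <stdio.h> on FreeBSD but add it explicitly if your compiler complains.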
