{"guid":"2dc340b4-8277-5885-9100-54e3b6f48a59","title":"Fixing an old Linux process memory security bug","subtitle":null,"slug":"all-systems-go-2024-286-fixing-an-old-linux-process-memory-security-bug","link":"https://cfp.all-systems-go.io/all-systems-go-2024/talk/9UVMR7/","description":"There is a well-known trade-off between security lockdowns and a user's ability to\ndebug/inspect a system. The Linux kernel is finally fixing an old proc/mem security\nbug which illustrates this trade-off nicely. The kernel will provide a mechanism,\nso distros need to implement a policy according to their own security needs, to\nrestrict proc/mem access (it gives userspace RW access to processes' memory).\n\nThis talk goes into the what, why and how of getting this bug fixed, with some policies\nfor plugging the long-standing hole for different use-cases, without breaking\ndebuggers or container supervisors.\n\nThis talk is based on the Linux patch series [1] which is extending the /proc/*/mem access\ncontrols beyond the normal file-based permissions, to restrict various access during\nkernel builds (Kconfig level) or early boot via static/read-only key parameters. It\nis expected to land in kernel v6.11, to be released in late Q3 / early Q4 2024.\nThe author is looking for opinions whether this should be backported to stable trees\nsince the patch is somewhere between a bugfix and a new feature.\n\n[1] https://patchwork.kernel.org/project/linux-fsdevel/patch/20240613133937.2352724-2-adrian.ratiu@collabora.com/\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Adrian Ratiu"],"tags":["286","asg2024","Dome","2024","Day 1"],"view_count":50,"promoted":false,"date":"2024-09-25T11:55:00.000+02:00","release_date":"2024-09-25T00:00:00.000+02:00","updated_at":"2026-03-31T04:15:02.967+02:00","length":1889,"duration":1889,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2024/286-2dc340b4-8277-5885-9100-54e3b6f48a59.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2024/286-2dc340b4-8277-5885-9100-54e3b6f48a59_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2024/286-2dc340b4-8277-5885-9100-54e3b6f48a59.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2024/286-2dc340b4-8277-5885-9100-54e3b6f48a59.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2024-286-fixing-an-old-linux-process-memory-security-bug","url":"https://api.media.ccc.de/public/events/2dc340b4-8277-5885-9100-54e3b6f48a59","conference_title":"All Systems Go! 2024","conference_url":"https://api.media.ccc.de/public/conferences/asg2024","related":[],"recordings":[{"size":69,"length":1889,"mime_type":"video/webm","language":"eng","filename":"asg2024-286-eng-Fixing_an_old_Linux_process_memory_security_bug_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2024-09-25T15:56:34.817+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2024/webm-sd/asg2024-286-eng-Fixing_an_old_Linux_process_memory_security_bug_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/80184","event_url":"https://api.media.ccc.de/public/events/2dc340b4-8277-5885-9100-54e3b6f48a59","conference_url":"https://api.media.ccc.de/public/conferences/asg2024"},{"size":150,"length":1889,"mime_type":"video/webm","language":"eng","filename":"asg2024-286-eng-Fixing_an_old_Linux_process_memory_security_bug_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-09-25T15:52:10.369+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2024/webm-hd/asg2024-286-eng-Fixing_an_old_Linux_process_memory_security_bug_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/80178","event_url":"https://api.media.ccc.de/public/events/2dc340b4-8277-5885-9100-54e3b6f48a59","conference_url":"https://api.media.ccc.de/public/conferences/asg2024"},{"size":52,"length":1889,"mime_type":"video/mp4","language":"eng","filename":"asg2024-286-eng-Fixing_an_old_Linux_process_memory_security_bug_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2024-09-25T15:35:55.862+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2024/h264-sd/asg2024-286-eng-Fixing_an_old_Linux_process_memory_security_bug_sd.mp4","url":"https://api.media.ccc.de/public/recordings/80170","event_url":"https://api.media.ccc.de/public/events/2dc340b4-8277-5885-9100-54e3b6f48a59","conference_url":"https://api.media.ccc.de/public/conferences/asg2024"},{"size":18,"length":1889,"mime_type":"audio/opus","language":"eng","filename":"asg2024-286-eng-Fixing_an_old_Linux_process_memory_security_bug_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2024-09-25T15:33:36.408+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2024/opus/asg2024-286-eng-Fixing_an_old_Linux_process_memory_security_bug_opus.opus","url":"https://api.media.ccc.de/public/recordings/80167","event_url":"https://api.media.ccc.de/public/events/2dc340b4-8277-5885-9100-54e3b6f48a59","conference_url":"https://api.media.ccc.de/public/conferences/asg2024"},{"size":28,"length":1889,"mime_type":"audio/mpeg","language":"eng","filename":"asg2024-286-eng-Fixing_an_old_Linux_process_memory_security_bug_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2024-09-25T15:33:06.540+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2024/mp3/asg2024-286-eng-Fixing_an_old_Linux_process_memory_security_bug_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/80166","event_url":"https://api.media.ccc.de/public/events/2dc340b4-8277-5885-9100-54e3b6f48a59","conference_url":"https://api.media.ccc.de/public/conferences/asg2024"},{"size":149,"length":1889,"mime_type":"video/mp4","language":"eng","filename":"asg2024-286-eng-Fixing_an_old_Linux_process_memory_security_bug_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-09-25T15:32:51.782+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2024/h264-hd/asg2024-286-eng-Fixing_an_old_Linux_process_memory_security_bug_hd.mp4","url":"https://api.media.ccc.de/public/recordings/80165","event_url":"https://api.media.ccc.de/public/events/2dc340b4-8277-5885-9100-54e3b6f48a59","conference_url":"https://api.media.ccc.de/public/conferences/asg2024"}]}