Re: [kernel-hardening] Re: [PATCH v3 3/3] SROP mitigation: Add sysctl to disable SROP protection.

From: Kees Cook
Date: Thu Mar 10 2016 - 01:36:33 EST


On Tue, Mar 8, 2016 at 1:00 PM, One Thousand Gnomes
<gnomes@xxxxxxxxxxxxxxxxxxx> wrote:
> On Tue, 8 Mar 2016 13:47:55 -0700
> Scott Bauer <sbauer@xxxxxxxxxxxx> wrote:
>
>> This patch adds a sysctl argument to disable SROP protection.
>
> Shouldn't it be a sysctl to enable it irrevocably, otherwise if I have DAC
> capability I can turn off SROP and attack something to get to higher
> capability levels ?
>
> (The way almost all distros are set up its kind of academic but for a
> properly secured system it might matter).

Perhaps use proc_dointvec_minmax_sysadmin instead to tie changes
strictly to CAP_SYS_ADMIN?

-Kees

>
> Alan



--
Kees Cook
Chrome OS & Brillo Security