diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2026-04-13 09:12:37 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2026-04-13 09:12:37 -0700 |
| commit | 599bbba5a36f6de57ab14c373c25881e2b5273f5 (patch) | |
| tree | e69affa0713cebd297975ff0d13608a1037b7857 /security | |
| parent | fdcbb1bc06508eb7ad961b3876b16382ae678ef8 (diff) | |
| download | linux-next-history-599bbba5a36f6de57ab14c373c25881e2b5273f5.tar.gz | |
proc: make PROC_MEM_FORCE_PTRACE the Kconfig default
This kconfig option was introduced 18 months ago, with the historical
default of always allowing forcing memory permission overrides in order
to not change any existing behavior.
But it was documented as "for now", and this is a gentle nudge to people
that you probably _should_ be using PROC_MEM_FORCE_PTRACE. I've had
that in my local kernel config since the option was introduced.
Anybody who just does "make oldconfig" will pick up their old
configuration with no change, so this is still meant to not change any
existing system behavior, but at least gently prod people into trying
it.
I'd love to get rid of FOLL_FORCE entirely (see commit 8ee74a91ac30
"proc: try to remove use of FOLL_FORCE entirely" from roughly a decade
ago), but sadly that is likely not a realistic option (see commit
f511c0b17b08 "Yes, people use FOLL_FORCE ;)" three weeks later).
But at least let's make it more obvious that you have the choice to
limit it and force people to at least be a bit more conscious about
their use of FOLL_FORCE, since judging from a recent discussion people
weren't even aware of this one.
Reminded-by: Vova Tokarev <vladimirelitokarev@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/Kconfig | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/security/Kconfig b/security/Kconfig index 6a4393fce9a17..f7bf6cdc6229e 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -21,16 +21,14 @@ config SECURITY_DMESG_RESTRICT choice prompt "Allow /proc/pid/mem access override" - default PROC_MEM_ALWAYS_FORCE + default PROC_MEM_FORCE_PTRACE help Traditionally /proc/pid/mem allows users to override memory permissions for users like ptrace, assuming they have ptrace capability. This allows people to limit that - either never override, or - require actual active ptrace attachment. - - Defaults to the traditional behavior (for now) + require actual active ptrace attachment (default). config PROC_MEM_ALWAYS_FORCE bool "Traditional /proc/pid/mem behavior" |