Hardening procfs and linprocfs

The published exploit for the sftp configuration vulnerability can be mitigated entirely outside of sshd/sftpd. grsecurity (grsec), a popular third-party hardening patch for Linux, can restrict Linux's procfs so that /proc/pid/mem cannot be written to; Linux systems running with that option are therefore unaffected by the sftp configuration vulnerability. FreeBSD ships the procfs(5) pseudo-filesystem (which linprocfs(5) utilizes), but few people mount it on production systems. Some do, however, in particular those who run Linux applications that depend on linprocfs(5).

For those who do, HardenedBSD now provides the same protection for procfs(5) that grsec provides for Linux's procfs. If you add the PAX_HARDENING option to your kernel configuration, procfs(5) is hardened to prevent modifying the memory of a process through it. The behaviour is controlled by a new sysctl(8) tunable, hardening.procfs_harden, which defaults to 1 (hardening enabled).

When enabled, the following procfs(5) files are protected from writes:

  • /proc/pid/dbregs
  • /proc/pid/fpregs
  • /proc/pid/regs
  • /proc/pid/mem

New HardenedBSD builds going forward will have the PAX_HARDENING kernel option enabled, so these protections are on by default. Reads of these files are still permitted; writes fail with errno set to EPERM.
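A quick way to confirm the behaviour described above on your own system is to try the writes and look at the errno you get back. The following program is an added example, not HardenedBSD project code: it probes the four protected files for the calling process and reports whether each write is refused with EPERM. It assumes procfs(5) is mounted at /proc (the PROCFS_ROOT macro is an assumption for this check; adjust it if your mount point differs). For mem, the file offset is the virtual address being written, so the probe targets a scratch variable inside the program itself; on an unhardened procfs that write simply lands and flips the variable.

```c
/*
 * procfs_harden_check.c -- probe the procfs(5) files that
 * hardening.procfs_harden protects and report whether writes are
 * refused with EPERM. Added example, not HardenedBSD project code.
 * Assumes procfs(5) is mounted at /proc (PROCFS_ROOT is an assumed
 * mount point for this check; adjust it if yours differs).
 */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define PROCFS_ROOT "/proc"

/* Files the post lists as write-protected when hardening is on. */
static const char *const protected_files[] = {"dbregs", "fpregs", "regs", "mem"};
static const size_t nprotected = sizeof(protected_files) / sizeof(protected_files[0]);

/*
 * Attempt a one-byte write to `path` at `offset`.
 * Returns 0 if the byte was written, -1 if pwrite(2) wrote nothing
 * without reporting an error, otherwise the errno that open(2) or
 * pwrite(2) failed with (EPERM is what a hardened procfs should give).
 */
int probe_write(const char *path, off_t offset)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return errno;
    unsigned char byte = 0x90;          /* harmless payload for the probe */
    ssize_t n = pwrite(fd, &byte, 1, offset);
    int result = (n < 0) ? errno : (n == 0 ? -1 : 0);
    close(fd);
    return result;
}

/*
 * Probe every protected file of process `pid`. For mem the offset is
 * the virtual address to write, so `addr` must point into the target's
 * address space. Returns the number of files whose write did NOT fail
 * with EPERM; 0 means the hardening behaves as the post describes.
 */
int count_unprotected(pid_t pid, uintptr_t addr)
{
    int unprotected = 0;
    for (size_t i = 0; i < nprotected; i++) {
        char path[64];
        snprintf(path, sizeof(path), PROCFS_ROOT "/%ld/%s", (long)pid, protected_files[i]);
        off_t off = (strcmp(protected_files[i], "mem") == 0) ? (off_t)addr : 0;
        int rc = probe_write(path, off);
        const char *verdict = (rc == EPERM) ? "blocked (EPERM)"
                            : (rc == 0)     ? "WRITE SUCCEEDED"
                            : (rc == -1)    ? "no bytes written"
                            : strerror(rc);
        printf("%-24s %s\n", path, verdict);
        if (rc != EPERM)
            unprotected++;
    }
    return unprotected;
}

int main(void)
{
    /* Use ourselves as the target: the mem probe writes into `scratch`,
     * which on an unhardened procfs simply changes its value to 0x90. */
    static volatile unsigned char scratch = 0;
    int bad = count_unprotected(getpid(), (uintptr_t)&scratch);
    printf("scratch after probe: 0x%02x (0x90 means the mem write landed)\n", scratch);
    return bad == 0 ? 0 : 1;
}
```

Build with `cc -o procfs_harden_check procfs_harden_check.c` and run it on a kernel built with PAX_HARDENING: every line should read "blocked (EPERM)" and the exit status is 0. Compare against `sysctl hardening.procfs_harden`; with the tunable set to 0 the same run shows what an unhardened procfs(5) permits. A file that is missing altogether shows up as ENOENT rather than EPERM, so the check also catches the case where procfs(5) is not mounted where you expect.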