authorMatthew Garrett <matthewgarrett@google.com>2019-04-19 13:08:32 -0700
committerDaiki Ueno <dueno@src.gnome.org>2019-04-20 08:29:34 +0200
commite6822428ebfe3b61bfa5df7e04a5e1af7f2048ca (patch)
tree9e0b86547749c30acfc41a0f3d3ed788e1072781
parent91bc9368ca2eedef0dec3f5aa81f641ced07a9b6 (diff)
downloadgnome-keyring-e6822428ebfe3b61bfa5df7e04a5e1af7f2048ca.tar.gz
egg: Request that secure memory not be dumped to disk
Linux 3.4 added support for the MADV_DONTDUMP option to madvise(), which requests that the covered memory not be included in coredumps. It makes sense to use this to prevent cases where application crashes could result in secrets being persisted to disk or included in dumps that are uploaded to remote servers for analysis. I've avoided making this fatal since there's a chance this code could be built on systems that have MADV_DONTDUMP but run on systems that don't.
-rw-r--r--configure.ac8
-rw-r--r--egg/egg-secure-memory.c13
2 files changed, 21 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 4b836641..de0c759b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -184,6 +184,14 @@ AC_CHECK_FUNCS(gettimeofday fsync)
AC_CHECK_FUNCS(mlock)
# --------------------------------------------------------------------
+# Prevent memory from being included in core dumps
+#
+
+AC_CHECK_DEFINE([sys/mman.h],[MADV_DONTDUMP],
+ AC_DEFINE([HAVE_MADV_DONTDUMP], [1],
+ [Define if madvise knows about MADV_DONTDUMP]))
+
+# --------------------------------------------------------------------
# socket()
#
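Review bot: AC_CHECK_DEFINE is not a macro that stock Autoconf provides (the Autoconf Archive ships the equivalent as AX_CHECK_DEFINE), so unless an m4 file elsewhere in this tree supplies it, autoconf will reject the new call as a possibly undefined macro and HAVE_MADV_DONTDUMP will never be defined, leaving the new madvise() code compiled out. The stock spelling is `AC_CHECK_DECLS([MADV_DONTDUMP], [], [], [[#include <sys/mman.h>]])`, which defines HAVE_DECL_MADV_DONTDUMP to 0 or 1 for the C side to test. Since MADV_DONTDUMP is a plain preprocessor constant from the same header the madvise() call already needs, the probe could also be dropped entirely in favour of `#ifdef MADV_DONTDUMP` at the use site, which removes the configure-time dependency while keeping the runtime fallback the commit already has.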
diff --git a/egg/egg-secure-memory.c b/egg/egg-secure-memory.c
index bc82184a..3dca8fb5 100644
--- a/egg/egg-secure-memory.c
+++ b/egg/egg-secure-memory.c
@@ -885,6 +885,19 @@ sec_acquire_pages (size_t *sz,
DEBUG_ALLOC ("gkr-secure-memory: new block ", *sz);
+#if defined(HAVE_MADV_DONTDUMP)
+ if (madvise (pages, *sz, MADV_DONTDUMP) < 0) {
+ if (show_warning && egg_secure_warnings) {
+ /*
+ * Not fatal - this was added in Linux 3.4 and older
+ * kernels will legitimately fail this at runtime
+ */
+ fprintf (stderr, "couldn't MADV_DONTDUMP %lu bytes of memory (%s): %s\n",
+ (unsigned long)*sz, during_tag, strerror (errno));
+ }
+ }
+#endif
+
show_warning = 1;
return pages;
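Review bot: The warning in the added madvise() failure branch repeats on every successful block on a kernel that rejects MADV_DONTDUMP, because the unconditional `show_warning = 1;` that follows it resets the gate each time the mapping succeeds; a pre-3.4 kernel, which fails the call with EINVAL, would then emit one stderr line per allocation whenever egg_secure_warnings is set. A file-scope `static int dontdump_warned;` tested as `if (!dontdump_warned && egg_secure_warnings) {` and set with `dontdump_warned = 1;` inside the branch limits this to a single message, which seems closer to the once-per-failure reporting this function appears to use elsewhere. The comment on the new block should also state the protection's scope, e.g. "Only excludes these pages from kernel-written core dumps; a debugger or userspace crash reporter reading the process via ptrace or /proc/PID/mem is not affected, and PR_SET_DUMPABLE remains the complementary control", since the commit message's goal of keeping secrets out of uploaded crash reports is otherwise easy to over-read. The mlock probe visible in configure.ac suggests swap is handled separately, but that path is outside this hunk; sec_acquire_pages starts before the hunk as well.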