diff options
author | Matthew Garrett <matthewgarrett@google.com> | 2019-04-19 13:08:32 -0700 |
---|---|---|
committer | Daiki Ueno <dueno@src.gnome.org> | 2019-04-20 08:29:34 +0200 |
commit | e6822428ebfe3b61bfa5df7e04a5e1af7f2048ca (patch) | |
tree | 9e0b86547749c30acfc41a0f3d3ed788e1072781 | |
parent | 91bc9368ca2eedef0dec3f5aa81f641ced07a9b6 (diff) | |
download | gnome-keyring-e6822428ebfe3b61bfa5df7e04a5e1af7f2048ca.tar.gz |
egg: Request that secure memory not be dumped to disk
Linux 3.4 added support for the MADV_DONTDUMP option to madvise(), which
requests that the covered memory not be included in coredumps. It makes
sense to use this to prevent cases where application crashes could
result in secrets being persisted to disk or included in dumps that are
uploaded to remote servers for analysis. I've avoided making this fatal
since there's a chance this code could be built on systems that have
MADV_DONTDUMP but run on systems that don't.
-rw-r--r-- | configure.ac | 8 | ||||
-rw-r--r-- | egg/egg-secure-memory.c | 13 |
2 files changed, 21 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac index 4b836641..de0c759b 100644 --- a/configure.ac +++ b/configure.ac @@ -184,6 +184,14 @@ AC_CHECK_FUNCS(gettimeofday fsync) AC_CHECK_FUNCS(mlock) # -------------------------------------------------------------------- +# Prevent memory from being included in core dumps +# + +AC_CHECK_DEFINE([sys/mman.h],[MADV_DONTDUMP], + AC_DEFINE([HAVE_MADV_DONTDUMP], [1], + [Define if madvise knows about MADV_DONTDUMP])) + +# -------------------------------------------------------------------- # socket() # diff --git a/egg/egg-secure-memory.c b/egg/egg-secure-memory.c index bc82184a..3dca8fb5 100644 --- a/egg/egg-secure-memory.c +++ b/egg/egg-secure-memory.c @@ -885,6 +885,19 @@ sec_acquire_pages (size_t *sz, DEBUG_ALLOC ("gkr-secure-memory: new block ", *sz); +#if defined(HAVE_MADV_DONTDUMP) + if (madvise (pages, *sz, MADV_DONTDUMP) < 0) { + if (show_warning && egg_secure_warnings) { + /* + * Not fatal - this was added in Linux 3.4 and older + * kernels will legitimately fail this at runtime + */ + fprintf (stderr, "couldn't MADV_DONTDUMP %lu bytes of memory (%s): %s\n", + (unsigned long)*sz, during_tag, strerror (errno)); + } + } +#endif + show_warning = 1; return pages; |