fix(security): extend /proc read block to smaps, smaps_rollup, numa_maps, mem

PR #4609 blocked /proc/*/maps to prevent ASLR layout leakage, but the
endswith("/maps") check does not match /proc/*/smaps or
/proc/*/smaps_rollup — both expose the same virtual-address layout and
bypass the guard.  /proc/*/numa_maps carries the same data with NUMA
annotations and is equally bypassed.  /proc/*/mem (raw process memory)
is added as defence-in-depth; it requires address knowledge to exploit
but is blocked for consistency.

Extends the endswith tuple in _is_blocked_device_path() to cover all
four variants and adds regression assertions for all new paths to
test_proc_sensitive_pseudo_files_blocked.

Partially addresses #4427.
This commit is contained in:
AhmetArif0 2026-05-25 23:34:46 +03:00 committed by Teknium
parent 275e293f54
commit 64e6b98ba8
2 changed files with 15 additions and 4 deletions

View file

@ -93,7 +93,7 @@ class TestDevicePathBlocking(unittest.TestCase):
self.assertFalse(_is_blocked_device_path("/proc/self/fd/3"))
def test_proc_sensitive_pseudo_files_blocked(self):
"""environ/cmdline/maps under /proc/<pid> must be blocked (issue #4427)."""
"""environ/cmdline/maps (and maps variants) under /proc/<pid> must be blocked (issue #4427)."""
for path in (
"/proc/self/environ",
"/proc/12345/environ",
@ -101,6 +101,14 @@ class TestDevicePathBlocking(unittest.TestCase):
"/proc/99/cmdline",
"/proc/self/maps",
"/proc/1/maps",
"/proc/self/smaps",
"/proc/12345/smaps",
"/proc/self/smaps_rollup",
"/proc/99/smaps_rollup",
"/proc/self/numa_maps",
"/proc/1/numa_maps",
"/proc/self/mem",
"/proc/12345/mem",
):
self.assertTrue(_is_blocked_device(path), f"{path} should be blocked")

View file

@ -362,10 +362,13 @@ def _is_blocked_device_path(path: str) -> bool:
("/fd/0", "/fd/1", "/fd/2")
):
return True
# /proc/*/environ, /proc/*/cmdline, /proc/*/maps can leak secrets,
# command-line args, and memory layout from the host process (issue #4427)
# /proc/*/environ, /proc/*/cmdline, /proc/*/maps (and the maps variants
# smaps, smaps_rollup, numa_maps) can leak secrets, command-line args, and
# memory layout (ASLR bypass) from the host process (issue #4427).
# /proc/*/mem exposes raw process memory; block it as defense-in-depth even
# though it requires address knowledge to exploit usefully.
if normalized.startswith("/proc/") and normalized.endswith(
("/environ", "/cmdline", "/maps")
("/environ", "/cmdline", "/maps", "/smaps", "/smaps_rollup", "/numa_maps", "/mem")
):
return True
return False