diff --git a/tests/tools/test_file_read_guards.py b/tests/tools/test_file_read_guards.py index 3a8e2a0c1ab..ad12dc78a2f 100644 --- a/tests/tools/test_file_read_guards.py +++ b/tests/tools/test_file_read_guards.py @@ -93,7 +93,7 @@ class TestDevicePathBlocking(unittest.TestCase): self.assertFalse(_is_blocked_device_path("/proc/self/fd/3")) def test_proc_sensitive_pseudo_files_blocked(self): - """environ/cmdline/maps under /proc/ must be blocked (issue #4427).""" + """environ/cmdline/maps (and maps variants) under /proc/ must be blocked (issue #4427).""" for path in ( "/proc/self/environ", "/proc/12345/environ", @@ -101,6 +101,14 @@ class TestDevicePathBlocking(unittest.TestCase): "/proc/99/cmdline", "/proc/self/maps", "/proc/1/maps", + "/proc/self/smaps", + "/proc/12345/smaps", + "/proc/self/smaps_rollup", + "/proc/99/smaps_rollup", + "/proc/self/numa_maps", + "/proc/1/numa_maps", + "/proc/self/mem", + "/proc/12345/mem", ): self.assertTrue(_is_blocked_device(path), f"{path} should be blocked") diff --git a/tools/file_tools.py b/tools/file_tools.py index e138fe6e537..b85ab9726de 100644 --- a/tools/file_tools.py +++ b/tools/file_tools.py @@ -362,10 +362,13 @@ def _is_blocked_device_path(path: str) -> bool: ("/fd/0", "/fd/1", "/fd/2") ): return True - # /proc/*/environ, /proc/*/cmdline, /proc/*/maps can leak secrets, - # command-line args, and memory layout from the host process (issue #4427) + # /proc/*/environ, /proc/*/cmdline, /proc/*/maps (and the maps variants + # smaps, smaps_rollup, numa_maps) can leak secrets, command-line args, and + # memory layout (ASLR bypass) from the host process (issue #4427). + # /proc/*/mem exposes raw process memory; block it as defense-in-depth even + # though it requires address knowledge to exploit usefully. if normalized.startswith("/proc/") and normalized.endswith( - ("/environ", "/cmdline", "/maps") + ("/environ", "/cmdline", "/maps", "/smaps", "/smaps_rollup", "/numa_maps", "/mem") ): return True return False