procfs: unset MS_RDONLY for proc handle

cyphar · cyphar · commit a52051e21da2 · 2025-06-24T02:41:56.000+10:00
When the procfs API was only used internally, it made sense for us to
set MS_RDONLY to reduce the attack surface of a leaked file descriptor.
However, now that we expose the procfs API users will want to write to
procfs files. subset=pids is the best protection we can offer for
fsopen(2) procfs handles.

Maybe there is an argument that we should try to unset MS_RDONLY for
open_tree(2) procfs handles but this is just going to lead to possible
complications (if the flag is set on the superblock then you would need
to fspick(2) and FSCONFIG_RECONFIGURE to unset it on the superblock,
which is probably not even desirable behaviour).

Signed-off-by: Aleksa Sarai &lt;cyphar@cyphar.com&gt;
diff --git a/procfs_linux.go b/procfs_linux.go
@@ -122,7 +122,7 @@ func newPrivateProcMount() (*os.File, error) {
 	if err := unix.FsconfigCreate(int(procfsCtx.Fd())); err != nil {
 		return nil, os.NewSyscallError("fsconfig create procfs", err)
 	}
-	return fsmount(procfsCtx, unix.FSMOUNT_CLOEXEC, unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID)
+	return fsmount(procfsCtx, unix.FSMOUNT_CLOEXEC, unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID)
 }
 
 func openTree(dir *os.File, path string, flags uint) (*os.File, error) {

Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ func newPrivateProcMount() (*os.File, error) {`
`122`	`122`	`if err := unix.FsconfigCreate(int(procfsCtx.Fd())); err != nil {`
`123`	`123`	`return nil, os.NewSyscallError("fsconfig create procfs", err)`
`124`	`124`	`}`
`125`		`- return fsmount(procfsCtx, unix.FSMOUNT_CLOEXEC, unix.MS_RDONLY\|unix.MS_NODEV\|unix.MS_NOEXEC\|unix.MS_NOSUID)`
	`125`	`+ return fsmount(procfsCtx, unix.FSMOUNT_CLOEXEC, unix.MS_NODEV\|unix.MS_NOEXEC\|unix.MS_NOSUID)`
`126`	`126`	`}`
`127`	`127`
`128`	`128`	`func openTree(dir os.File, path string, flags uint) (os.File, error) {`