Don't dump areas flagged with MADV_DONTDUMP

[gabrielesvelto]

The madvise() syscall has the ability to exclude regions of memories from core dumps. This is achieved by setting the MADV_DONTDUMP flag on those regions. One of its uses is keeping sensitive data out of core dumps (such as encryption keys). This would require some changes as the flag set by MADV_DONTDUMP is not surfaced in /proc/<pid>/maps, but it does appear in /proc/<pid>/smaps, here's an example:

7ffe540ad000-7ffe540b1000 r--p 00000000 00:00 0                          [vvar]
Size:                 16 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Rss:                   0 kB
Pss:                   0 kB
Pss_Dirty:             0 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:            0 kB
Anonymous:             0 kB
KSM:                   0 kB
LazyFree:              0 kB
AnonHugePages:         0 kB
ShmemPmdMapped:        0 kB
FilePmdMapped:         0 kB
Shared_Hugetlb:        0 kB
Private_Hugetlb:       0 kB
Swap:                  0 kB
SwapPss:               0 kB
Locked:                0 kB
THPeligible:           0
VmFlags: rd mr pf io de dd sd

Notice the dd entry in the VmFlags? That means the memory area shouldn't be dumped. We'd have to switch the way we parse memory mappings from /proc/<pid>/maps to /proc/<pid>/smaps. This isn't urgent BTW, but I wanted to write it down so I don't forget.

[medioxor]

would it be possible to choose if MADV_DONTDUMP should be honoured via some config flag or the like instead of making it default? for example i'm using this crate for memory acquisition during forensic analysis and its really important that i'm getting the full picture of all memory

[gabrielesvelto]

I'd like this to be the default behavior but we can definitely have an opt-out.

[medioxor]

perfect thank you :)