SELinux Mailing List

[RFC][PATCH 1/2] Further SELinux restrictions on mprotect

From: Lorenzo Hernández García-Hierro <lorenzo_at_gnu.org>
Date: Wed, 20 Apr 2005 19:18:00 +0200


Hi,

The following patch set implements additional SELinux permission checks on making memory executable via mprotect based on prior suggestions by Ulrich Drepper and follow-up discussions by Roland McGrath and Ingo Molnar, and some guidance/feedback from Stephen Smalley.

In order to properly test the effects of this patch set (aside from checking the return value of mprotect calls), one needs an underlying no-execute technology, whether software-based like exec-shield or PAX or hardware-based.

As paxtest performs a real test of the executability of the memory and doesn't just bail out on a failed mprotect call, you need the NX mechanism when testing with it.

The patch(es) need testing before deciding about their future regarding mainline merging or whatever else could be appropriate. This means that we need to identify and test applications where we need to allow execmem, e.g. for runtime code generation, but can still prevent making the stack or heap executable without loss of functionality. Note that there may be an issue with respect to the current handling of PT_GNU_STACK for such applications, e.g. they may be set up with an executable stack in the first place and thus the mprotect restrictions may never come into play.

Example candidates for testing are Valgrind, Java (jit-like compilers), ...

I encourage those interested in these patches, or just with some free time to "waste", to do such testing and report back the results, and to make any criticisms or comments.

I've made available a simplistic regression test suite (it doesn't do any fixed outputting), available at
http://pearls.tuxedo-es.org/patches/selinux/execstack-regression-0.1.tar.gz, which could be used, but I recommend using a "de-sabotaged" or just fixed paxtest.

The patches are known to work but have been tested only on i386 (IA-32).

The first patch, included inline below, adds an execstack permission check that controls the ability to make the main process stack executable so that attempts to make the stack executable can still be prevented even if the process is allowed the existing execmem permission in order to e.g. perform runtime code generation. Note that this does not yet address thread stacks. Note also that unlike the execmem check, the execstack check is only applied on mprotect calls, not mmap calls, as the current security_file_mmap hook is not passed the necessary information presently.

The original author of the code that makes the distinction of the stack region is Ingo Molnar, who wrote it within his patch for /proc/<pid>/maps markers:
http://marc.theaimsgroup.com/?l=linux-kernel&m=110719881508591&w=2

The patches also can be found at:
http://pearls.tuxedo-es.org/patches/selinux/policy-execstack.patch
http://pearls.tuxedo-es.org/patches/selinux/kernel-execstack.patch

policy-execstack.patch is the patch that needs to be applied to the policy in order to support the execstack permission and exclude it from general_domain_access within macros/core_macros.te.

kernel-execstack.patch adds that permission to the SELinux code within the kernel and adds the proper permission check to the selinux_file_mprotect() hook.

Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>

---

 linux-2.6-20050404-lorenzo/security/selinux/hooks.c                     |   10 ++++++++++
 linux-2.6-20050404-lorenzo/security/selinux/include/av_perm_to_string.h |    1 +
 linux-2.6-20050404-lorenzo/security/selinux/include/av_permissions.h    |    1 +
 3 files changed, 12 insertions(+)

diff -puN security/selinux/include/av_permissions.h~kernel-execstack security/selinux/include/av_permissions.h
--- linux-2.6-20050404/security/selinux/include/av_permissions.h~kernel-execstack	2005-04-20 18:13:57.552588928 +0200
+++ linux-2.6-20050404-lorenzo/security/selinux/include/av_permissions.h	2005-04-20 18:13:57.563587256 +0200
@@ -465,6 +465,7 @@

#define PROCESS__DYNTRANSITION 0x00800000UL
#define PROCESS__SETCURRENT 0x01000000UL
#define PROCESS__EXECMEM 0x02000000UL
+#define PROCESS__EXECSTACK 0x04000000UL
#define IPC__CREATE 0x00000001UL
#define IPC__DESTROY 0x00000002UL
diff -puN security/selinux/include/av_perm_to_string.h~kernel-execstack security/selinux/include/av_perm_to_string.h --- linux-2.6-20050404/security/selinux/include/av_perm_to_string.h~kernel-execstack 2005-04-20 18:13:57.554588624 +0200 +++ linux-2.6-20050404-lorenzo/security/selinux/include/av_perm_to_string.h 2005-04-20 18:13:57.563587256 +0200 @@ -70,6 +70,7 @@ S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition") S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent") S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem") + S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack") S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue") S_(SECCLASS_MSG, MSG__SEND, "send") S_(SECCLASS_MSG, MSG__RECEIVE, "receive") diff -puN security/selinux/hooks.c~kernel-execstack security/selinux/hooks.c --- linux-2.6-20050404/security/selinux/hooks.c~kernel-execstack 2005-04-20 18:13:57.558588016 +0200 +++ linux-2.6-20050404-lorenzo/security/selinux/hooks.c 2005-04-20 18:14:19.424263928 +0200 @@ -2478,6 +2478,16 @@ static int selinux_file_mprotect(struct if (rc) return rc; } + if (!vma->vm_file && (prot & PROT_EXEC) && + vma->vm_start <= vma->vm_mm->start_stack && + vma->vm_end >= vma->vm_mm->start_stack) { + /* Attempt to make the process stack executable. + * This has an additional execstack check. + */ + rc = task_has_perm(current, current, PROCESS__EXECSTACK); + if (rc) + return rc; + }
#endif
return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); _ -- Lorenzo Hernández García-Hierro <lorenzo@gnu.org> [1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]

-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Wed 20 Apr 2005 - 14:05:35 EDT
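To see the hook's decision without a patched kernel, here is an added example in C that models it in user space; this is not code from the patch, the kernel or the author. It parses /proc/<pid>/maps lines (the ones in the test are constructed), applies the execstack condition exactly as the hooks.c hunk writes it, and then the execmem condition (anonymous mapping, or private mapping made writable) that file_map_prot_check() used in 2.6 kernels of that period, which is an assumption here since its body is not on the page. The names vma_model, parse_maps_line, classify_mprotect, probe_exec and the CHECK_* values are invented for the example. main() additionally runs the live probe the cover letter describes: it asks mprotect() for PROT_EXEC on an anonymous page and on a stack page and reports the result (EACCES on a kernel carrying this patch with a policy that denies execstack; success on a stock kernel unless the policy denies execmem).

```c
/* Added example: user-space model of the patched selinux_file_mprotect()
 * decision, plus a live mprotect() probe. Not part of the patch or kernel. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The vm_area_struct fields the hook reads, recovered from a maps line. */
struct vma_model {
    unsigned long vm_start;
    unsigned long vm_end;
    int has_file;   /* vma->vm_file != NULL */
    int shared;     /* vma->vm_flags & VM_SHARED ('s' in the perms column) */
};

/* Which SELinux check a PROT_EXEC request would reach (names invented). */
enum check {
    CHECK_NONE = 0,        /* no PROT_EXEC requested: no execute check */
    CHECK_EXECSTACK = 1,   /* the patch's new process:execstack check */
    CHECK_EXECMEM = 2,     /* process:execmem inside file_map_prot_check() */
    CHECK_FILE_EXECUTE = 3 /* file-backed: file execute (and execmod) checks */
};

/* Parse one /proc/<pid>/maps line. Returns 0 on success, -1 on a bad line. */
int parse_maps_line(const char *line, struct vma_model *out)
{
    char perms[5];
    int consumed = 0;

    /* address range, perms, offset, dev, inode; %n marks where the path starts */
    if (sscanf(line, "%lx-%lx %4s %*lx %*s %*u%n",
               &out->vm_start, &out->vm_end, perms, &consumed) < 3)
        return -1;

    const char *path = line + consumed;
    while (*path == ' ' || *path == '\t')
        path++;
    /* "[stack]", "[heap]", "[vdso]" are pseudo-names, not files */
    out->has_file = (*path != '\0' && *path != '\n' && *path != '[');
    out->shared = (perms[3] == 's');
    return 0;
}

/* Order of checks after the patch: the execstack test from the hunk first,
 * then file_map_prot_check(). The execmem condition (anonymous, or private
 * and writable) is assumed from the 2.6 hook of that time. */
enum check classify_mprotect(const struct vma_model *v, int prot,
                             unsigned long start_stack)
{
    if (!(prot & PROT_EXEC))
        return CHECK_NONE;
    if (!v->has_file && v->vm_start <= start_stack && v->vm_end >= start_stack)
        return CHECK_EXECSTACK;
    if (!v->has_file || (!v->shared && (prot & PROT_WRITE)))
        return CHECK_EXECMEM;
    return CHECK_FILE_EXECUTE;
}

/* Live probe: add PROT_EXEC to the page containing addr.
 * Returns 0 on success, otherwise errno (EACCES when SELinux denies). */
int probe_exec(void *addr)
{
    unsigned long page = (unsigned long)sysconf(_SC_PAGESIZE);
    void *base = (void *)((unsigned long)addr & ~(page - 1));

    if (mprotect(base, page, PROT_READ | PROT_WRITE | PROT_EXEC) == 0)
        return 0;
    return errno;
}

int main(void)
{
    int local = 0;                         /* lives in the [stack] vma */
    long page = sysconf(_SC_PAGESIZE);
    void *anon = mmap(NULL, page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (anon == MAP_FAILED) {
        perror("mmap");
        return 1;
    }

    int rc = probe_exec(anon);             /* execmem path */
    printf("anonymous page  -> PROT_EXEC: %s\n", rc ? strerror(rc) : "allowed");
    rc = probe_exec(&local);               /* execstack path with the patch */
    printf("stack page      -> PROT_EXEC: %s\n", rc ? strerror(rc) : "allowed");

    munmap(anon, page);
    return 0;
}
```

Run it once in a domain that has execmem but not execstack: the first probe should succeed and the second should fail with EACCES and produce an avc denial naming execstack, which is the observable difference the patch introduces. On a stock kernel both probes report "allowed" (or both EACCES if the domain lacks execmem), so a difference between the two lines is the signal that the new check is in effect.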
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009