SELinux Mailing List
[RFC][PATCH 1/2] Further SELinux restrictions on mprotect
From: Lorenzo Hernández García-Hierro <lorenzo_at_gnu.org>
Date: Wed, 20 Apr 2005 19:18:00 +0200
The following patch set implements additional SELinux permission checks on making memory executable via mprotect based on prior suggestions by Ulrich Drepper and follow-up discussions by Roland McGrath and Ingo Molnar, and some guidance/feedback from Stephen Smalley.

In order to properly test the effects of this patch set (aside from checking the return value of mprotect calls), one needs an underlying no-execute technology, whether software-based like exec-shield or PAX or hardware-based. As paxtest performs a real test of the executability of the memory and doesn't just bail out on a failed mprotect call, you need the NX mechanism when testing with it.

The patch(es) need testing before deciding about their future regarding mainline merging or whatever else could be appropriate. This means that we need to identify and test applications where we need to allow execmem, e.g. for runtime-code generation, but can still prevent making the stack executable or heap executable without loss in functionality. Note that there may be an issue with respect to the current handling of PT_GNU_STACK for such applications, e.g. they may be set up with an executable stack in the first place and thus the mprotect restrictions may never come into play.

Example candidates for testing are Valgrind, Java (jit-like compilers), ... I encourage those interested in these patches, or just with some free time to "waste", to do such testing and give back the results, and to suggest and make any criticisms or comments.
I've made available a regression test suite, simplistic (doesn't do any fixed outputting), available at
The patches are known to work but have been tested only on i386 (IA-32). The first patch, included inline below, adds an execstack permission check that controls the ability to make the main process stack executable so that attempts to make the stack executable can still be prevented even if the process is allowed the existing execmem permission in order to e.g. perform runtime code generation. Note that this does not yet address thread stacks. Note also that unlike the execmem check, the execstack check is only applied on mprotect calls, not mmap calls, as the current security_file_mmap hook is not passed the necessary information presently.
The original author of the code that makes the distinction of the stack region is Ingo Molnar, who wrote it within his patch for /proc/<pid>/maps markers.
The patches can also be found at:
policy-execstack.patch is the patch that needs to be applied to the policy in order to support the execstack permission and exclude it from general_domain_access within macros/core_macros.te. kernel-execstack.patch adds such permission to the SELinux code within the kernel and adds the proper permission check to the selinux_file_mprotect() hook.

Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
---
 linux-2.6-20050404-lorenzo/security/selinux/hooks.c | 10 ++++++++++
 linux-2.6-20050404-lorenzo/security/selinux/include/av_perm_to_string.h | 1 +
 linux-2.6-20050404-lorenzo/security/selinux/include/av_permissions.h | 1 +
 3 files changed, 12 insertions(+)

diff -puN security/selinux/include/av_permissions.h~kernel-execstack security/selinux/include/av_permissions.h
--- linux-2.6-20050404/security/selinux/include/av_permissions.h~kernel-execstack 2005-04-20 18:13:57.552588928 +0200
+++ linux-2.6-20050404-lorenzo/security/selinux/include/av_permissions.h 2005-04-20 18:13:57.563587256 +0200
@@ -465,6 +465,7 @@

Received on Wed 20 Apr 2005 - 14:05:35 EDT
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009