| Message ID | 1497286620-15027-6-git-send-email-s.mesoraca16@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
On 6/12/2017 9:56 AM, Salvatore Mesoraca wrote: > Creation of a new LSM hook to check if a given configuration of vmflags, > for a new memory allocation request, should be allowed or not. > It's placed in "do_mmap", "do_brk_flags" and "__install_special_mapping". > > Signed-off-by: Salvatore Mesoraca <s.mesoraca16@gmail.com> > Cc: linux-mm@kvack.org > --- > include/linux/lsm_hooks.h | 6 ++++++ > include/linux/security.h | 6 ++++++ > mm/mmap.c | 9 +++++++++ > security/security.c | 5 +++++ > 4 files changed, 26 insertions(+) > > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index cc0937e..6934cc5 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -483,6 +483,10 @@ > * @reqprot contains the protection requested by the application. > * @prot contains the protection that will be applied by the kernel. > * Return 0 if permission is granted. > + * @check_vmflags: > + * Check if the requested @vmflags are allowed. > + * @vmflags contains requested the vmflags. > + * Return 0 if the operation is allowed to continue. > * @file_lock: > * Check permission before performing file locking operations. > * Note: this hook mediates both flock and fcntl style locks. > @@ -1482,6 +1486,7 @@ > unsigned long prot, unsigned long flags); > int (*file_mprotect)(struct vm_area_struct *vma, unsigned long reqprot, > unsigned long prot); > + int (*check_vmflags)(vm_flags_t vmflags); > int (*file_lock)(struct file *file, unsigned int cmd); > int (*file_fcntl)(struct file *file, unsigned int cmd, > unsigned long arg); > @@ -1753,6 +1758,7 @@ struct security_hook_heads { > struct list_head mmap_addr; > struct list_head mmap_file; > struct list_head file_mprotect; > + struct list_head check_vmflags; > struct list_head file_lock; > struct list_head file_fcntl; > struct list_head file_set_fowner; > diff --git a/include/linux/security.h b/include/linux/security.h > index 19bc364..67e33b6 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -302,6 +302,7 @@ int security_mmap_file(struct file *file, unsigned long prot, > int security_mmap_addr(unsigned long addr); > int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, > unsigned long prot); > +int security_check_vmflags(vm_flags_t vmflags); > int security_file_lock(struct file *file, unsigned int cmd); > int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg); > void security_file_set_fowner(struct file *file); > @@ -830,6 +831,11 @@ static inline int security_file_mprotect(struct vm_area_struct *vma, > return 0; > } > > +static inline int security_check_vmflags(vm_flags_t vmflags) > +{ > + return 0; > +} > + > static inline int security_file_lock(struct file *file, unsigned int cmd) > { > return 0; > diff --git a/mm/mmap.c b/mm/mmap.c > index f82741e..e19f04e 100644 > --- a/mm/mmap.c > +++ b/mm/mmap.c > @@ -1363,6 +1363,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr, > vm_flags |= calc_vm_prot_bits(prot, pkey) | calc_vm_flag_bits(flags) | > mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; > > + if (security_check_vmflags(vm_flags)) > + return -EPERM; > + Have the hook return a value and return that rather than -EPERM. That way a security module can choose an error that it determines is appropriate. It is possible that a module might want to deny the access for a reason other than lack of privilege. > if (flags & MAP_LOCKED) > if (!can_do_mlock()) > return -EPERM; > @@ -2833,6 +2836,9 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long > return -EINVAL; > flags |= VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; > > + if (security_check_vmflags(flags)) > + return -EPERM; > + Same here > error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED); > if (offset_in_page(error)) > return error; > @@ -3208,6 +3214,9 @@ static struct vm_area_struct *__install_special_mapping( > int ret; > struct vm_area_struct *vma; > > + if (security_check_vmflags(vm_flags)) > + return ERR_PTR(-EPERM); > + And here. > vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); > if (unlikely(vma == NULL)) > return ERR_PTR(-ENOMEM); > diff --git a/security/security.c b/security/security.c > index e390f99..25d58f0 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -905,6 +905,11 @@ int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, > return call_int_hook(file_mprotect, 0, vma, reqprot, prot); > } > > +int security_check_vmflags(vm_flags_t vmflags) > +{ > + return call_int_hook(check_vmflags, 0, vmflags); > +} > + > int security_file_lock(struct file *file, unsigned int cmd) > { > return call_int_hook(file_lock, 0, file, cmd);
On Mon, Jun 12, 2017 at 06:56:54PM +0200, Salvatore Mesoraca wrote: > Creation of a new LSM hook to check if a given configuration of vmflags, > for a new memory allocation request, should be allowed or not. > It's placed in "do_mmap", "do_brk_flags" and "__install_special_mapping". Please always post the whole series including the users, thanks.
2017-06-13 8:34 GMT+02:00 Christoph Hellwig <hch@infradead.org>:
> Please always post the whole series including the users, thanks.
I'm sorry for the inconvenience, it won't happen again.
Thank you for your comment.
2017-06-12 23:31 GMT+02:00 Casey Schaufler <casey@schaufler-ca.com>: > Have the hook return a value and return that rather > than -EPERM. That way a security module can choose an > error that it determines is appropriate. It is possible > that a module might want to deny the access for a reason > other than lack of privilege. > [...] > > Same here > > [...] > > And here. Yes, I think you are right. I'll fix it in the next version. Thank you very much for taking the time to review my patch.
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index cc0937e..6934cc5 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -483,6 +483,10 @@ * @reqprot contains the protection requested by the application. * @prot contains the protection that will be applied by the kernel. * Return 0 if permission is granted. + * @check_vmflags: + * Check if the requested @vmflags are allowed. + * @vmflags contains requested the vmflags. + * Return 0 if the operation is allowed to continue. * @file_lock: * Check permission before performing file locking operations. * Note: this hook mediates both flock and fcntl style locks. @@ -1482,6 +1486,7 @@ unsigned long prot, unsigned long flags); int (*file_mprotect)(struct vm_area_struct *vma, unsigned long reqprot, unsigned long prot); + int (*check_vmflags)(vm_flags_t vmflags); int (*file_lock)(struct file *file, unsigned int cmd); int (*file_fcntl)(struct file *file, unsigned int cmd, unsigned long arg); @@ -1753,6 +1758,7 @@ struct security_hook_heads { struct list_head mmap_addr; struct list_head mmap_file; struct list_head file_mprotect; + struct list_head check_vmflags; struct list_head file_lock; struct list_head file_fcntl; struct list_head file_set_fowner; diff --git a/include/linux/security.h b/include/linux/security.h index 19bc364..67e33b6 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -302,6 +302,7 @@ int security_mmap_file(struct file *file, unsigned long prot, int security_mmap_addr(unsigned long addr); int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, unsigned long prot); +int security_check_vmflags(vm_flags_t vmflags); int security_file_lock(struct file *file, unsigned int cmd); int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg); void security_file_set_fowner(struct file *file); @@ -830,6 +831,11 @@ static inline int security_file_mprotect(struct vm_area_struct *vma, return 0; } +static inline int security_check_vmflags(vm_flags_t vmflags) +{ + return 0; +} + static inline int security_file_lock(struct file *file, unsigned int cmd) { return 0; diff --git a/mm/mmap.c b/mm/mmap.c index f82741e..e19f04e 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1363,6 +1363,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr, vm_flags |= calc_vm_prot_bits(prot, pkey) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; + if (security_check_vmflags(vm_flags)) + return -EPERM; + if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; @@ -2833,6 +2836,9 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long return -EINVAL; flags |= VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; + if (security_check_vmflags(flags)) + return -EPERM; + error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED); if (offset_in_page(error)) return error; @@ -3208,6 +3214,9 @@ static struct vm_area_struct *__install_special_mapping( int ret; struct vm_area_struct *vma; + if (security_check_vmflags(vm_flags)) + return ERR_PTR(-EPERM); + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (unlikely(vma == NULL)) return ERR_PTR(-ENOMEM); diff --git a/security/security.c b/security/security.c index e390f99..25d58f0 100644 --- a/security/security.c +++ b/security/security.c @@ -905,6 +905,11 @@ int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, return call_int_hook(file_mprotect, 0, vma, reqprot, prot); } +int security_check_vmflags(vm_flags_t vmflags) +{ + return call_int_hook(check_vmflags, 0, vmflags); +} + int security_file_lock(struct file *file, unsigned int cmd) { return call_int_hook(file_lock, 0, file, cmd);
Creation of a new LSM hook to check if a given configuration of vmflags, for a new memory allocation request, should be allowed or not. It's placed in "do_mmap", "do_brk_flags" and "__install_special_mapping". Signed-off-by: Salvatore Mesoraca <s.mesoraca16@gmail.com> Cc: linux-mm@kvack.org --- include/linux/lsm_hooks.h | 6 ++++++ include/linux/security.h | 6 ++++++ mm/mmap.c | 9 +++++++++ security/security.c | 5 +++++ 4 files changed, 26 insertions(+)