From patchwork Thu Nov  3 03:04:46 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jann Horn <jann@thejh.net>
X-Patchwork-Id: 9410091
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	04A83601C2
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Thu,  3 Nov 2016 03:05:28 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EAE5D2A6BA
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Thu,  3 Nov 2016 03:05:27 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id DF9AB2A6D8; Thu,  3 Nov 2016 03:05:27 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 431582A6BA
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Thu,  3 Nov 2016 03:05:27 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751072AbcKCDFC (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Wed, 2 Nov 2016 23:05:02 -0400
Received: from thejh.net ([37.221.195.125]:35376 "EHLO thejh.net"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751019AbcKCDE5 (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Wed, 2 Nov 2016 23:04:57 -0400
Received: from pc.thejh.net (pc.vpn [192.168.44.2])
	by thejh.net (Postfix) with ESMTPSA id 5D7F1180A42;
	Thu,  3 Nov 2016 04:04:55 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=thejh.net; s=s2016;
	t=1478142295; bh=bfhtkGE5izrJsB13LNLCTdTPv1mRDcfcL5q769kdIWI=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=QozY0jVL0LsT1R23GMXQl6V8hsw0qSliZR4xt7hsUoGGmKTIEkMaU2dAYG9LInQu1
	GSTC1L7bRaTBdT55b2p23NUpAv3Yzu4RzF55R3RIPiy6xINgFNKVB8Q1+cHvFje+Vv
	S2peRsGqP67jOm/+HBac0IrIAJ4bDzf8ac3oR9GJZ7B58NcXI2PIX1UD1kfKN1bcnl
	e8A95go9a22TuCXqNBNTwgefe03jrPs/lgWUEI6l1pf7IbSzVspiu994fKpRVFEkV9
	9iQq5RWqOMGI34DW2AYyEAdILp6Yb3tTKAM0QIe3nO79BD58UYU5s0XgntEKFFcuw+
	K+ivpJzt5s0Aw==
From: Jann Horn <jann@thejh.net>
To: security@kernel.org, Alexander Viro <viro@zeniv.linux.org.uk>,
	Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>,
	Eric Paris <eparis@parisplace.org>,
	James Morris <james.l.morris@oracle.com>,
	"Serge E. Hallyn" <serge@hallyn.com>, mchong@google.com,
	Andy Lutomirski <luto@amacapital.net>, Ingo Molnar <mingo@kernel.org>,
	Oleg Nesterov <oleg@redhat.com>, Nick Kralevich <nnk@google.com>,
	Janis Danisevskis <jdanis@google.com>
Cc: linux-security-module@vger.kernel.org, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH v3 3/3] selinux: require EXECMEM for forced ptrace poke
Date: Thu,  3 Nov 2016 04:04:46 +0100
Message-Id: <1478142286-18427-6-git-send-email-jann@thejh.net>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1478142286-18427-1-git-send-email-jann@thejh.net>
References: <1478142286-18427-1-git-send-email-jann@thejh.net>
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

This restricts forced writes to private R+X mappings using the EXECMEM
permission. To avoid a breaking change, a new policy capability needs to
be enabled before the new restrictions take effect.

Unlike most other SELinux hooks, this one takes the subject credentials as
an argument instead of looking up current_cred(). This is done because the
security_forced_write() LSM hook can be invoked from within the write
handler of /proc/$pid/mem, where current_cred() is pretty useless.

Changed in v3:
 - minor: symmetric comment (Ingo Molnar)
 - use helper struct (Ingo Molnar)
 - add new policy capability for enabling forced write checks
   (Stephen Smalley)

Signed-off-by: Jann Horn <jann@thejh.net>
---
 security/selinux/hooks.c            | 15 +++++++++++++++
 security/selinux/include/security.h |  2 ++
 security/selinux/selinuxfs.c        |  3 ++-
 security/selinux/ss/services.c      |  3 +++
 4 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 09fd6108e421..cdd9c53db2ed 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2144,6 +2144,20 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
 	return task_has_perm(parent, current, PROCESS__PTRACE);
 }
 
+static int selinux_forced_write(struct vm_area_struct *vma,
+				const struct gup_creds *creds)
+{
+	/*
+	 * Permitting a write to readonly memory is fine - making the readonly
+	 * memory executable afterwards would require EXECMOD permission because
+	 * anon_vma would be non-NULL.
+	 */
+	if (!selinux_policycap_forcedwrite || (vma->vm_flags & VM_EXEC) == 0)
+		return 0;
+
+	return cred_has_perm(creds->subject, creds->object, PROCESS__EXECMEM);
+}
+
 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
 {
@@ -6085,6 +6099,7 @@ static struct security_hook_list selinux_hooks[] = {
 
 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
+	LSM_HOOK_INIT(forced_write, selinux_forced_write),
 	LSM_HOOK_INIT(capget, selinux_capget),
 	LSM_HOOK_INIT(capset, selinux_capset),
 	LSM_HOOK_INIT(capable, selinux_capable),
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 308a286c6cbe..87228f0ff09c 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -71,6 +71,7 @@ enum {
 	POLICYDB_CAPABILITY_OPENPERM,
 	POLICYDB_CAPABILITY_REDHAT1,
 	POLICYDB_CAPABILITY_ALWAYSNETWORK,
+	POLICYDB_CAPABILITY_FORCEDWRITE,
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
@@ -78,6 +79,7 @@ enum {
 extern int selinux_policycap_netpeer;
 extern int selinux_policycap_openperm;
 extern int selinux_policycap_alwaysnetwork;
+extern int selinux_policycap_forcedwrite;
 
 /*
  * type_datum properties
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 72c145dd799f..a646cb801242 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -46,7 +46,8 @@ static char *policycap_names[] = {
 	"network_peer_controls",
 	"open_perms",
 	"redhat1",
-	"always_check_network"
+	"always_check_network",
+	"forced_write"
 };
 
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 082b20c78363..4017810030d6 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -73,6 +73,7 @@
 int selinux_policycap_netpeer;
 int selinux_policycap_openperm;
 int selinux_policycap_alwaysnetwork;
+int selinux_policycap_forcedwrite;
 
 static DEFINE_RWLOCK(policy_rwlock);
 
@@ -1990,6 +1991,8 @@ static void security_load_policycaps(void)
 						  POLICYDB_CAPABILITY_OPENPERM);
 	selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
 						  POLICYDB_CAPABILITY_ALWAYSNETWORK);
+	selinux_policycap_forcedwrite = ebitmap_get_bit(&policydb.policycaps,
+						  POLICYDB_CAPABILITY_FORCEDWRITE);
 }
 
 static int security_preserve_bools(struct policydb *p);