From patchwork Mon Sep 11 19:50:24 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Salvatore Mesoraca X-Patchwork-Id: 9948011 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 94A63603F4 for ; Mon, 11 Sep 2017 19:53:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8D42B28D31 for ; Mon, 11 Sep 2017 19:53:03 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 818DF28D38; Mon, 11 Sep 2017 19:53:03 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 867F628D40 for ; Mon, 11 Sep 2017 19:53:01 +0000 (UTC) Received: (qmail 3211 invoked by uid 550); 11 Sep 2017 19:52:03 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 2021 invoked from network); 11 Sep 2017 19:51:57 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=qjXjkYcknWNDE6dwVThUdo8+g0CAZyzYAkXApaBsPAE=; b=LnzM+dSowiASI4oEaicRg3oK1ZsGHjqskoKSD8dwHQ0M02PdrXdB9IU9+wLSt7aIgU nuPFzwzicExag2zLr0/QuWFSHX3Sf1B2H6TYr9TtRYT6cH2BVm/CF2+zcx4iEVidaigN PwjH8RuTdPajEz6KkIXevqmUjhTHGpTtpUUI9Lqziq0+NoRFdd2eRQ9YpmQl5P5AjEgS lG2z6DdubTeVagUxouRSh7tS1byYVNCarza4lP4AxZ/aUjtoWAs8GfNQqIcxhei7Sp5l 2xROpgQHAfcKJMd+rYLYTDXpu4DeId/aSgD2wJwbqLImgBfCrTYSeSRB65Nr04BHxq/X HUrg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=qjXjkYcknWNDE6dwVThUdo8+g0CAZyzYAkXApaBsPAE=; b=J9z6ov7UKoX1ZCfaC4H7uouS9QbYa5yU8OiceAlx9Z9KOAbxEej1IPzs5nioD9OmR3 NdwM3cd6YqvzO0pyaT997zgeNU9+yZOELM+OGfSw71wSfojJOJlTF+9VSj1SrTVMj4fh ARIjzW9rzprD4StJc6BfcvKqBMDwIaxSRCr7edNlIaC/Plc4v/sN+nuaYUPKnAKHHEft uk8RMJl6UE1jxl50cUd3khmeySSvwxauJ9Lmm2TdKgS2IHdw0EDYrEwJYTFFr2TXHz4P eE5nNoKUP8YxA9V3qxG2X5MdXq873adInsbEsqcjjhbmsjq9UWctya+LSVkQJZRwU1f4 u7og== X-Gm-Message-State: AHPjjUhU41iBpKZuaLnMVBwCsoQM7vVXJsFSPbSxRdQP10jliRkxDWCx f47J6iBDd0LHgA== X-Google-Smtp-Source: AOwi7QAAN5zW1z27g4ggyRenA1nr9+XURrILBlfD4b39051J0qO+t9e2J6xqX1MZe7RnsvVKaU40hQ== X-Received: by 10.28.92.136 with SMTP id q130mr8269140wmb.104.1505159506502; Mon, 11 Sep 2017 12:51:46 -0700 (PDT) From: Salvatore Mesoraca To: linux-kernel@vger.kernel.org Cc: linux-security-module@vger.kernel.org, kernel-hardening@lists.openwall.com, Salvatore Mesoraca , Brad Spengler , PaX Team , Casey Schaufler , Kees Cook , James Morris , "Serge E. Hallyn" Date: Mon, 11 Sep 2017 21:50:24 +0200 Message-Id: <1505159427-11747-7-git-send-email-s.mesoraca16@gmail.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1505159427-11747-1-git-send-email-s.mesoraca16@gmail.com> References: <1505159427-11747-1-git-send-email-s.mesoraca16@gmail.com> Subject: [kernel-hardening] [RFC v3 6/9] Creation of "pagefault_handler" LSM hook X-Virus-Scanned: ClamAV using ClamSMTP Creation of a new hook to let LSM modules handle user-space pagefaults on x86. It can be used to avoid segfaulting the originating process. If it's the case it can modify process registers before returning. This is not a security feature by itself, it's a way to soften some unwanted side-effects of restrictive security features. In particular this is used by S.A.R.A. to implement what PaX call "trampoline emulation" that, in practice, allows for some specific code sequences to be executed even if they are in non executable memory. This may look like a bad thing at first, but you have to consider that: - This allows for strict memory restrictions (e.g. W^X) to stay on even when they should be turned off. And, even if this emulation makes those features less effective, it's still better than having them turned off completely. - The only code sequences emulated are trampolines used to make function calls. In many cases, when you have the chance to make arbitrary memory writes, you can already manipulate the control flow of the program by overwriting function pointers or return values. So, in many cases, "trampoline emulation" doesn't introduce new exploit vectors. - It's a feature that can be turned on only if needed, on a per executable file basis. Signed-off-by: Salvatore Mesoraca --- arch/Kconfig | 6 ++++++ arch/x86/Kconfig | 1 + arch/x86/mm/fault.c | 6 ++++++ include/linux/lsm_hooks.h | 12 ++++++++++++ include/linux/security.h | 11 +++++++++++ security/security.c | 11 +++++++++++ 6 files changed, 47 insertions(+) diff --git a/arch/Kconfig b/arch/Kconfig index 1aafb4e..4146f79 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -229,6 +229,12 @@ config ARCH_HAS_FORTIFY_SOURCE An architecture should select this when it can successfully build and run with CONFIG_FORTIFY_SOURCE. +config ARCH_HAS_LSM_PAGEFAULT + bool + help + An architecture should select this if it supports + "pagefault_handler" LSM hook. + # Select if arch has all set_memory_ro/rw/x/nx() functions in asm/cacheflush.h config ARCH_HAS_SET_MEMORY bool diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index a3e6e61..a62bf85 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -53,6 +53,7 @@ config X86 select ARCH_HAS_FORTIFY_SOURCE select ARCH_HAS_GCOV_PROFILE_ALL select ARCH_HAS_KCOV if X86_64 + select ARCH_HAS_LSM_PAGEFAULT select ARCH_HAS_MMIO_FLUSH select ARCH_HAS_PMEM_API if X86_64 # Causing hangs/crashes, see the commit that added this change for details. diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index b836a72..96fbd63 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -15,6 +15,7 @@ #include /* prefetchw */ #include /* exception_enter(), ... */ #include /* faulthandler_disabled() */ +#include /* security_pagefault_handler */ #include /* boot_cpu_has, ... */ #include /* dotraplinkage, ... */ @@ -1358,6 +1359,11 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs) local_irq_enable(); } + if (unlikely(security_pagefault_handler(regs, + error_code, + address))) + return; + perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address); if (error_code & PF_WRITE) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 2fb5c51f..601cf42 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -489,6 +489,14 @@ * @vmflags contains the requested vmflags. * Return 0 if the operation is allowed to continue otherwise return * the appropriate error code. + * @pagefault_handler: + * Handle pagefaults on supported architectures, that is any architecture + * which defines CONFIG_ARCH_HAS_LSM_PAGEFAULT. + * @regs contains process' registers. + * @error_code contains error code for the pagefault. + * @address contains the address that caused the pagefault. + * Return 0 to let the kernel handle the pagefault as usually, any other + * value to let the process continue its execution. * @file_lock: * Check permission before performing file locking operations. * Note: this hook mediates both flock and fcntl style locks. @@ -1502,6 +1510,9 @@ int (*file_mprotect)(struct vm_area_struct *vma, unsigned long reqprot, unsigned long prot); int (*check_vmflags)(vm_flags_t vmflags); + int (*pagefault_handler)(struct pt_regs *regs, + unsigned long error_code, + unsigned long address); int (*file_lock)(struct file *file, unsigned int cmd); int (*file_fcntl)(struct file *file, unsigned int cmd, unsigned long arg); @@ -1780,6 +1791,7 @@ struct security_hook_heads { struct list_head mmap_file; struct list_head file_mprotect; struct list_head check_vmflags; + struct list_head pagefault_handler; struct list_head file_lock; struct list_head file_fcntl; struct list_head file_set_fowner; diff --git a/include/linux/security.h b/include/linux/security.h index 59840a5..0761c89 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -310,6 +310,9 @@ int security_mmap_file(struct file *file, unsigned long prot, int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, unsigned long prot); int security_check_vmflags(vm_flags_t vmflags); +int __maybe_unused security_pagefault_handler(struct pt_regs *regs, + unsigned long error_code, + unsigned long address); int security_file_lock(struct file *file, unsigned int cmd); int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg); void security_file_set_fowner(struct file *file); @@ -850,6 +853,14 @@ static inline int security_check_vmflags(vm_flags_t vmflags) return 0; } +static inline int __maybe_unused security_pagefault_handler( + struct pt_regs *regs, + unsigned long error_code, + unsigned long address) +{ + return 0; +} + static inline int security_file_lock(struct file *file, unsigned int cmd) { return 0; diff --git a/security/security.c b/security/security.c index 484143f..4f50dc5 100644 --- a/security/security.c +++ b/security/security.c @@ -943,6 +943,17 @@ int security_check_vmflags(vm_flags_t vmflags) return call_int_hook(check_vmflags, 0, vmflags); } +int __maybe_unused security_pagefault_handler(struct pt_regs *regs, + unsigned long error_code, + unsigned long address) +{ + return call_int_hook(pagefault_handler, + 0, + regs, + error_code, + address); +} + int security_file_lock(struct file *file, unsigned int cmd) { return call_int_hook(file_lock, 0, file, cmd);