From patchwork Tue Nov 21 18:26:12 2017
X-Patchwork-Submitter: Salvatore Mesoraca
X-Patchwork-Id: 10068721
From: Salvatore Mesoraca
To: linux-kernel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, Salvatore Mesoraca, Alexander Viro, Brad Spengler, Casey Schaufler, Christoph Hellwig, James Morris, Jann Horn, Kees Cook, PaX Team, Thomas Gleixner, "Serge E. Hallyn"
Date: Tue, 21 Nov 2017 19:26:12 +0100
Message-Id: <1511288772-19308-11-git-send-email-s.mesoraca16@gmail.com>
In-Reply-To: <1511288772-19308-1-git-send-email-s.mesoraca16@gmail.com>
References: <1511288772-19308-1-git-send-email-s.mesoraca16@gmail.com>
Subject: [kernel-hardening] [RFC v4 10/10] XATTRs support

Adds support for extended filesystem attributes in security and user namespaces. They can be used to override flags set via the centralized configuration, even when S.A.R.A. configuration is locked or saractl is not used at all.
Signed-off-by: Salvatore Mesoraca --- Documentation/admin-guide/LSM/SARA.rst | 20 +++++ Documentation/admin-guide/kernel-parameters.txt | 16 ++++ include/uapi/linux/xattr.h | 4 + security/sara/Kconfig | 22 ++++++ security/sara/wxprot.c | 97 +++++++++++++++++++++++++ 5 files changed, 159 insertions(+) diff --git a/Documentation/admin-guide/LSM/SARA.rst b/Documentation/admin-guide/LSM/SARA.rst index de41b78..a6f32e5 100644 --- a/Documentation/admin-guide/LSM/SARA.rst +++ b/Documentation/admin-guide/LSM/SARA.rst @@ -53,6 +53,8 @@ WX Protection. In particular: To extend the scope of the above features, despite the issues that they may cause, they are complemented by **/proc/PID/attr/sara/wxprot** interface and **trampoline emulation**. +It's also possible to override the centralized configuration via `Extended +filesystem attributes`_. At the moment, WX Protection (unless specified otherwise) should work on any architecture supporting the NX bit, including, but not limited to: 
@@ -119,6 +121,24 @@ in your project or copy/paste parts of it. To make things simpler `libsara` is the only part of S.A.R.A. released under *CC0 - No Rights Reserved* license. +Extended filesystem attributes +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +When this functionality is enabled, it's possible to override +WX Protection flags set in the main configuration via extended attributes, +even when S.A.R.A.'s configuration is in "locked" mode. +If the user namespace is also enabled, its attributes will override settings +configured via the security namespace. +The xattrs currently in use are: + +- security.sara.wxprot +- user.sara.wxprot + +They can be manually set to the desired value as a decimal, hexadecimal or +octal number. When this functionality is enabled, S.A.R.A. can be easily used +without the help of its userspace tools. Though the preferred way to change +these attributes is `sara-xattr` which is part of `saractl` [2]_. + + Trampoline emulation ^^^^^^^^^^^^^^^^^^^^ Some programs need to generate part of their code at runtime. Luckily enough, diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 20c9114..b58dcce 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -3841,6 +3841,22 @@ See S.A.R.A. documentation. Default value is set via kernel config option. + sara.wxprot_xattrs_enabled= [SARA] + Enable support for security xattrs. + Format: { "0" | "1" } + See security/sara/Kconfig help text + 0 -- disable. + 1 -- enable. + Default value is set via kernel config option. + + sara.wxprot_xattrs_user= [SARA] + Enable support for user xattrs. + Format: { "0" | "1" } + See security/sara/Kconfig help text + 0 -- disable. + 1 -- enable. + Default value is set via kernel config option. + serialnumber [BUGS=X86-32] shapers= [NET] diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h index c1395b5..45c0333 100644 
--- a/include/uapi/linux/xattr.h +++ b/include/uapi/linux/xattr.h @@ -77,5 +77,9 @@ #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default" #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT +#define XATTR_SARA_SUFFIX "sara." +#define XATTR_SARA_WXP_SUFFIX XATTR_SARA_SUFFIX "wxp" +#define XATTR_NAME_SEC_SARA_WXP XATTR_SECURITY_PREFIX XATTR_SARA_WXP_SUFFIX +#define XATTR_NAME_USR_SARA_WXP XATTR_USER_PREFIX XATTR_SARA_WXP_SUFFIX #endif /* _UAPI_LINUX_XATTR_H */ diff --git a/security/sara/Kconfig b/security/sara/Kconfig index b68c246..60f629f 100644 --- a/security/sara/Kconfig +++ b/security/sara/Kconfig @@ -113,6 +113,28 @@ config SECURITY_SARA_WXPROT_EMUTRAMP If unsure, answer y. +config SECURITY_SARA_WXPROT_XATTRS_ENABLED + bool "xattrs support enabled by default." + depends on SECURITY_SARA_WXPROT + default n + help + If you say Y here it will be possible to override WX protection + configuration via extended attributes in the security namespace. + Even when S.A.R.A.'s configuration has been locked. + + If unsure, answer N. + +config CONFIG_SECURITY_SARA_WXPROT_XATTRS_USER + bool "'user' namespace xattrs support enabled by default." + depends on SECURITY_SARA_WXPROT_XATTRS_ENABLED + default n + help + If you say Y here it will be possible to override WX protection + configuration via extended attributes in the user namespace. + Even when S.A.R.A.'s configuration has been locked. + + If unsure, answer N. + config SECURITY_SARA_WXPROT_DISABLED bool "WX protection will be disabled at boot." depends on SECURITY_SARA_WXPROT diff --git a/security/sara/wxprot.c b/security/sara/wxprot.c index c14ad27..2c8ca58 100644 --- a/security/sara/wxprot.c +++ b/security/sara/wxprot.c @@ -23,6 +23,7 @@ #include #include #include +#include #include "include/sara.h" #include "include/sara_data.h" 
@@ -88,6 +89,18 @@ struct wxprot_config_container { static const bool wxprot_emutramp; #endif +#ifdef CONFIG_SECURITY_SARA_WXPROT_XATTRS_ENABLED +static bool wxprot_xattrs_enabled __read_mostly = true; +#else +static bool wxprot_xattrs_enabled __read_mostly; +#endif + +#ifdef CONFIG_SECURITY_SARA_WXPROT_XATTRS_USER +static bool wxprot_xattrs_user __read_mostly = true; +#else +static bool wxprot_xattrs_user __read_mostly; +#endif + static void pr_wxp(char *msg) { char *buf, *path; @@ -138,6 +151,12 @@ static bool are_flags_valid(u16 flags) module_param(wxprot_enabled, bool, 0); MODULE_PARM_DESC(wxprot_enabled, "Disable or enable S.A.R.A. WX Protection at boot time."); +module_param(wxprot_xattrs_enabled, bool, 0); +MODULE_PARM_DESC(wxprot_xattrs_enabled, "Disable or enable S.A.R.A. WXP extended attributes interfaces."); + +module_param(wxprot_xattrs_user, bool, 0); +MODULE_PARM_DESC(wxprot_xattrs_user, "Allow normal users to override S.A.R.A. WXP settings via extended attributes."); + static int param_set_wxpflags(const char *val, const struct kernel_param *kp) { u16 flags; 
@@ -240,6 +259,65 @@ static inline int is_relro_page(const struct vm_area_struct *vma) } /* + * Extended attributes handling + */ +static int sara_wxprot_xattrs_name(struct dentry *d, + const char *name, + u16 *flags) +{ + int rc; + char buffer[10]; + u16 tmp; + + if (!(d->d_inode->i_opflags & IOP_XATTR)) + return -EOPNOTSUPP; + + rc = __vfs_getxattr(d, d->d_inode, name, buffer, sizeof(buffer)); + if (rc > 0) { + buffer[rc] = '\0'; + rc = kstrtou16(buffer, 0, &tmp); + if (rc) + return rc; + if (!are_flags_valid(tmp)) + return -EINVAL; + *flags = tmp; + return 0; + } else if (rc < 0) + return rc; + + return -ENODATA; +} + +#define sara_xattrs_may_return(RC, XATTRNAME, FNAME) do { \ + if (RC == -EINVAL || RC == -ERANGE) \ + pr_info_ratelimited( \ + "WXP: malformed xattr '%s' on '%s'\n", \ + XATTRNAME, \ + FNAME); \ + else if (RC == 0) \ + return 0; \ +} while (0) + +static inline int sara_wxprot_xattrs(struct dentry *d, + u16 *flags) +{ + int rc; + + if (!wxprot_xattrs_enabled) + return 1; + if (wxprot_xattrs_user) { + rc = sara_wxprot_xattrs_name(d, XATTR_NAME_USR_SARA_WXP, + flags); + sara_xattrs_may_return(rc, XATTR_NAME_USR_SARA_WXP, + d->d_name.name); + } + rc = sara_wxprot_xattrs_name(d, XATTR_NAME_SEC_SARA_WXP, flags); + sara_xattrs_may_return(rc, XATTR_NAME_SEC_SARA_WXP, d->d_name.name); + return 1; +} + + +/* * LSM hooks */ static int sara_bprm_set_creds(struct linux_binprm *bprm) @@ -262,6 +340,10 @@ static int sara_bprm_set_creds(struct linux_binprm *bprm) if (!sara_enabled || !wxprot_enabled) return 0; + if (sara_wxprot_xattrs(bprm->file->f_path.dentry, + &sara_wxp_flags) == 0) + goto flags_set; + /* * SARA_WXP_TRANSFER means that the parent * wants this child to inherit its flags. @@ -295,6 +377,7 @@ static int sara_bprm_set_creds(struct linux_binprm *bprm) } else path = (char *) bprm->interp; +flags_set: if (sara_wxp_flags != default_flags && sara_wxp_flags & SARA_WXP_VERBOSE) pr_debug_ratelimited("WXP: '%s' run with flags '0x%x'.\n", 
@@ -843,6 +926,10 @@ static int config_hash(char **buf) static DEFINE_SARA_SECFS_BOOL_FLAG(wxprot_enabled_data, wxprot_enabled); +static DEFINE_SARA_SECFS_BOOL_FLAG(wxprot_xattrs_enabled_data, + wxprot_xattrs_enabled); +static DEFINE_SARA_SECFS_BOOL_FLAG(wxprot_xattrs_user_data, + wxprot_xattrs_user); static struct sara_secfs_fptrs fptrs __ro_after_init = { .load = config_load, @@ -886,6 +973,16 @@ static DEFINE_SARA_SECFS_BOOL_FLAG(wxprot_enabled_data, .type = SARA_SECFS_CONFIG_HASH, .data = &fptrs, }, + { + .name = "xattr_enabled", + .type = SARA_SECFS_BOOL, + .data = (void *) &wxprot_xattrs_enabled_data, + }, + { + .name = "xattr_user_allowed", + .type = SARA_SECFS_BOOL, + .data = (void *) &wxprot_xattrs_user_data, + }, };
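Review bot: the attribute names documented in the SARA.rst hunk (@@ -119,6 +121,24 @@), `security.sara.wxprot` and `user.sara.wxprot`, do not match what the include/uapi/linux/xattr.h hunk defines: XATTR_SARA_SUFFIX "sara." followed by XATTR_SARA_WXP_SUFFIX "wxp" yields `security.sara.wxp` and `user.sara.wxp`. An administrator who follows the documentation sets an attribute the kernel never reads and the override silently does not apply; pick one spelling and use it in both the header and the document. The same section should also spell out the fallback visible in wxprot.c: a malformed value is only logged via pr_info_ratelimited and the centralized configuration still applies, so a typo in the xattr does not relax protection.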
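Review bot: the kernel-parameters.txt hunk (@@ -3841,6 +3841,22 @@) documents `sara.wxprot_xattrs_user=` as an independent switch, but sara_wxprot_xattrs() returns early when wxprot_xattrs_enabled is false, so the user-namespace setting has no effect unless `sara.wxprot_xattrs_enabled=1` is also given. Say so in the parameter text, mirroring the `depends on` relationship the Kconfig hunk already expresses, so that an operator does not believe user overrides are active when they are not.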
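Review bot: in the include/uapi/linux/xattr.h hunk (@@ -77,5 +77,9 @@), XATTR_SARA_SUFFIX is "sara." and is used as a prefix for the "wxp" component, so the name reads backwards; something like XATTR_SARA_PREFIX would match how XATTR_SECURITY_PREFIX and XATTR_USER_PREFIX are used on the neighbouring lines. Since this is a uapi header, the macro names and the resulting attribute strings become ABI once merged, so settle the naming (and the "wxp" versus "wxprot" question raised against the documentation) before this goes in.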
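Review bot: the Kconfig hunk (@@ -113,6 +113,28 @@) declares `config CONFIG_SECURITY_SARA_WXPROT_XATTRS_USER`; Kconfig adds the CONFIG_ prefix itself, so the generated symbol is CONFIG_CONFIG_SECURITY_SARA_WXPROT_XATTRS_USER and the `#ifdef CONFIG_SECURITY_SARA_WXPROT_XATTRS_USER` in wxprot.c is never true. The effect is that wxprot_xattrs_user is always compiled in as false regardless of the Kconfig answer, which happens to be the safe direction but is not what the option promises. Drop the prefix so it reads `config SECURITY_SARA_WXPROT_XATTRS_USER`. In both help texts, "Even when S.A.R.A.'s configuration has been locked." is a sentence fragment; join it to the preceding sentence, and for the user-namespace option state plainly that any user who can set user.* attributes on a file can then relax WX protection for that file, which is why the default is N.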
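Review bot: sara_wxprot_xattrs_name() in the wxprot.c hunk (@@ -240,6 +259,65 @@) has an off-by-one write: `__vfs_getxattr()` is called with `sizeof(buffer)`, so rc can be 10 for a 10-byte value, and `buffer[rc] = '\0'` then writes past the end of `char buffer[10]`. Pass `sizeof(buffer) - 1` so that a longer value comes back as -ERANGE (which the macro already treats as malformed) and the terminator always fits. Two smaller points in the same hunk: the `return 0;` hidden inside sara_xattrs_may_return() obscures control flow in the caller and the RC argument is not parenthesised, so consider open-coding the two checks or at least wrapping `(RC)`; and the explicit IOP_XATTR test duplicates what __vfs_getxattr() does internally, while `d->d_inode` in LSM code is normally written `d_backing_inode(d)`.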
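Review bot: the sara_bprm_set_creds() hunk (@@ -262,6 +340,10 @@) jumps to flags_set before the SARA_WXP_TRANSFER handling, so an xattr on the executable wins not only over the centralized configuration but also over a parent's request that the child inherit its flags. That may well be the intended precedence, but neither the commit message nor the SARA.rst hunk states it; document the order (user xattr, then security xattr, then parent transfer, then configuration) so that administrators can reason about which setting applies to a given exec.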
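Review bot: the label in the @@ -295,6 +377,7 @@ hunk lands immediately after `path = (char *) bprm->interp;`, and the goto added earlier skips the whole block in which `path` is assigned. If the `'%s'` in the pr_debug_ratelimited() at flags_set prints `path`, the verbose logging branch reads an uninitialised pointer whenever flags come from an xattr. Either initialise `path` before the new early exit or move the label below the log statement.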
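Review bot: the securityfs hunk (@@ -886,6 +973,16 @@) exposes `xattr_enabled` and `xattr_user_allowed` as writable booleans; confirm that DEFINE_SARA_SECFS_BOOL_FLAG honours the same configuration lock as `wxprot_enabled_data`, because if these two can still be flipped after the configuration is locked, the lock can be weakened at runtime by turning on user-namespace overrides. The names are also out of step with the module parameters (`wxprot_xattrs_enabled`, `wxprot_xattrs_user`) and are not mentioned in the SARA.rst hunk; align the naming and document the new files alongside the parameters.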