From patchwork Tue Nov 21 18:26:08 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Salvatore Mesoraca <s.mesoraca16@gmail.com>
X-Patchwork-Id: 10068697
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	BE5406022E
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue, 21 Nov 2017 18:27:54 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B4188298B7
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue, 21 Nov 2017 18:27:54 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id A8A5B298B8; Tue, 21 Nov 2017 18:27:54 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED,FREEMAIL_FROM,RCVD_IN_DNSWL_HI,T_DKIM_INVALID
	autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 29BB2298AC
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue, 21 Nov 2017 18:27:54 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751234AbdKUS0s (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Tue, 21 Nov 2017 13:26:48 -0500
Received: from mail-wm0-f68.google.com ([74.125.82.68]:43800 "EHLO
	mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751384AbdKUS0o (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Tue, 21 Nov 2017 13:26:44 -0500
Received: by mail-wm0-f68.google.com with SMTP id x63so5373997wmf.2;
	Tue, 21 Nov 2017 10:26:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=eGjuX1kkfPVIIDH711j300wHAoo/+3/m2z5YOv1CYOk=;
	b=EhSS865G7CmgmGUSqTyShTIKLbJruItH/DgZOG/UyOshvZsKOsdczpmh3WWr4XK+5b
	jw8QIf95ypV4hcF2qsUKjACjUOJyfJviKQV2e5fJR41VxMqxiQ01GxEDwMFWvykjRGPk
	L8CdrAHkAv0tWuPf9nPIYkJZ7pm1v32a+WbmcmhKi+ZfPG+Lu2GHTs4GBqTCiw1l3vv6
	qlv3M6aO/J9tsZsjwb1WqcoZ7xWVrUXZldhNI67ZBCERhaPm94WoH5ZiVr5NCXAoAzlC
	QYhorCDBDS7e+mvLBoX5Ck6Ml1PsZmAmxJqj4A6dfiGtw2qCqZkCF9bSRgW1PApKS4+9
	Cx4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=eGjuX1kkfPVIIDH711j300wHAoo/+3/m2z5YOv1CYOk=;
	b=VZpBsBcj3PihnOnV38ehqmuGMTjyaM6V62NPfkfljPtwquJo8tGqL4aSOawACAMzoQ
	TcYJ0kD4KcApWunbMDySVOik99J6n18cmp7qStSPoB9ED712YL3vG/BG8CShO2BU+cX8
	NzPLdMZstASk/JCjsUUlCmeIEv3TsPVYGWv0ny3Pzk3sAbIiGO2lYauSBhj/CttUTJ2i
	4wwv8i4YQgic89byxp4xXaGXJI8tqzYDpbgzAGmibZ1K7vJTz8A2ENN4zQ9EiiZFdlYN
	aappNXF91Htf3lqWUiAvpZTDWafYv0FFc2mxcoO6yNjcRxW/wungy7Y5Bfzpxc4thTvU
	EHVw==
X-Gm-Message-State: AJaThX6XIgITtClCeukZSyOlMsGlqPMywyu1grGV0lRY6YuPmKQSXW1+
	As3G4CtddXhe75qHqT8WbL2XhrqpnRkx0Q==
X-Google-Smtp-Source: 
 AGs4zMbEF1PE8MfQU18jd9R9xFEo0nNH1qGsxFptqZYDVLSDEWAp2FbxVBp2iv934KNnF5qhscNk0Q==
X-Received: by 10.28.49.195 with SMTP id x186mr2082455wmx.116.1511288802916;
	Tue, 21 Nov 2017 10:26:42 -0800 (PST)
Received: from localhost ([37.180.48.100]) by smtp.gmail.com with ESMTPSA id
	n143sm3533217wmd.31.2017.11.21.10.26.41
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Tue, 21 Nov 2017 10:26:42 -0800 (PST)
From: Salvatore Mesoraca <s.mesoraca16@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org,
	kernel-hardening@lists.openwall.com, linux-mm@kvack.org,
	Salvatore Mesoraca <s.mesoraca16@gmail.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Brad Spengler <spender@grsecurity.net>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Christoph Hellwig <hch@infradead.org>,
	James Morris <james.l.morris@oracle.com>, Jann Horn <jannh@google.com>,
	Kees Cook <keescook@chromium.org>, PaX Team <pageexec@freemail.hu>,
	Thomas Gleixner <tglx@linutronix.de>,
	"Serge E. Hallyn" <serge@hallyn.com>
Subject: [RFC v4 06/10] Creation of "pagefault_handler" LSM hook
Date: Tue, 21 Nov 2017 19:26:08 +0100
Message-Id: <1511288772-19308-7-git-send-email-s.mesoraca16@gmail.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1511288772-19308-1-git-send-email-s.mesoraca16@gmail.com>
References: <1511288772-19308-1-git-send-email-s.mesoraca16@gmail.com>
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Creation of a new hook to let LSM modules handle user-space pagefaults on
x86.
It can be used to avoid segfaulting the originating process.
If it's the case it can modify process registers before returning.
This is not a security feature by itself, it's a way to soften some
unwanted side-effects of restrictive security features.
In particular this is used by S.A.R.A. to implement what PaX call
"trampoline emulation" that, in practice, allows for some specific
code sequences to be executed even if they are in non executable memory.
This may look like a bad thing at first, but you have to consider
that:
- This allows for strict memory restrictions (e.g. W^X) to stay on even
  when they should be turned off. And, even if this emulation
  makes those features less effective, it's still better than having
  them turned off completely.
- The only code sequences emulated are trampolines used to make
  function calls. In many cases, when you have the chance to
  make arbitrary memory writes, you can already manipulate the
  control flow of the program by overwriting function pointers or
  return values. So, in many cases, "trampoline emulation"
  doesn't introduce new exploit vectors.
- It's a feature that can be turned on only if needed, on a per
  executable file basis.

Signed-off-by: Salvatore Mesoraca <s.mesoraca16@gmail.com>
---
 arch/Kconfig              |  6 ++++++
 arch/x86/Kconfig          |  1 +
 arch/x86/mm/fault.c       |  6 ++++++
 include/linux/lsm_hooks.h | 12 ++++++++++++
 include/linux/security.h  | 11 +++++++++++
 security/security.c       | 11 +++++++++++
 6 files changed, 47 insertions(+)

diff --git a/arch/Kconfig b/arch/Kconfig
index 400b9e1..5481cc6 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -230,6 +230,12 @@ config ARCH_HAS_FORTIFY_SOURCE
 	  An architecture should select this when it can successfully
 	  build and run with CONFIG_FORTIFY_SOURCE.
 
+config ARCH_HAS_LSM_PAGEFAULT
+	bool
+	help
+	  An architecture should select this if it supports
+	  "pagefault_handler" LSM hook.
+
 # Select if arch has all set_memory_ro/rw/x/nx() functions in asm/cacheflush.h
 config ARCH_HAS_SET_MEMORY
 	bool
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index df3276d..3f52f3d 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -54,6 +54,7 @@ config X86
 	select ARCH_HAS_FORTIFY_SOURCE
 	select ARCH_HAS_GCOV_PROFILE_ALL
 	select ARCH_HAS_KCOV			if X86_64
+	select ARCH_HAS_LSM_PAGEFAULT
 	select ARCH_HAS_PMEM_API		if X86_64
 	# Causing hangs/crashes, see the commit that added this change for details.
 	select ARCH_HAS_REFCOUNT
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 78ca9a8..5443170 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -16,6 +16,7 @@
 #include <linux/prefetch.h>		/* prefetchw			*/
 #include <linux/context_tracking.h>	/* exception_enter(), ...	*/
 #include <linux/uaccess.h>		/* faulthandler_disabled()	*/
+#include <linux/security.h>		/* security_pagefault_handler	*/
 
 #include <asm/cpufeature.h>		/* boot_cpu_has, ...		*/
 #include <asm/traps.h>			/* dotraplinkage, ...		*/
@@ -1332,6 +1333,11 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs)
 			local_irq_enable();
 	}
 
+	if (unlikely(security_pagefault_handler(regs,
+						error_code,
+						address)))
+		return;
+
 	perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
 
 	if (error_code & X86_PF_WRITE)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 8d7ccbd..1ca405d 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -489,6 +489,14 @@
  *	@vmflags contains the requested vmflags.
  *	Return 0 if the operation is allowed to continue otherwise return
  *	the appropriate error code.
+ * @pagefault_handler:
+ *	Handle pagefaults on supported architectures, that is any architecture
+ *	which defines CONFIG_ARCH_HAS_LSM_PAGEFAULT.
+ *	@regs contains process' registers.
+ *	@error_code contains error code for the pagefault.
+ *	@address contains the address that caused the pagefault.
+ *	Return 0 to let the kernel handle the pagefault as usually, any other
+ *	value to let the process continue its execution.
  * @file_lock:
  *	Check permission before performing file locking operations.
  *	Note: this hook mediates both flock and fcntl style locks.
@@ -1531,6 +1539,9 @@
 	int (*file_mprotect)(struct vm_area_struct *vma, unsigned long reqprot,
 				unsigned long prot);
 	int (*check_vmflags)(vm_flags_t vmflags);
+	int (*pagefault_handler)(struct pt_regs *regs,
+				 unsigned long error_code,
+				 unsigned long address);
 	int (*file_lock)(struct file *file, unsigned int cmd);
 	int (*file_fcntl)(struct file *file, unsigned int cmd,
 				unsigned long arg);
@@ -1819,6 +1830,7 @@ struct security_hook_heads {
 	struct list_head mmap_file;
 	struct list_head file_mprotect;
 	struct list_head check_vmflags;
+	struct list_head pagefault_handler;
 	struct list_head file_lock;
 	struct list_head file_fcntl;
 	struct list_head file_set_fowner;
diff --git a/include/linux/security.h b/include/linux/security.h
index ac16262..ba018a3 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -312,6 +312,9 @@ int security_mmap_file(struct file *file, unsigned long prot,
 int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
 			   unsigned long prot);
 int security_check_vmflags(vm_flags_t vmflags);
+int __maybe_unused security_pagefault_handler(struct pt_regs *regs,
+					      unsigned long error_code,
+					      unsigned long address);
 int security_file_lock(struct file *file, unsigned int cmd);
 int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg);
 void security_file_set_fowner(struct file *file);
@@ -851,6 +854,14 @@ static inline int security_check_vmflags(vm_flags_t vmflags)
 	return 0;
 }
 
+static inline int __maybe_unused security_pagefault_handler(
+						struct pt_regs *regs,
+						unsigned long error_code,
+						unsigned long address)
+{
+	return 0;
+}
+
 static inline int security_file_lock(struct file *file, unsigned int cmd)
 {
 	return 0;
diff --git a/security/security.c b/security/security.c
index 0df8988..21cd07e 100644
--- a/security/security.c
+++ b/security/security.c
@@ -944,6 +944,17 @@ int security_check_vmflags(vm_flags_t vmflags)
 	return call_int_hook(check_vmflags, 0, vmflags);
 }
 
+int __maybe_unused security_pagefault_handler(struct pt_regs *regs,
+					      unsigned long error_code,
+					      unsigned long address)
+{
+	return call_int_hook(pagefault_handler,
+			     0,
+			     regs,
+			     error_code,
+			     address);
+}
+
 int security_file_lock(struct file *file, unsigned int cmd)
 {
 	return call_int_hook(file_lock, 0, file, cmd);