From patchwork Thu Feb 25 04:42:28 2021
X-Patchwork-Submitter: "Lan Zheng (lanzheng)"
X-Patchwork-Id: 12103869
From: "Lan Zheng (lanzheng)"
To: Kees Cook, "kernel-hardening@lists.openwall.com", "linux-kernel@vger.kernel.org"
CC: "Lan Zheng (lanzheng)"
Subject: [PATCH v1 1/1] Kernel Config to make randomize_va_space read-only.
Date: Thu, 25 Feb 2021 04:42:28 +0000
From ba2ec52f170a8e69d6c44238bb578f9518a7e3b7 Mon Sep 17 00:00:00 2001
From: lanzheng
Date: Tue, 23 Feb 2021 22:49:34 -0500
Subject: [PATCH] This patch adds a kernel build config knob that disallows changes to the sysctl variable randomize_va_space. It makes it harder for an attacker to disable ASLR and reduces security risks.

Signed-off-by: lanzheng
Reviewed-by: Yongkui Han
Tested-by: Nirmala Arumugam
---
 kernel/sysctl.c  | 4 ++++
 security/Kconfig | 8 ++++++++
 2 files changed, 12 insertions(+)
--
diff --git a/kernel/sysctl.c b/kernel/sysctl.c index c9fbdd848138..2aa9bc8044c7 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2426,7 +2426,11 @@ static struct ctl_table kern_table[] = { .procname = "randomize_va_space", .data = &randomize_va_space, .maxlen = sizeof(int), +#if defined(CONFIG_RANDOMIZE_VA_SPACE_READONLY) + .mode = 0444, +#else .mode = 0644, +#endif .proc_handler = proc_dointvec, }, #endif
diff --git a/security/Kconfig b/security/Kconfig index 7561f6f99f1d..18b9dff4648c 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -7,6 +7,14 @@ menu "Security options" source "security/keys/Kconfig" +config RANDOMIZE_VA_SPACE_READONLY + bool "Disallow change of randomize_va_space" + default y + help + If you say Y here, /proc/sys/kernel/randomize_va_space can not + be changed by any user, including root, this will help prevent + disablement of ASLR. + config SECURITY_DMESG_RESTRICT bool "Restrict unprivileged access to the kernel syslog" default n
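Review bot: The `.mode` switch in the kernel/sysctl.c hunk only changes the permission bits of the /proc/sys entry; `.data` and `.proc_handler` are untouched, so what this hunk enforces is that writes through /proc/sys/kernel/randomize_va_space are refused, and the Kconfig help text should be scoped to that rather than claiming the value "can not be changed by any user, including root". The trailing `#endif` context also shows the randomize_va_space table entry already sits under a preprocessor guard, so RANDOMIZE_VA_SPACE_READONLY should carry a matching `depends on`, otherwise the knob is accepted but has no effect in configurations where that guard is off. Style: a three-line `#if defined(...)`/`#else`/`#endif` around one initialiser field is heavier than needed here; `.mode = IS_ENABLED(CONFIG_RANDOMIZE_VA_SPACE_READONLY) ? 0444 : 0644,` expresses the same choice on a single line.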
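Review bot: `default y` in the security/Kconfig hunk changes behaviour for every existing configuration on upgrade: anyone who lowers randomize_va_space at runtime (for example while debugging a crash) loses that ability without having opted in, while SECURITY_DMESG_RESTRICT immediately below starts at `default n`; either make the new option `default n` or state in the commit message why it should be on by default. The help text also needs tightening: "can not" should be "cannot", and "including root, this will help prevent disablement of ASLR" is a comma splice that should become its own sentence, e.g. "This helps prevent ASLR from being disabled."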