lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20161103103922.GD13748@pc.thejh.net>
Date:   Thu, 3 Nov 2016 11:39:23 +0100
From:   Jann Horn <jann@...jh.net>
To:     security@...nel.org, Alexander Viro <viro@...iv.linux.org.uk>,
        Paul Moore <paul@...l-moore.com>,
        Stephen Smalley <sds@...ho.nsa.gov>,
        Eric Paris <eparis@...isplace.org>,
        James Morris <james.l.morris@...cle.com>,
        "Serge E. Hallyn" <serge@...lyn.com>, mchong@...gle.com,
        Andy Lutomirski <luto@...capital.net>,
        Ingo Molnar <mingo@...nel.org>,
        Oleg Nesterov <oleg@...hat.com>,
        Nick Kralevich <nnk@...gle.com>,
        Janis Danisevskis <jdanis@...gle.com>
Cc:     linux-security-module@...r.kernel.org, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/3] mm: add LSM hook for writes to readonly memory

On Thu, Nov 03, 2016 at 04:04:42AM +0100, Jann Horn wrote:
> SELinux attempts to make it possible to whitelist trustworthy sources of
> code that may be mapped into memory, and Android makes use of this feature.
> To prevent an attacker from bypassing this by modifying R+X memory through
> /proc/$pid/mem, PTRACE_POKETEXT or DMA, it is necessary to call a security
> hook in check_vma_flags().
> 
> PTRACE_POKETEXT can also be mitigated by blocking ptrace access, and
> /proc/$pid/mem can also be blocked at the VFS layer, but DMA is harder to
> deal with: Some driver functions (e.g. videobuf_dma_init_user_locked)
> write to user-specified DMA mappings even if those mappings are readonly
> or R+X.
> 
> The new security hook security_forced_write() takes three arguments:
> 
>  - The modified VMA, so the security check can e.g. test for executability.
>  - The subject performing the access. For remote accesses, this may be
>    different from the target of the access. This can e.g. be used to create
>    a security policy that permits a privileged debugger to set software
>    breakpoints in the address space of a sandboxed process.
>  - The target of the access. This is useful if only a subset of the
>    processes on the system should be prevented from executing arbitrary
>    code, as is the case on Android.
> 
> changed in v2:
>  - fix comment (Janis Danisevsk)
>  - simplify code a bit (Janis Danisevsk)
> 
> changed in v3:
>  - rebase
>  - no need to pass in creds in populate_vma_page_range()
>  - reword check_vma_flags() comment (Ingo Molnar)
>  - use helper struct gup_creds (Ingo Molnar)

I introduced some bugs here again, as the kernel test robot points out.

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ