[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170710150603.387-1-igor.stoppa@huawei.com>
Date: Mon, 10 Jul 2017 18:06:00 +0300
From: Igor Stoppa <igor.stoppa@...wei.com>
To: <jglisse@...hat.com>, <keescook@...omium.org>, <mhocko@...nel.org>,
<jmorris@...ei.org>, <penguin-kernel@...ove.SAKURA.ne.jp>,
<labbott@...hat.com>, <hch@...radead.org>
CC: <paul@...l-moore.com>, <sds@...ho.nsa.gov>,
<casey@...aufler-ca.com>, <linux-security-module@...r.kernel.org>,
<linux-mm@...ck.org>, <linux-kernel@...r.kernel.org>,
<kernel-hardening@...ts.openwall.com>,
"Igor Stoppa" <igor.stoppa@...wei.com>
Subject: [PATCH v10 0/3] mm: security: ro protection for dynamic data
Hi,
please consider this patch-set for inclusion.
This patch-set introduces the possibility of protecting memory that has
been allocated dynamically.
The memory is managed in pools: when a memory pool is turned into R/O,
all the memory that is part of it, will become R/O.
A R/O pool can be destroyed, to recover its memory, but it cannot be
turned back into R/W mode.
This is intentional. This feature is meant for data that doesn't need
further modifications after initialization.
However the data might need to be released, as part of module unloading.
To do this, the memory must first be freed, then the pool can be destroyed.
An example is provided, showing how to turn into a boot-time option the
writable state of the security hooks.
Prior to this patch, it was a compile-time option.
This is made possible, thanks to Tetsuo Handa's rework of the hooks
structure (included in the patchset).
Changes since the v9 version:
- drop page flag to mark pmalloc pages and use page->private & bit
as followup to Jerome Glisse's advice to use existing fields.
- introduce non-API header mm/pmalloc_usercopy.h for usercopy test
Question still open:
- should it be possibile to unprotect a pool for rewrite?
The only cases found for this topic are:
- protecting the LSM header structure between creation and insertion of a
security module that was not built as part of the kernel
(but the module can protect the headers after it has loaded)
- unloading SELinux from RedHat, if the system has booted, but no policy
has been loaded yet - this feature is going away, according to Casey.
Regarding the last point, there was a comment from Christoph Hellwig,
for which I asked for clarifications, but it's still pending:
https://marc.info/?l=linux-mm&m=149863848120692&w=2
Notes:
- The patch is larg-ish, but I was not sure what criteria to use for
splitting it. If it helps the reviewing, please do let me know how I
should split it and I will comply.
- I had to rebase Tetsuo Handa's patch because it didn't apply cleanly
anymore, I would appreciate an ACK to that or a revised patch, whatever
comes easier.
Igor Stoppa (2):
Protectable memory support
Make LSM Writable Hooks a command line option
Tetsuo Handa (1):
LSM: Convert security_hook_heads into explicit array of struct
list_head
arch/Kconfig | 1 +
include/linux/lsm_hooks.h | 420 +++++++++++++++++++++++-----------------------
include/linux/pmalloc.h | 127 ++++++++++++++
lib/Kconfig | 1 +
mm/Makefile | 1 +
mm/pmalloc.c | 372 ++++++++++++++++++++++++++++++++++++++++
mm/pmalloc.h | 17 ++
mm/pmalloc_usercopy.h | 38 +++++
mm/usercopy.c | 23 ++-
security/security.c | 49 ++++--
10 files changed, 815 insertions(+), 234 deletions(-)
create mode 100644 include/linux/pmalloc.h
create mode 100644 mm/pmalloc.c
create mode 100644 mm/pmalloc.h
create mode 100644 mm/pmalloc_usercopy.h
--
2.9.3
Powered by blists - more mailing lists