lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1557161824-6623-4-git-send-email-zohar@linux.ibm.com>
Date:   Mon,  6 May 2019 12:57:04 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     linux-integrity@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org,
        Igor Zhbanov <i.zhbanov@...russia.ru>,
        Jordan Glover <Golden_Miller83@...tonmail.ch>,
        Al Viro <viro@...iv.linux.org.uk>,
        Mimi Zohar <zohar@...ux.ibm.com>
Subject: [PATCH 3/3] ima: prevent a file already mmap'ed read|execute to be mmap'ed write

The kernel calls deny_write_access() to prevent a file already opened
for write from being executed and also prevents files being executed
from being opened for write.  For some reason this does not extend to
files being mmap'ed execute.

This patch prevents allowing a file in policy, already mmap'ed
read|execute or read, from being mmap'ed shared write.  It should
differentiate between read|execute and read.

Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com>
---
 include/linux/ima.h               |  6 ++++--
 security/integrity/ima/ima_main.c | 21 ++++++++++++++++++++-
 security/security.c               |  4 ++--
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/include/linux/ima.h b/include/linux/ima.h
index dc12fbcf484c..04444895b4f2 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -20,7 +20,8 @@ extern int ima_bprm_check(struct linux_binprm *bprm);
 extern int ima_file_check(struct file *file, int mask);
 extern void ima_post_create_tmpfile(struct inode *inode);
 extern void ima_file_free(struct file *file);
-extern int ima_file_mmap(struct file *file, unsigned long prot);
+extern int ima_file_mmap(struct file *file, unsigned long prot,
+		unsigned long flags);
 extern int ima_load_data(enum kernel_load_data_id id);
 extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
 extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
@@ -66,7 +67,8 @@ static inline void ima_file_free(struct file *file)
 	return;
 }
 
-static inline int ima_file_mmap(struct file *file, unsigned long prot)
+static inline int ima_file_mmap(struct file *file, unsigned long prot,
+		unsigned long flags)
 {
 	return 0;
 }
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index ae77d13cb43c..d13e4efa8599 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -354,6 +354,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
  * ima_file_mmap - based on policy, collect/store measurement.
  * @file: pointer to the file to be measured (May be NULL)
  * @prot: contains the protection that will be applied by the kernel.
+ * @flags:
  *
  * Measure files being mmapped executable based on the ima_must_measure()
  * policy decision.
@@ -361,8 +362,9 @@ static int process_measurement(struct file *file, const struct cred *cred,
  * On success return 0.  On integrity appraisal error, assuming the file
  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
  */
-int ima_file_mmap(struct file *file, unsigned long prot)
+int ima_file_mmap(struct file *file, unsigned long prot, unsigned long flags)
 {
+	struct inode *inode;
 	u32 secid;
 
 	if (file && (prot & PROT_EXEC)) {
@@ -371,6 +373,23 @@ int ima_file_mmap(struct file *file, unsigned long prot)
 					   0, MAY_EXEC, MMAP_CHECK);
 	}
 
+	/*
+	 * Prevent a file, in policy, mapped read|execute, from being mapped
+	 * write shared. (Should differentiate between read and read|execute.)
+	 */
+	if (file && (prot & PROT_WRITE) && ((flags & MAP_TYPE) == MAP_SHARED) &&
+	    mapping_mapped(file->f_mapping) &&
+	    !mapping_writably_mapped(file->f_mapping)) {
+		inode = file_inode(file);
+
+		if (!ima_must_appraise(inode, MAY_ACCESS, MMAP_CHECK))
+			return 0;
+
+		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
+				    file_dentry(file)->d_iname,
+				    "mmap_file", "mmapped_readers", -EACCES, 0);
+		return -EACCES;
+	}
 	return 0;
 }
 
diff --git a/security/security.c b/security/security.c
index 98ce27933e72..e64d9c5b2e1a 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1400,7 +1400,7 @@ int security_mmap_file(struct file *file, unsigned long prot,
 					mmap_prot(file, prot), flags);
 	if (ret)
 		return ret;
-	return ima_file_mmap(file, prot);
+	return ima_file_mmap(file, prot, flags);
 }
 
 int security_mmap_addr(unsigned long addr)
@@ -1416,7 +1416,7 @@ int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
 	ret = call_int_hook(file_mprotect, 0, vma, reqprot, prot);
 	if (ret)
 		return ret;
-	return ima_file_mmap(vma->vm_file, prot);
+	return ima_file_mmap(vma->vm_file, prot, 0);
 }
 
 int security_file_lock(struct file *file, unsigned int cmd)
-- 
2.7.5

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ