| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 1 Nov 2020 13:41:30 +0200
From: Topi Miettinen <toiwoton@...il.com>
To: David Hildenbrand <david@...hat.com>,
David Laight <David.Laight@...LAB.COM>,
Michal Hocko <mhocko@...e.com>,
Kees Cook <keescook@...omium.org>
Cc: "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] mm: optionally disable brk()
On 5.10.2020 15.18, David Hildenbrand wrote:
> On 05.10.20 13:21, David Laight wrote:
>> From: David Hildenbrand
>>> Sent: 05 October 2020 10:55
>> ...
>>>> If hardening and compatibility are seen as tradeoffs, perhaps there
>>>> could be a top level config choice (CONFIG_HARDENING_TRADEOFF) for this.
>>>> It would have options
>>>> - "compatibility" (default) to gear questions for maximum compatibility,
>>>> deselecting any hardening options which reduce compatibility
>>>> - "hardening" to gear questions for maximum hardening, deselecting any
>>>> compatibility options which reduce hardening
>>>> - "none/manual": ask all questions like before
>>>
>>> I think the general direction is to avoid an exploding set of config
>>> options. So if there isn't a *real* demand, I guess gluing this to a
>>> single option ("CONFIG_SECURITY_HARDENING") might be good enough.
>>
>> Wouldn't that be better achieved by run-time clobbering
>> of the syscall vectors?
>
> You mean via something like a boot parameter? Possibly yes.
>
This may be obvious, but a global seccomp filter which doesn't affect
NNP can be installed in initrd with a simple program with no changes to
kernel:
#include <errno.h>
#include <seccomp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char **argv) {
if (argc < 3) {
fprintf(stderr, "Usage: %s syscall [syscall]...
program\n", argv[0]);
return EXIT_FAILURE;
}
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) {
fprintf(stderr, "failed to init filter\n");
return EXIT_FAILURE;
}
int r;
r = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
if (r != 0) {
fprintf(stderr, "failed to disable NNP\n");
return EXIT_FAILURE;
}
fprintf(stderr, "filtering");
for (int i = 1; i < argc - 1; i++) {
const char *syscall = argv[i];
int syscall_nr = seccomp_syscall_resolve_name(syscall);
if (syscall_nr == __NR_SCMP_ERROR) {
//fprintf(stderr, "unknown syscall %s,
ignoring\n", syscall);
continue;
}
r = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(ENOSYS),
syscall_nr, 0);
if (r != 0) {
//fprintf(stderr, "failed to filter syscall %s,
ignoring\n", syscall);
continue;
}
fprintf(stderr, " %s", syscall);
}
fprintf(stderr, "\n");
r = seccomp_load(ctx);
if (r != 0) {
fprintf(stderr, "failed to apply filter\n");
return EXIT_FAILURE;
}
seccomp_release(ctx);
char *program = argv[argc - 1];
char *new_argv[] = { program, NULL };
execv(program, new_argv);
fprintf(stderr, "failed to exec %s\n", program);
return EXIT_FAILURE;
}
This can be inserted in initrd to disable some obsolete and old system
calls like this:
#!/bin/sh
exec /usr/local/sbin/seccomp-exec _sysctl afs_syscall bdflush break
create_module ftime get_kernel_syms getpmsg gtty idle lock mpx prof
profil putpmsg query_module security sgetmask ssetmask stty sysfs
tuxcall ulimit uselib ustat vserver epoll_ctl_old epoll_wait_old
old_adjtimex old_getpagesize oldfstat oldlstat oldolduname oldstat
oldumount olduname osf_old_creat osf_old_fstat osf_old_getpgrp
osf_old_killpg osf_old_lstat osf_old_open osf_old_sigaction
osf_old_sigblock osf_old_sigreturn osf_old_sigsetmask osf_old_sigvec
osf_old_stat osf_old_vadvise osf_old_vtrace osf_old_wait osf_oldquota
vm86old brk /init
-Topi
Powered by blists - more mailing lists