linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Randy Dunlap <rdunlap@infradead.org>
To: Salvatore Mesoraca <s.mesoraca16@gmail.com>,
	linux-kernel@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com, linux-mm@kvack.org,
	linux-security-module@vger.kernel.org,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Brad Spengler <spender@grsecurity.net>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Christoph Hellwig <hch@infradead.org>,
	James Morris <james.l.morris@oracle.com>,
	Jann Horn <jannh@google.com>, Kees Cook <keescook@chromium.org>,
	PaX Team <pageexec@freemail.hu>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH v5 06/12] S.A.R.A.: WX protection
Date: Sat, 6 Jul 2019 08:38:39 -0700	[thread overview]
Message-ID: <fcbf55e9-78dc-fb1a-e893-4fea8ebdc202@infradead.org> (raw)
In-Reply-To: <1562410493-8661-7-git-send-email-s.mesoraca16@gmail.com>

On 7/6/19 3:54 AM, Salvatore Mesoraca wrote:
> diff --git a/security/sara/Kconfig b/security/sara/Kconfig
> index b98cf27..54a96e0 100644
> --- a/security/sara/Kconfig
> +++ b/security/sara/Kconfig
> @@ -60,3 +60,77 @@ config SECURITY_SARA_NO_RUNTIME_ENABLE
>  
>  	  If unsure, answer Y.
>  
> +config SECURITY_SARA_WXPROT
> +	bool "WX Protection: W^X and W!->X protections"
> +	depends on SECURITY_SARA
> +	default y
> +	help
> +	  WX Protection aims to improve user-space programs security by applying:
> +	    - W^X memory restriction
> +	    - W!->X (once writable never executable) mprotect restriction
> +	    - Executable MMAP prevention
> +	  See Documentation/admin-guide/LSM/SARA.rst. for further information.

	                                        .rst for further information.

> +
> +	  If unsure, answer Y.
> +
> +choice
> +	prompt "Default action for W^X and W!->X protections"
> +	depends on SECURITY_SARA
> +	depends on SECURITY_SARA_WXPROT
> +	default SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_COMPLAIN_VERBOSE
> +
> +        help

Use tab instead of spaces for indentation above.

> +	  Choose the default behaviour of WX Protection when no config
> +	  rule matches or no rule is loaded.
> +	  For further information on available flags and their meaning
> +	  see Documentation/admin-guide/LSM/SARA.rst.
> +
> +	config SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_COMPLAIN_VERBOSE
> +		bool "Protections enabled but not enforced."
> +		help
> +		  All features enabled except "Executable MMAP prevention",
> +		  verbose reporting, but no actual enforce: it just complains.
> +		  Its numeric value is 0x3f, for more information see
> +		  Documentation/admin-guide/LSM/SARA.rst.
> +
> +        config SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_ENFORCE_VERBOSE
> +		bool "Full protection, verbose."
> +		help
> +		  All features enabled except "Executable MMAP prevention".
> +		  The enabled features will be enforced with verbose reporting.
> +		  Its numeric value is 0x2f, for more information see
> +		  Documentation/admin-guide/LSM/SARA.rst.
> +
> +        config SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_ENFORCE
> +		bool "Full protection, quiet."
> +		help
> +		  All features enabled except "Executable MMAP prevention".
> +		  The enabled features will be enforced quietly.
> +		  Its numeric value is 0xf, for more information see
> +		  Documentation/admin-guide/LSM/SARA.rst.
> +
> +	config SECURITY_SARA_WXPROT_DEFAULT_FLAGS_NONE
> +		bool "No protection at all."
> +		help
> +		  All features disabled.
> +		  Its numeric value is 0, for more information see
> +		  Documentation/admin-guide/LSM/SARA.rst.
> +endchoice
> +
> +config SECURITY_SARA_WXPROT_DISABLED
> +	bool "WX protection will be disabled at boot."
> +	depends on SECURITY_SARA_WXPROT
> +	default n

Omit "default n" please.

> +	help
> +	  If you say Y here WX protection won't be enabled at startup. You can
> +	  override this option via user-space utilities or at boot time via
> +	  "sara.wxprot_enabled=[0|1]" kernel parameter.
> +
> +	  If unsure, answer N.
> +
> +config SECURITY_SARA_WXPROT_DEFAULT_FLAGS
> +	hex
> +	default "0x3f" if SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_COMPLAIN_VERBOSE
> +	default "0x2f" if SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_ENFORCE_VERBOSE
> +	default "0xf" if SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_ENFORCE
> +	default "0" if SECURITY_SARA_WXPROT_DEFAULT_FLAGS_NONE


-- 
~Randy

  reply	other threads:[~2019-07-06 15:39 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-06 10:54 [PATCH v5 00/12] S.A.R.A. a new stacked LSM Salvatore Mesoraca
2019-07-06 10:54 ` [PATCH v5 01/12] S.A.R.A.: add documentation Salvatore Mesoraca
2019-07-06 17:14   ` Randy Dunlap
2019-07-06 17:32     ` Salvatore Mesoraca
2019-07-13  0:14   ` James Morris
2019-07-06 10:54 ` [PATCH v5 02/12] S.A.R.A.: create framework Salvatore Mesoraca
2019-07-06 15:29   ` Randy Dunlap
2019-07-06 10:54 ` [PATCH v5 03/12] S.A.R.A.: cred blob management Salvatore Mesoraca
2019-07-12 23:35   ` James Morris
2019-07-06 10:54 ` [PATCH v5 04/12] S.A.R.A.: generic DFA for string matching Salvatore Mesoraca
2019-07-06 18:32   ` Jann Horn
2019-07-07 16:01     ` Salvatore Mesoraca
2019-07-08 17:37       ` Jann Horn
2019-10-06 16:49       ` Salvatore Mesoraca
2019-10-07 12:40         ` Jann Horn
2019-07-06 10:54 ` [PATCH v5 05/12] LSM: creation of "check_vmflags" LSM hook Salvatore Mesoraca
2019-07-06 10:54 ` [PATCH v5 06/12] S.A.R.A.: WX protection Salvatore Mesoraca
2019-07-06 15:38   ` Randy Dunlap [this message]
2019-07-06 19:28   ` Al Viro
2019-07-07 15:49     ` Salvatore Mesoraca
2019-07-09  4:51       ` Kees Cook
2019-07-08 12:42   ` David Laight
2019-07-06 10:54 ` [PATCH v5 07/12] LSM: creation of "pagefault_handler" LSM hook Salvatore Mesoraca
2019-07-06 10:54 ` [PATCH v5 08/12] S.A.R.A.: trampoline emulation Salvatore Mesoraca
2019-07-06 15:31   ` Randy Dunlap
2019-07-06 10:54 ` [PATCH v5 09/12] S.A.R.A.: WX protection procattr interface Salvatore Mesoraca
2019-07-06 10:54 ` [PATCH v5 10/12] S.A.R.A.: XATTRs support Salvatore Mesoraca
2019-07-06 10:54 ` [PATCH v5 11/12] S.A.R.A.: /proc/*/mem write limitation Salvatore Mesoraca
2019-07-06 18:20   ` Jann Horn
2019-07-07 16:15     ` Salvatore Mesoraca
2019-07-06 10:54 ` [PATCH v5 12/12] MAINTAINERS: take maintainership for S.A.R.A Salvatore Mesoraca
2019-07-06 14:33 ` [PATCH v5 00/12] S.A.R.A. a new stacked LSM Jordan Glover
2019-07-06 15:02   ` Salvatore Mesoraca
2019-07-07  1:16 ` James Morris
2019-07-07 15:40   ` Salvatore Mesoraca

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=fcbf55e9-78dc-fb1a-e893-4fea8ebdc202@infradead.org \
    --to=rdunlap@infradead.org \
    --cc=casey@schaufler-ca.com \
    --cc=hch@infradead.org \
    --cc=james.l.morris@oracle.com \
    --cc=jannh@google.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=pageexec@freemail.hu \
    --cc=s.mesoraca16@gmail.com \
    --cc=serge@hallyn.com \
    --cc=spender@grsecurity.net \
    --cc=tglx@linutronix.de \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).