* [RFC][PATCH] Control ability to have a writable executable mapping
@ 2004-11-09 18:40 Stephen Smalley
  2004-11-09 21:05 ` Stephen Smalley
  2004-11-09 23:15 ` Joshua Brindle
  0 siblings, 2 replies; 7+ messages in thread
From: Stephen Smalley @ 2004-11-09 18:40 UTC (permalink / raw)
  To: selinux; +Cc: Joshua Brindle, Christopher J. PeBenito

[-- Attachment #1: Type: text/plain, Size: 2860 bytes --]

At present, SELinux only applies permission checks to mmap/mprotect for
file mappings, and it only checks write permission to the file if the
mapping is shared, as the caller does not truly require write permission
to the file for a private copy-on-write mapping nor would we want to
grant write permission to all processes that perform such mappings. 
Consequently, SELinux does not currently provide policy control over the
ability of a process to have a writable executable anonymous mapping or
a writable executable private file mapping.  

The attached kernel patch adds a new task->self wxpage permission check
for wx private file mappings and for wx anonymous mappings to address
this gap.  The task->file execute permission check is still applied to
private file mappings even when the wxpage check is performed for
consistency (ensure that policy always allows rx mapping whenever it
allows rwx mapping).  There is also a small change to avc_audit() to
help in policy debugging for these checks, as the exe= information is
suppressed due to the mmap_sem being held by the caller.  Note that
writable executable shared file mappings are still controlled based on
the file write and execute permission checks, not this new check.

The attached policy patch excludes wxpage permission from the
general_domain_access() macro so that it will not be allowed by default
to most domains and adds the wxpage permission selectively to a few
domains based on very preliminary experimentation with this new check. 
You may also find it necessary to uncomment the rule added to
base_user_macros.te by the patch to allow user domains this permission,
as they will otherwise be unable to load DSOs that require an executable
stack (e.g. preliminary experimentation with this check prevented many
gnome applications from running at all due to the inability to load a
particular DSO).

I know that the PAX/selinux integration patch approaches this
differently, applying a check based on the executable file type rather
than the process domain, but I would favor a domain-based check for its
greater generality (ability to handle multiple instances of the same
program in different ways) and more direct representation of the actual
operation (can this process perform this action?).  Admittedly, the
domain-based check does impose a cost on policy writers - you have to
define separate domains vs. just separate file types in order to
selectively allow this permission.  But I believe that this cost is
justified.

Please note that this patch does NOT provide the functionality of PAX,
exec-shield, NX support, etc.  It merely provides SELinux policy control
over the ability to create an executable mapping that can contain data
not covered by file permission checks.

Constructive comments welcome.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: sel-wxpage.patch --]
[-- Type: text/x-patch, Size: 3737 bytes --]

Index: linux-2.6/security/selinux/avc.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/avc.c,v
retrieving revision 1.47
diff -u -p -r1.47 avc.c
--- linux-2.6/security/selinux/avc.c	27 Oct 2004 20:09:53 -0000	1.47
+++ linux-2.6/security/selinux/avc.c	8 Nov 2004 21:20:29 -0000
@@ -576,6 +576,8 @@ void avc_audit(u32 ssid, u32 tsid,
 					vma = vma->vm_next;
 				}
 				up_read(&mm->mmap_sem);
+			} else {
+				audit_log_format(ab, " comm=%s", tsk->comm);
 			}
 			if (tsk != current)
 				mmput(mm);
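
Review bot: comm= is emitted only in the new else branch, that is, only when the exe= walk over the VMAs is skipped because mmap_sem is already held by the caller. The process name is cheap to log and useful in every record, so consider emitting ` comm=%s` before the branch rather than inside it; otherwise audit consumers get exe= in some records and comm= in others for the same kind of denial.
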
Index: linux-2.6/security/selinux/hooks.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
retrieving revision 1.132
diff -u -p -r1.132 hooks.c
--- linux-2.6/security/selinux/hooks.c	25 Oct 2004 12:51:44 -0000	1.132
+++ linux-2.6/security/selinux/hooks.c	8 Nov 2004 20:22:41 -0000
@@ -2441,6 +2441,8 @@ static int selinux_file_ioctl(struct fil
 
 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
 {
+	int rc;
+
 	if (file) {
 		/* read access is always possible with a mapping */
 		u32 av = FILE__READ;
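
Review bot: `rc` is declared at function scope but, per the next hunk, is only used inside the `if (prot & PROT_EXEC)` block; declaring it there as `int rc = task_has_perm(...)` keeps the scope tight and avoids the extra blank line churn at the top of the function.
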
@@ -2448,12 +2450,29 @@ static int file_map_prot_check(struct fi
 		/* write access only matters if the mapping is shared */
 		if (shared && (prot & PROT_WRITE))
 			av |= FILE__WRITE;
-
-		if (prot & PROT_EXEC)
+	
+		if (prot & PROT_EXEC) {
 			av |= FILE__EXECUTE;
+			/*
+			 * Check ability to have a writable executable 
+			 * mapping.  In the shared mapping case, this 
+			 * is covered by the file-based checks. 
+			 */
+			if (!shared && (prot & PROT_WRITE)) {
+				rc = task_has_perm(current, current, PROCESS__WXPAGE);
+				if (rc)
+					return rc;
+				/* fall through to file-based checks */
+			}
+		}
 
 		return file_has_perm(current, file, av);
+	} else {
+		/* Check ability to have a writable executable mapping. */ 
+		if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
+			return task_has_perm(current, current, PROCESS__WXPAGE);
 	}
+
 	return 0;
 }
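
Review bot: the wxpage check fires only when PROT_WRITE and PROT_EXEC are both present in the same mmap()/mprotect() request, so a private mapping that was created rw, written, and then changed to rx with mprotect() never reaches `task_has_perm(current, current, PROCESS__WXPAGE)`; file_map_prot_check() cannot see a mapping's write history from `prot` alone, so the mprotect hook would have to supply it. The "fall through to file-based checks" comment is good, since it makes the rx-implies-rwx consistency property from the cover letter explicit. Minor: the blank line replaced at the top of the hunk now contains only a tab, a whitespace-only change that should be dropped.
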
 
Index: linux-2.6/security/selinux/include/av_perm_to_string.h
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_perm_to_string.h,v
retrieving revision 1.15
diff -u -p -r1.15 av_perm_to_string.h
--- linux-2.6/security/selinux/include/av_perm_to_string.h	5 Oct 2004 17:35:29 -0000	1.15
+++ linux-2.6/security/selinux/include/av_perm_to_string.h	8 Nov 2004 20:22:41 -0000
@@ -62,6 +62,7 @@
    S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
    S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
    S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
+   S_(SECCLASS_PROCESS, PROCESS__WXPAGE, "wxpage")
    S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
    S_(SECCLASS_MSG, MSG__SEND, "send")
    S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
Index: linux-2.6/security/selinux/include/av_permissions.h
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_permissions.h,v
retrieving revision 1.14
diff -u -p -r1.14 av_permissions.h
--- linux-2.6/security/selinux/include/av_permissions.h	5 Oct 2004 17:35:29 -0000	1.14
+++ linux-2.6/security/selinux/include/av_permissions.h	8 Nov 2004 20:22:41 -0000
@@ -456,6 +456,7 @@
 #define PROCESS__SIGINH                           0x00100000UL
 #define PROCESS__SETRLIMIT                        0x00200000UL
 #define PROCESS__RLIMITINH                        0x00400000UL
+#define PROCESS__WXPAGE                           0x00800000UL
 
 #define IPC__CREATE                               0x00000001UL
 #define IPC__DESTROY                              0x00000002UL
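
Review bot: PROCESS__WXPAGE takes 0x00800000UL, the next free bit after PROCESS__RLIMITINH, and is placed after rlimitinh in av_perm_to_string.h and in the policy's access_vectors as well, so the three stay in sync. Both headers are generated from access_vectors; the committed versions should come from regenerating them rather than from hand edits, so that a later insertion into the process class cannot leave the bit assignments disagreeing.
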

[-- Attachment #3: policy-wxpage.patch --]
[-- Type: text/x-patch, Size: 4454 bytes --]

Index: policy/domains/program/modutil.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/modutil.te,v
retrieving revision 1.25
diff -u -r1.25 modutil.te
--- policy/domains/program/modutil.te	8 Nov 2004 20:58:16 -0000	1.25
+++ policy/domains/program/modutil.te	9 Nov 2004 17:26:28 -0000
@@ -123,7 +123,7 @@
 allow insmod_t self:rawip_socket create_socket_perms;
 allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config };
 allow insmod_t domain:process signal;
-allow insmod_t self:process { fork signal_perms };
+allow insmod_t self:process { fork signal_perms wxpage };
 allow insmod_t device_t:dir search;
 allow insmod_t etc_runtime_t:file { getattr read };
 
Index: policy/domains/program/unused/prelink.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/prelink.te,v
retrieving revision 1.14
diff -u -r1.14 prelink.te
--- policy/domains/program/unused/prelink.te	8 Nov 2004 20:58:18 -0000	1.14
+++ policy/domains/program/unused/prelink.te	9 Nov 2004 17:26:29 -0000
@@ -11,6 +11,8 @@
 #
 daemon_base_domain(prelink, `, admin')
 
+allow prelink_t self:process wxpage;
+
 allow prelink_t fs_t:filesystem getattr;
 
 ifdef(`crond.te', `
Index: policy/domains/program/unused/udev.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/udev.te,v
retrieving revision 1.32
diff -u -r1.32 udev.te
--- policy/domains/program/unused/udev.te	8 Nov 2004 20:58:19 -0000	1.32
+++ policy/domains/program/unused/udev.te	9 Nov 2004 17:26:29 -0000
@@ -13,6 +13,9 @@
 
 general_domain_access(udev_t)
 
+# Why?
+allow udev_t self:process wxpage;
+
 etc_domain(udev)
 typealias udev_etc_t alias etc_udev_t;
 type udev_helper_exec_t, file_type, sysadmfile, exec_type;
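
Review bot: the `# Why?` placeholder above `allow udev_t self:process wxpage;` should be resolved before this is committed: either replace it with the actual reason udev_t needs a writable executable mapping, or drop the rule and let an AVC denial in the audit log show whether udev_t really needs it.
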
Index: policy/flask/access_vectors
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/flask/access_vectors,v
retrieving revision 1.13
diff -u -r1.13 access_vectors
--- policy/flask/access_vectors	9 Sep 2004 12:01:52 -0000	1.13
+++ policy/flask/access_vectors	8 Nov 2004 16:27:39 -0000
@@ -240,6 +240,7 @@
 	siginh
 	setrlimit
 	rlimitinh
+	wxpage
 }
 
 
Index: policy/macros/base_user_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/base_user_macros.te,v
retrieving revision 1.34
diff -u -r1.34 base_user_macros.te
--- policy/macros/base_user_macros.te	8 Nov 2004 20:58:20 -0000	1.34
+++ policy/macros/base_user_macros.te	9 Nov 2004 17:45:54 -0000
@@ -33,6 +33,9 @@
 # Grant permissions within the domain.
 general_domain_access($1_t);
 
+# Uncomment to allow loading DSOs that require executable stack.
+#allow $1_t self:process wxpage;
+
 #
 # kdeinit wants this access
 #
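
Review bot: a commented-out `#allow $1_t self:process wxpage;` inside a macro means every site that needs it (the cover letter says many gnome applications would not start without it) has to edit core policy. The policy already uses m4 conditionals (see `ifdef(`crond.te', ...)` in prelink.te), so an `ifdef` guard that a build can set would be cleaner than an instruction to uncomment, and it would leave a record of which installations chose to grant it.
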
Index: policy/macros/core_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/core_macros.te,v
retrieving revision 1.24
diff -u -r1.24 core_macros.te
--- policy/macros/core_macros.te	8 Nov 2004 20:58:20 -0000	1.24
+++ policy/macros/core_macros.te	9 Nov 2004 17:26:31 -0000
@@ -617,9 +617,9 @@
 #
 define(`general_domain_access',`
 # Access other processes in the same domain.
-# Omits ptrace, setexec, and setfscreate.  These must be granted 
-# separately if desired.
-allow $1 self:process ~{ptrace setexec setfscreate setrlimit};
+# Omits ptrace, setexec, setfscreate, setrlimit, and wxpage.  
+# These must be granted separately if desired.
+allow $1 self:process ~{ptrace setexec setfscreate setrlimit wxpage};
 
 # Access /proc/PID files for processes in the same domain.
 allow $1 self:dir r_dir_perms;
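
Review bot: the old comment omitted setrlimit even though the `~{...}` set already excluded it; the rewritten comment now matches the rule, which is good. Trailing whitespace remains on `+# Omits ptrace, setexec, setfscreate, setrlimit, and wxpage.  `. Since this exclusion is what makes the new permission default-deny for every domain built on general_domain_access(), any domain that legitimately needs it will surface as an AVC denial, which is the intended way to find the remaining cases.
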
Index: policy/macros/program/xserver_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/xserver_macros.te,v
retrieving revision 1.37
diff -u -r1.37 xserver_macros.te
--- policy/macros/program/xserver_macros.te	8 Nov 2004 20:58:21 -0000	1.37
+++ policy/macros/program/xserver_macros.te	9 Nov 2004 17:26:31 -0000
@@ -56,6 +56,8 @@
 # for access within the domain
 general_domain_access($1_xserver_t)
 
+allow $1_xserver_t self:process wxpage;
+
 allow $1_xserver_t etc_runtime_t:file { getattr read };
 
 ifelse($1, xdm, `


* Re: [RFC][PATCH] Control ability to have a writable executable mapping
  2004-11-09 18:40 [RFC][PATCH] Control ability to have a writable executable mapping Stephen Smalley
@ 2004-11-09 21:05 ` Stephen Smalley
  2004-11-10 15:35   ` Stephen Smalley
  2004-11-09 23:15 ` Joshua Brindle
  1 sibling, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2004-11-09 21:05 UTC (permalink / raw)
  To: selinux; +Cc: Joshua Brindle, Christopher J. PeBenito

On Tue, 2004-11-09 at 13:40, Stephen Smalley wrote:
> Please note that this patch does NOT provide the functionality of PAX,
> exec-shield, NX support, etc.  It merely provides SELinux policy control
> over the ability to create an executable mapping that can contain data
> not covered by file permission checks.

Sorry, the last statement isn't accurate; this patch only provides
SELinux policy control over the ability to have a mapping that is
simultaneously writable and executable.  One could still create a rw
mapping and then later change its protection to rx.  For anonymous
mappings, the patch could be trivially modified to apply the check for
any PROT_EXEC mapping and thus prevent executable anonymous mappings
entirely except when explicitly allowed; that seems reasonable.  Private
file mappings are more problematic.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [RFC][PATCH] Control ability to have a writable executable mapping
  2004-11-09 18:40 [RFC][PATCH] Control ability to have a writable executable mapping Stephen Smalley
  2004-11-09 21:05 ` Stephen Smalley
@ 2004-11-09 23:15 ` Joshua Brindle
  2004-11-10 15:25   ` Stephen Smalley
  2004-11-15 11:52   ` Russell Coker
  1 sibling, 2 replies; 7+ messages in thread
From: Joshua Brindle @ 2004-11-09 23:15 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, Christopher J. PeBenito

Stephen Smalley wrote:

>I know that the PAX/selinux integration patch approaches this
>differently, applying a check based on the executable file type rather
>than the process domain, but I would favor a domain-based check for its
>greater generality (ability to handle multiple instances of the same
>program in different ways) and more direct representation of the actual
>operation (can this process perform this action?).  Admittedly, the
>domain-based check does impose a cost on policy writers - you have to
>define separate domains vs. just separate file types in order to
>selectively allow this permission.  But I believe that this cost is
>justified.

I can't think of any circumstances where the domain which an application 
is in should have an impact on its PaX flags.
In general we want whatever defaults (pageexec, mprotect, randmmap) on 
all the time except in cases where one or more of those flags don't work 
(e.g., java doesn't like pageexec, nor does mono). The caller domain makes 
no difference in whether those will or will not function with PaX 
protection, nor should it make a difference in whether those are enabled.

That said, I know the current implementation breaks the current domain 
source, target object type model, and it would be better to make it the 
same for no better reason than consistency.

On the other hand, you are right, it does impose a higher cost on policy 
writing. However, it isn't clear that SELinux facilitates this sort of 
flag setting via permissions well, since SELinux will deny by default, 
all the flags would be off (!), which is less secure.

>Please note that this patch does NOT provide the functionality of PAX,
>exec-shield, NX support, etc.  It merely provides SELinux policy control
>over the ability to create an executable mapping that can contain data
>not covered by file permission checks.

Out of curiosity, is revocation handled?

>Constructive comments welcome.

It seems like the whole purpose of this is to enforce a consistency 
between filesystem permissions and mmaped files in memory?
Does this fall into the same category as PaX where denying the flag 
actually causes a less secure default?


Joshua Brindle



* Re: [RFC][PATCH] Control ability to have a writable executable mapping
  2004-11-09 23:15 ` Joshua Brindle
@ 2004-11-10 15:25   ` Stephen Smalley
  2004-11-15 11:52   ` Russell Coker
  1 sibling, 0 replies; 7+ messages in thread
From: Stephen Smalley @ 2004-11-10 15:25 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: selinux, Christopher J. PeBenito

On Tue, 2004-11-09 at 18:15, Joshua Brindle wrote:
> That said, I know the current implementation breaks the current domain 
> source, target object type model, and it would be better to make it the 
> same for no better reason than consistency.

Abstractly, you want to control what code can be executed by a given
domain.  Basing your check on the main executable file type (which may
not in fact even be the actual file that required a writable executable
mapping, as that can be triggered by loading a DSO) means that you have
to perform separate analysis of what domains can execute that file type
if you want to know what domains can execute runtime generated code. 
I'm also not entirely clear that it is necessarily a property of an
application under every usage scenario, e.g. if the application
dlopen()'s a shared object that requires executable stack, but only does
so for a certain mode of operation, you could possibly distinguish that
in policy.  As many applications use a single executable for multiple
purposes, it seems preferable to allow for this.

> out of curiousity, is revocation handled?

This doesn't change the status of revocation support in SELinux, i.e. we
revalidate upon certain operations, including mmap/mprotect/read/write,
but we do not presently revoke existing mappings upon a policy change or
file relabel.

> It seems like the whole purpose of this is to enforce a consistency 
> between filesystem permissions and mmaped files in memory?

No, we already apply checking on mmap/mprotect for file-based mappings. 
The new check is just an attempt to provide policy control over creation
of executable mappings that wouldn't be covered by file permission
checks, e.g. anonymous mappings or private file mappings that are
writable or previously written.  Note that the patch didn't fully
address these cases; I'll post a new version shortly based on some other
feedback.

> Does this fall into the same category as PaX where denying the flag 
> actually causes a less secure default?

No, failure to grant this permission leads to an inability to perform
the mmap/mprotect (for the cases covered by the permission).  But note
that I had to include a change to general_domain_access() in the policy
patch to remove the permission by default, as most domains use that
macro and that macro typically gives all but a specific set of excluded
permissions for task->self:process.
  
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency




* Re: [RFC][PATCH] Control ability to have a writable executable mapping
  2004-11-09 21:05 ` Stephen Smalley
@ 2004-11-10 15:35   ` Stephen Smalley
  2004-12-01 17:02     ` Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2004-11-10 15:35 UTC (permalink / raw)
  To: selinux; +Cc: Joshua Brindle, Christopher J. PeBenito, Karl MacMillan

[-- Attachment #1: Type: text/plain, Size: 1427 bytes --]

On Tue, 2004-11-09 at 16:05, Stephen Smalley wrote:
> Sorry, the last statement isn't accurate; this patch only provides
> SELinux policy control over the ability to have a mapping that is
> simultaneously writable and executable.  One could still create a rw
> mapping and then later change its protection to rx.  For anonymous
> mappings, the patch could be trivially modified to apply the check for
> any PROT_EXEC mapping and thus prevent executable anonymous mappings
> entirely except when explicitly allowed; that seems reasonable.  Private
> file mappings are more problematic.

Ok, based on feedback and some sample code from Roland McGrath (but any
bugs are likely mine), here are revised kernel and policy patches with
the following changes:
- permission name has changed from wxpage to execmem to more accurately
represent the meaning,
- always check this permission for any executable anonymous mapping,
whether presently writable or not,
- check this permission not only for a writable executable private file
mapping, but also for an executable private file mapping that has been
previously written (based on whether a COW has occurred for the
mapping).

This brings the check closer to the goal of controlling the ability to
make executable a mapping that can contain data not covered by file
permission checks.

Constructive comments welcome.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: sel-execmem.patch --]
[-- Type: text/x-patch, Size: 3526 bytes --]

Index: linux-2.6/security/selinux/avc.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/avc.c,v
retrieving revision 1.47
diff -u -r1.47 avc.c
--- linux-2.6/security/selinux/avc.c	27 Oct 2004 20:09:53 -0000	1.47
+++ linux-2.6/security/selinux/avc.c	10 Nov 2004 14:51:22 -0000
@@ -576,6 +576,8 @@
 					vma = vma->vm_next;
 				}
 				up_read(&mm->mmap_sem);
+			} else {
+				audit_log_format(ab, " comm=%s", tsk->comm);
 			}
 			if (tsk != current)
 				mmput(mm);
Index: linux-2.6/security/selinux/hooks.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
retrieving revision 1.132
diff -u -r1.132 hooks.c
--- linux-2.6/security/selinux/hooks.c	25 Oct 2004 12:51:44 -0000	1.132
+++ linux-2.6/security/selinux/hooks.c	10 Nov 2004 14:45:22 -0000
@@ -2441,6 +2441,17 @@
 
 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
 {
+	if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
+		/*
+		 * We are making executable an anonymous mapping or a
+		 * private file mapping that will be writable or has been 
+		 * written before.  This has an additional check.
+		 */
+		int rc = task_has_perm(current, current, PROCESS__EXECMEM);
+		if (rc)
+			return rc;
+	}
+
 	if (file) {
 		/* read access is always possible with a mapping */
 		u32 av = FILE__READ;
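
Review bot: the comment says the private file mapping "has been written before", but file_map_prot_check() learns that only because the mprotect hook in the next hunk folds PROT_WRITE into `prot` when the VMA has an anon_vma; the comment should say so, otherwise a reader of this function alone will conclude that a previously written rx request escapes the check. Note also that the condition now checks every executable anonymous mapping regardless of PROT_WRITE, which closes the rw-then-mprotect-to-rx gap acknowledged earlier in the thread for the anonymous case.
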
@@ -2478,6 +2489,15 @@
 	if (rc)
 		return rc;
 
+	if (vma->vm_file != NULL && vma->anon_vma != NULL) {
+		/*
+		 * This is a file mapping that has had some COW done.
+		 * Since pages might have been written, apply the check
+		 * for having writable and executable anonymous pages.
+		 */
+		prot |= PROT_WRITE;
+	}
+
 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
 }
 
Index: linux-2.6/security/selinux/include/av_perm_to_string.h
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_perm_to_string.h,v
retrieving revision 1.15
diff -u -r1.15 av_perm_to_string.h
--- linux-2.6/security/selinux/include/av_perm_to_string.h	5 Oct 2004 17:35:29 -0000	1.15
+++ linux-2.6/security/selinux/include/av_perm_to_string.h	10 Nov 2004 14:45:22 -0000
@@ -62,6 +62,7 @@
    S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
    S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
    S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
+   S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
    S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
    S_(SECCLASS_MSG, MSG__SEND, "send")
    S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
Index: linux-2.6/security/selinux/include/av_permissions.h
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_permissions.h,v
retrieving revision 1.14
diff -u -r1.14 av_permissions.h
--- linux-2.6/security/selinux/include/av_permissions.h	5 Oct 2004 17:35:29 -0000	1.14
+++ linux-2.6/security/selinux/include/av_permissions.h	10 Nov 2004 14:45:22 -0000
@@ -456,6 +456,7 @@
 #define PROCESS__SIGINH                           0x00100000UL
 #define PROCESS__SETRLIMIT                        0x00200000UL
 #define PROCESS__RLIMITINH                        0x00400000UL
+#define PROCESS__EXECMEM                          0x00800000UL
 
 #define IPC__CREATE                               0x00000001UL
 #define IPC__DESTROY                              0x00000002UL

[-- Attachment #3: policy-execmem.patch --]
[-- Type: text/x-patch, Size: 4470 bytes --]

Index: policy/domains/program/modutil.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/modutil.te,v
retrieving revision 1.25
diff -u -r1.25 modutil.te
--- policy/domains/program/modutil.te	8 Nov 2004 20:58:16 -0000	1.25
+++ policy/domains/program/modutil.te	10 Nov 2004 15:02:16 -0000
@@ -123,7 +123,7 @@
 allow insmod_t self:rawip_socket create_socket_perms;
 allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config };
 allow insmod_t domain:process signal;
-allow insmod_t self:process { fork signal_perms };
+allow insmod_t self:process { fork signal_perms execmem };
 allow insmod_t device_t:dir search;
 allow insmod_t etc_runtime_t:file { getattr read };
 
Index: policy/domains/program/unused/prelink.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/prelink.te,v
retrieving revision 1.14
diff -u -r1.14 prelink.te
--- policy/domains/program/unused/prelink.te	8 Nov 2004 20:58:18 -0000	1.14
+++ policy/domains/program/unused/prelink.te	10 Nov 2004 15:02:38 -0000
@@ -11,6 +11,8 @@
 #
 daemon_base_domain(prelink, `, admin')
 
+allow prelink_t self:process execmem;
+
 allow prelink_t fs_t:filesystem getattr;
 
 ifdef(`crond.te', `
Index: policy/domains/program/unused/udev.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/udev.te,v
retrieving revision 1.32
diff -u -r1.32 udev.te
--- policy/domains/program/unused/udev.te	8 Nov 2004 20:58:19 -0000	1.32
+++ policy/domains/program/unused/udev.te	10 Nov 2004 15:02:47 -0000
@@ -13,6 +13,9 @@
 
 general_domain_access(udev_t)
 
+# Why?
+allow udev_t self:process execmem;
+
 etc_domain(udev)
 typealias udev_etc_t alias etc_udev_t;
 type udev_helper_exec_t, file_type, sysadmfile, exec_type;
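
Review bot: the `# Why?` placeholder above `allow udev_t self:process execmem;` survived the rename from wxpage and is still unresolved; it should be replaced with the reason or the rule dropped before commit.
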
Index: policy/flask/access_vectors
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/flask/access_vectors,v
retrieving revision 1.13
diff -u -r1.13 access_vectors
--- policy/flask/access_vectors	9 Sep 2004 12:01:52 -0000	1.13
+++ policy/flask/access_vectors	10 Nov 2004 12:15:55 -0000
@@ -240,6 +240,7 @@
 	siginh
 	setrlimit
 	rlimitinh
+	execmem	
 }
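
Review bot: the new `execmem` entry carries a trailing tab after the permission name, unlike the surrounding siginh/setrlimit/rlimitinh lines; drop it so the access_vectors file stays consistent.
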
 
 
Index: policy/macros/base_user_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/base_user_macros.te,v
retrieving revision 1.34
diff -u -r1.34 base_user_macros.te
--- policy/macros/base_user_macros.te	8 Nov 2004 20:58:20 -0000	1.34
+++ policy/macros/base_user_macros.te	10 Nov 2004 14:54:00 -0000
@@ -33,6 +33,9 @@
 # Grant permissions within the domain.
 general_domain_access($1_t);
 
+# Uncomment to allow loading DSOs that require executable stack.
+#allow $1_t self:process execmem;
+
 #
 # kdeinit wants this access
 #
Index: policy/macros/core_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/core_macros.te,v
retrieving revision 1.24
diff -u -r1.24 core_macros.te
--- policy/macros/core_macros.te	8 Nov 2004 20:58:20 -0000	1.24
+++ policy/macros/core_macros.te	10 Nov 2004 14:54:14 -0000
@@ -617,9 +617,9 @@
 #
 define(`general_domain_access',`
 # Access other processes in the same domain.
-# Omits ptrace, setexec, and setfscreate.  These must be granted 
-# separately if desired.
-allow $1 self:process ~{ptrace setexec setfscreate setrlimit};
+# Omits ptrace, setexec, setfscreate, setrlimit, and execmem.  
+# These must be granted separately if desired.
+allow $1 self:process ~{ptrace setexec setfscreate setrlimit execmem};
 
 # Access /proc/PID files for processes in the same domain.
 allow $1 self:dir r_dir_perms;
Index: policy/macros/program/xserver_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/xserver_macros.te,v
retrieving revision 1.37
diff -u -r1.37 xserver_macros.te
--- policy/macros/program/xserver_macros.te	8 Nov 2004 20:58:21 -0000	1.37
+++ policy/macros/program/xserver_macros.te	10 Nov 2004 15:02:22 -0000
@@ -56,6 +56,8 @@
 # for access within the domain
 general_domain_access($1_xserver_t)
 
+allow $1_xserver_t self:process execmem;
+
 allow $1_xserver_t etc_runtime_t:file { getattr read };
 
 ifelse($1, xdm, `

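As an added illustration (not part of the thread or of the kernel tree), the following user-space model mirrors the decision logic of the 2004-11-10 execmem patch above: which SELinux checks an mmap() or mprotect() request incurs, including the anon_vma-based PROT_WRITE fold in the mprotect hook. The CHK_* names and `struct vma_model` are this example's own; the later 2004-12-01 version splits the previously-written private file case into a separate execmod check, which this model deliberately does not include.

```c
/* Added example: user-space model of the SELinux mmap/mprotect decision
 * logic in the 2004-11-10 execmem patch. This is NOT kernel code; it
 * exists so a policy writer can see which permission each request needs. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/mman.h>   /* PROT_READ, PROT_WRITE, PROT_EXEC */

/* Permission checks the patched hooks would perform, as a bitmask
 * (names are this example's own, not SELinux symbols). */
enum {
    CHK_FILE_READ    = 1 << 0,  /* task->file read: every file mapping */
    CHK_FILE_WRITE   = 1 << 1,  /* task->file write: shared writable mappings */
    CHK_FILE_EXECUTE = 1 << 2,  /* task->file execute: executable file mappings */
    CHK_EXECMEM      = 1 << 3,  /* task->self process:execmem */
};

/* The parts of a VMA that selinux_file_mprotect() looks at in the patch. */
struct vma_model {
    bool has_file;  /* vm_file != NULL: file-backed, otherwise anonymous */
    bool shared;    /* vm_flags & VM_SHARED */
    bool cow_done;  /* anon_vma != NULL: private pages have been written */
};

/* Mirrors file_map_prot_check() from the 2004-11-10 patch. */
static unsigned file_map_prot_check_model(bool has_file, unsigned long prot,
                                          bool shared)
{
    unsigned checks = 0;

    /* execmem: making executable an anonymous mapping, or a private file
     * mapping that is writable (or, via the mprotect fold, was written). */
    if ((prot & PROT_EXEC) && (!has_file || (!shared && (prot & PROT_WRITE))))
        checks |= CHK_EXECMEM;

    if (has_file) {
        checks |= CHK_FILE_READ;          /* read is always implied */
        if (shared && (prot & PROT_WRITE))
            checks |= CHK_FILE_WRITE;     /* writes reach the file only if shared */
        if (prot & PROT_EXEC)
            checks |= CHK_FILE_EXECUTE;
    }
    return checks;
}

/* mmap path: a new mapping has no write history, so prot is taken as is. */
unsigned mmap_checks(bool has_file, unsigned long prot, bool shared)
{
    return file_map_prot_check_model(has_file, prot, shared);
}

/* mprotect path: a file mapping whose anon_vma is set has had COW done,
 * so the patch folds PROT_WRITE into prot before the common check. This
 * is what catches "map rw, write, then mprotect to rx" on private file
 * mappings, which the first (wxpage) version of the patch missed. */
unsigned mprotect_checks(const struct vma_model *vma, unsigned long prot)
{
    if (vma->has_file && vma->cow_done)
        prot |= PROT_WRITE;
    return file_map_prot_check_model(vma->has_file, prot, vma->shared);
}

static void print_checks(const char *label, unsigned checks)
{
    printf("%-42s:", label);
    if (checks & CHK_FILE_READ)    printf(" file:read");
    if (checks & CHK_FILE_WRITE)   printf(" file:write");
    if (checks & CHK_FILE_EXECUTE) printf(" file:execute");
    if (checks & CHK_EXECMEM)      printf(" self:process execmem");
    if (!checks)                   printf(" (none)");
    printf("\n");
}

int main(void)
{
    struct vma_model clean_private = { true, false, false };
    struct vma_model cow_private   = { true, false, true };

    print_checks("mmap anon rw",
                 mmap_checks(false, PROT_READ | PROT_WRITE, false));
    print_checks("mmap anon rx",
                 mmap_checks(false, PROT_READ | PROT_EXEC, false));
    print_checks("mmap private file rwx",
                 mmap_checks(true, PROT_READ | PROT_WRITE | PROT_EXEC, false));
    print_checks("mmap shared file rwx",
                 mmap_checks(true, PROT_READ | PROT_WRITE | PROT_EXEC, true));
    print_checks("mprotect rx, private file, never written",
                 mprotect_checks(&clean_private, PROT_READ | PROT_EXEC));
    print_checks("mprotect rx, private file, written (COW)",
                 mprotect_checks(&cow_private, PROT_READ | PROT_EXEC));
    return 0;
}
```

The shared rwx row shows why the cover letter says shared writable executable file mappings stay under the file write/execute checks and never reach execmem.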

* Re: [RFC][PATCH] Control ability to have a writable executable mapping
  2004-11-09 23:15 ` Joshua Brindle
  2004-11-10 15:25   ` Stephen Smalley
@ 2004-11-15 11:52   ` Russell Coker
  1 sibling, 0 replies; 7+ messages in thread
From: Russell Coker @ 2004-11-15 11:52 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Stephen Smalley, selinux, Christopher J. PeBenito

On Wednesday 10 November 2004 10:15, Joshua Brindle <jbrindle@tresys.com> wrote:
> I can't think of any circumstances where the domain which an application
> is in should have an impact on it's PaX flags.

Maybe instances of the application running in different domains will be 
permitted to load different DSOs such that one domain is permitted to load a 
DSO which wants write-execute access while another domain is not permitted to 
load such DSOs.

It's just a hypothetical, I don't know of an example of this happening.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: [RFC][PATCH] Control ability to have a writable executable mapping
  2004-11-10 15:35   ` Stephen Smalley
@ 2004-12-01 17:02     ` Stephen Smalley
  0 siblings, 0 replies; 7+ messages in thread
From: Stephen Smalley @ 2004-12-01 17:02 UTC (permalink / raw)
  To: selinux; +Cc: Joshua Brindle, Christopher J. PeBenito, Karl MacMillan

[-- Attachment #1: Type: text/plain, Size: 1436 bytes --]

On Wed, 2004-11-10 at 10:35, Stephen Smalley wrote:
> Ok, based on feedback and some sample code from Roland McGrath (but any
> bugs are likely mine), here are revised kernel and policy patches with
> the following changes:
> - permission name has changed from wxpage to execmem to more accurately
> represent the meaning,
> - always check this permission for any executable anonymous mapping,
> whether presently writable or not,
> - check this permission not only for a writable executable private file
> mapping, but also for an executable private file mapping that has been
> previously written (based on whether a COW has occurred for the
> mapping).
> 
> This brings the check closer to the goal of controlling the ability to
> make executable a mapping that can contain data not covered by file
> permission checks.
> 
> Constructive comments welcome.

I've attached the final form of the kernel patch (and a corresponding
policy patch) that is being committed to our tree.  This patch differs
from the previous version in that it splits the single execmem
permission check into two separate permission checks:
1) a task->self execmem check for making executable anonymous mappings
and for making writable executable private file mappings, and
2) a task->file execmod check for making executable previously written
private file mappings (e.g. text relocations).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: 05-execmem.patch --]
[-- Type: text/x-patch, Size: 3963 bytes --]

Index: linux-2.6/security/selinux/hooks.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
retrieving revision 1.139
diff -u -p -r1.139 hooks.c
--- linux-2.6/security/selinux/hooks.c	30 Nov 2004 17:39:08 -0000	1.139
+++ linux-2.6/security/selinux/hooks.c	30 Nov 2004 21:30:04 -0000
@@ -2465,6 +2465,17 @@ static int selinux_file_ioctl(struct fil
 
 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
 {
+	if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
+		/*
+		 * We are making executable an anonymous mapping or a
+		 * private file mapping that will also be writable.
+		 * This has an additional check.
+		 */
+		int rc = task_has_perm(current, current, PROCESS__EXECMEM);
+		if (rc)
+			return rc;
+	}
+
 	if (file) {
 		/* read access is always possible with a mapping */
 		u32 av = FILE__READ;
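Review bot: the comment "This has an additional check." in the new block says neither which permission is checked nor why; state the intent from the cover text, e.g. "content of this mapping need not match any file, so require process:execmem on self", and spell out the case deliberately left to the file checks: a private file mapping created PROT_READ|PROT_WRITE and later mprotect'd to add PROT_EXEC without ever having been written reaches neither this check nor the execmod check in selinux_file_mprotect(), because its contents still equal the file's and file execute is the right check. Writing that down here keeps the next reader from taking the omission for a gap.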
@@ -2502,6 +2513,18 @@ static int selinux_file_mprotect(struct 
 	if (rc)
 		return rc;
 
+	if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
+		/*
+		 * We are making executable a file mapping that has 
+		 * had some COW done. Since pages might have been written, 
+		 * check ability to execute the possibly modified content.
+		 * This typically should only occur for text relocations.
+		 */
+		int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
+		if (rc)
+			return rc;		
+	}
+
 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
 }
 
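Review bot: `int rc` inside the new if block shadows the `rc` already declared in selinux_file_mprotect() (the one tested by `if (rc) return rc;` just above); reuse the outer variable so a later edit that expects `rc` to carry this result is not silently wrong. Two smaller points on the same hunk: the test is per-vma, so a COW anywhere in the vma (including a range merged into it) triggers execmod for the whole mprotect range, and an mprotect that merely re-asserts PROT_EXEC on an already executable, previously written mapping is re-checked on every call; both are conservative and acceptable, but the comment should say "any page in this vma may have been written" rather than "pages might have been written". There is also trailing whitespace on the two comment lines and after `return rc;`.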
Index: linux-2.6/security/selinux/include/av_perm_to_string.h
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_perm_to_string.h,v
retrieving revision 1.18
diff -u -p -r1.18 av_perm_to_string.h
--- linux-2.6/security/selinux/include/av_perm_to_string.h	29 Nov 2004 21:37:36 -0000	1.18
+++ linux-2.6/security/selinux/include/av_perm_to_string.h	30 Nov 2004 21:32:19 -0000
@@ -16,6 +16,7 @@
    S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
    S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
    S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
+   S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
    S_(SECCLASS_FD, FD__USE, "use")
    S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
    S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
@@ -64,6 +65,7 @@
    S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
    S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
    S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
+   S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
    S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
    S_(SECCLASS_MSG, MSG__SEND, "send")
    S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
Index: linux-2.6/security/selinux/include/av_permissions.h
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_permissions.h,v
retrieving revision 1.17
diff -u -p -r1.17 av_permissions.h
--- linux-2.6/security/selinux/include/av_permissions.h	29 Nov 2004 21:37:36 -0000	1.17
+++ linux-2.6/security/selinux/include/av_permissions.h	30 Nov 2004 21:32:19 -0000
@@ -105,6 +105,7 @@
 
 #define FILE__EXECUTE_NO_TRANS                    0x00020000UL
 #define FILE__ENTRYPOINT                          0x00040000UL
+#define FILE__EXECMOD                             0x00080000UL
 
 #define LNK_FILE__IOCTL                           0x00000001UL
 #define LNK_FILE__READ                            0x00000002UL
@@ -458,6 +459,7 @@
 #define PROCESS__RLIMITINH                        0x00400000UL
 #define PROCESS__DYNTRANSITION                    0x00800000UL
 #define PROCESS__SETCURRENT                       0x01000000UL
+#define PROCESS__EXECMEM                          0x02000000UL
 
 #define IPC__CREATE                               0x00000001UL
 #define IPC__DESTROY                              0x00000002UL
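Review bot: av_permissions.h and av_perm_to_string.h are generated from the policy's access_vectors file, so these two files should come from regenerating the headers rather than from hand edits; that is also what guarantees the bit values agree with the policy. As hand-edited they do agree: FILE__EXECMOD 0x00080000UL is the next free bit after FILE__ENTRYPOINT 0x00040000UL, and PROCESS__EXECMEM 0x02000000UL the next after PROCESS__SETCURRENT 0x01000000UL, matching the policy patch appending execmod and execmem at the end of the file and process classes. Any permission added to those classes later has to be appended after these in access_vectors or the kernel and policy values diverge.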

[-- Attachment #3: policy-execmem.patch --]
[-- Type: text/x-patch, Size: 4707 bytes --]

Index: policy/domains/program/modutil.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/modutil.te,v
retrieving revision 1.25
diff -u -r1.25 modutil.te
--- policy/domains/program/modutil.te	8 Nov 2004 20:58:16 -0000	1.25
+++ policy/domains/program/modutil.te	30 Nov 2004 21:30:27 -0000
@@ -123,7 +123,7 @@
 allow insmod_t self:rawip_socket create_socket_perms;
 allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config };
 allow insmod_t domain:process signal;
-allow insmod_t self:process { fork signal_perms };
+allow insmod_t self:process { fork signal_perms execmem };
 allow insmod_t device_t:dir search;
 allow insmod_t etc_runtime_t:file { getattr read };
 
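Review bot: unlike the udev hunk, this grants execmem to insmod_t without a comment saying which program in that domain needs an executable anonymous or writable executable private mapping; add the reason alongside the rule so it can be retired when it no longer applies.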
Index: policy/domains/program/unused/prelink.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/prelink.te,v
retrieving revision 1.14
diff -u -r1.14 prelink.te
--- policy/domains/program/unused/prelink.te	8 Nov 2004 20:58:18 -0000	1.14
+++ policy/domains/program/unused/prelink.te	30 Nov 2004 21:30:27 -0000
@@ -11,6 +11,8 @@
 #
 daemon_base_domain(prelink, `, admin')
 
+allow prelink_t self:process execmem;
+
 allow prelink_t fs_t:filesystem getattr;
 
 ifdef(`crond.te', `
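Review bot: same request as for insmod_t: a one-line comment on why prelink_t needs execmem, in the style of the "# for alsactl" comment in udev.te, would let the rule be dropped if the tool changes.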
Index: policy/domains/program/unused/udev.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/udev.te,v
retrieving revision 1.32
diff -u -r1.32 udev.te
--- policy/domains/program/unused/udev.te	8 Nov 2004 20:58:19 -0000	1.32
+++ policy/domains/program/unused/udev.te	1 Dec 2004 16:42:27 -0000
@@ -13,6 +13,9 @@
 
 general_domain_access(udev_t)
 
+# for alsactl
+allow udev_t self:process execmem;
+
 etc_domain(udev)
 typealias udev_etc_t alias etc_udev_t;
 type udev_helper_exec_t, file_type, sysadmfile, exec_type;
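Review bot: execmem is a self:process permission, so "for alsactl" actually grants every helper udev runs in udev_t the right to executable anonymous and writable executable private mappings, not just alsactl. If alsactl is the only consumer, run it in its own domain through a domain transition from udev_t and grant execmem there, keeping udev_t itself without it.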
Index: policy/flask/access_vectors
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/flask/access_vectors,v
retrieving revision 1.16
diff -u -r1.16 access_vectors
--- policy/flask/access_vectors	29 Nov 2004 21:37:03 -0000	1.16
+++ policy/flask/access_vectors	30 Nov 2004 21:31:06 -0000
@@ -118,6 +118,7 @@
 {
 	execute_no_trans
 	entrypoint
+	execmod
 }
 
 class lnk_file
@@ -242,6 +243,7 @@
 	rlimitinh
 	dyntransition
 	setcurrent
+	execmem
 }
 
 
Index: policy/macros/base_user_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/base_user_macros.te,v
retrieving revision 1.39
diff -u -r1.39 base_user_macros.te
--- policy/macros/base_user_macros.te	29 Nov 2004 19:01:25 -0000	1.39
+++ policy/macros/base_user_macros.te	1 Dec 2004 16:43:02 -0000
@@ -33,6 +33,12 @@
 # Grant permissions within the domain.
 general_domain_access($1_t);
 
+# Allow loading DSOs that require executable stack.
+allow $1_t self:process execmem;
+
+# Allow text relocations on system shared libraries, e.g. libGL.
+allow $1_t shlib_t:file execmod;
+
 #
 # kdeinit wants this access
 #
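Review bot: the comment "Allow loading DSOs that require executable stack" describes something narrower than the rule grants: self:process execmem covers every executable anonymous mapping and every writable executable private file mapping in the domain, whatever the reason. And `allow $1_t shlib_t:file execmod` for every user domain turns the new execmod check into a no-op for text relocations in any library labelled shlib_t, so a modified image of any system library can be made executable by any user process. Since the comment already names the actual need (libGL), consider a dedicated type for the few libraries known to require text relocations and grant execmod on that type only, leaving shlib_t without it.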
Index: policy/macros/core_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/core_macros.te,v
retrieving revision 1.27
diff -u -r1.27 core_macros.te
--- policy/macros/core_macros.te	29 Nov 2004 19:48:10 -0000	1.27
+++ policy/macros/core_macros.te	30 Nov 2004 21:31:46 -0000
@@ -627,9 +627,9 @@
 #
 define(`general_domain_access',`
 # Access other processes in the same domain.
-# Omits ptrace, setcurrent, setexec, and setfscreate.  These must be granted 
-# separately if desired.
-allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit};
+# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, and execmem.  
+# These must be granted separately if desired.
+allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem};
 
 # Access /proc/PID files for processes in the same domain.
 allow $1 self:dir r_dir_perms;
Index: policy/macros/program/xserver_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/xserver_macros.te,v
retrieving revision 1.38
diff -u -r1.38 xserver_macros.te
--- policy/macros/program/xserver_macros.te	19 Nov 2004 22:03:34 -0000	1.38
+++ policy/macros/program/xserver_macros.te	30 Nov 2004 21:30:27 -0000
@@ -58,6 +58,8 @@
 # for access within the domain
 general_domain_access($1_xserver_t)
 
+allow $1_xserver_t self:process execmem;
+
 allow $1_xserver_t etc_runtime_t:file { getattr read };
 
 ifelse($1, xdm, `
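
As an added example to go with the two checks described in the message above (this is not code from the patch or from the SELinux tree), here is a small C program that does two things: it models which permissions the patched file_map_prot_check() and selinux_file_mprotect() consult for a given mapping request, using the visible hunks as the reference, and it exercises the three paths on a running kernel so the resulting avc denials can be compared with the model. The CHK_* bit values, the function names, and the scratch file path /tmp/execmem-probe.bin are this example's own assumptions, not anything from the patch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Which permission checks the patched hooks make; these bit values are
 * this example's own, not the kernel's av_permissions.h values. */
enum {
	CHK_EXECMEM      = 1 << 0,	/* task->self process:execmem */
	CHK_EXECMOD      = 1 << 1,	/* task->file file:execmod */
	CHK_FILE_READ    = 1 << 2,
	CHK_FILE_WRITE   = 1 << 3,
	CHK_FILE_EXECUTE = 1 << 4,
};

/* Mirrors file_map_prot_check() after the patch, i.e. the mmap path. */
int model_map_prot_check(int has_file, int shared, int prot)
{
	int checks = 0;

	/* Executable anonymous mapping, or private file mapping that is also
	 * writable: its content need not match any file, so ask for execmem. */
	if ((prot & PROT_EXEC) && (!has_file || (!shared && (prot & PROT_WRITE))))
		checks |= CHK_EXECMEM;
	if (has_file) {
		checks |= CHK_FILE_READ;	/* a mapping always reads */
		if (shared && (prot & PROT_WRITE))
			checks |= CHK_FILE_WRITE; /* writes reach the file only if shared */
		if (prot & PROT_EXEC)
			checks |= CHK_FILE_EXECUTE;
	}
	return checks;
}

/* Mirrors selinux_file_mprotect(): execmod when a file mapping that has
 * already taken a COW fault (vma->anon_vma set, which only happens for a
 * private mapping) is made executable, then the mmap rules on the new prot. */
int model_mprotect_check(int has_file, int shared, int cow_happened, int prot)
{
	int checks = 0;

	if (has_file && cow_happened && (prot & PROT_EXEC))
		checks |= CHK_EXECMOD;
	return checks | model_map_prot_check(has_file, shared, prot);
}

static int report(const char *what, int ok)
{
	printf("%-50s %s\n", what, ok ? "allowed" : strerror(errno));
	return ok ? 0 : 1;
}

/* Exercise the three paths on the running kernel.  Returns the number of
 * denied operations, or -1 if the scratch file could not be set up.  The
 * scratch path must not be on a noexec mount, or the file mappings fail
 * with EPERM from the VFS before SELinux is consulted. */
int probe_live_kernel(const char *scratch_path)
{
	long pg = sysconf(_SC_PAGESIZE);
	int denied = 0, fd;
	void *p;
	unsigned char *q;

	/* 1. executable anonymous mapping: process:execmem */
	p = mmap(NULL, pg, PROT_READ | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	denied += report("anon mmap PROT_READ|PROT_EXEC (execmem)", p != MAP_FAILED);
	if (p != MAP_FAILED)
		munmap(p, pg);

	fd = open(scratch_path, O_RDWR | O_CREAT | O_TRUNC, 0700);
	if (fd < 0 || ftruncate(fd, pg) < 0) {
		perror(scratch_path);
		return -1;
	}

	/* 2. writable and executable private file mapping: execmem + file execute */
	p = mmap(NULL, pg, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE, fd, 0);
	denied += report("private file mmap RWX (execmem, file execute)", p != MAP_FAILED);
	if (p != MAP_FAILED)
		munmap(p, pg);

	/* 3. private RW file mapping, written (COW fault), then made executable:
	 * file:execmod on the scratch file, plus file execute */
	q = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	if (q == MAP_FAILED) {
		denied += report("private file mmap RW", 0);
	} else {
		q[0] = 0xc3;	/* the write is what gives the vma an anon_vma */
		denied += report("COW'd private mapping mprotect RX (execmod)",
				 mprotect(q, pg, PROT_READ | PROT_EXEC) == 0);
		munmap(q, pg);
	}
	close(fd);
	unlink(scratch_path);
	return denied;
}

int main(void)
{
	int denied = probe_live_kernel("/tmp/execmem-probe.bin"); /* assumed path */
	return denied < 0 ? 2 : (denied ? 1 : 0);
}
```

Run in an unconfined domain all three lines print "allowed"; in a domain without execmem the first two fail with EACCES and the avc record names execmem, and the third fails only where execmod is not allowed on the scratch file's type. Case 3 is the one that distinguishes this version of the patch from the earlier single-permission form: the mapping was never writable and executable at the same time, so only the COW-then-mprotect rule catches it. If /tmp is mounted noexec, point the probe at another directory, since the EPERM from the VFS would mask what the policy decides.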


Thread overview: 7+ messages
2004-11-09 18:40 [RFC][PATCH] Control ability to have a writable executable mapping Stephen Smalley
2004-11-09 21:05 ` Stephen Smalley
2004-11-10 15:35   ` Stephen Smalley
2004-12-01 17:02     ` Stephen Smalley
2004-11-09 23:15 ` Joshua Brindle
2004-11-10 15:25   ` Stephen Smalley
2004-11-15 11:52   ` Russell Coker
