* [RFC][PATCH] Control ability to have a writable executable mapping
@ 2004-11-09 18:40 Stephen Smalley
2004-11-09 21:05 ` Stephen Smalley
2004-11-09 23:15 ` Joshua Brindle
0 siblings, 2 replies; 7+ messages in thread
From: Stephen Smalley @ 2004-11-09 18:40 UTC (permalink / raw)
To: selinux; +Cc: Joshua Brindle, Christopher J. PeBenito
[-- Attachment #1: Type: text/plain, Size: 2860 bytes --]
At present, SELinux only applies permission checks to mmap/mprotect for
file mappings, and it only checks write permission to the file if the
mapping is shared, as the caller does not truly require write permission
to the file for a private copy-on-write mapping nor would we want to
grant write permission to all processes that perform such mappings.
Consequently, SELinux does not currently provide policy control over the
ability of a process to have a writable executable anonymous mapping or
a writable executable private file mapping.
The attached kernel patch adds a new task->self wxpage permission check
for wx private file mappings and for wx anonymous mappings to address
this gap. The task->file execute permission check is still applied to
private file mappings even when the wxpage check is performed for
consistency (ensure that policy always allows rx mapping whenever it
allows rwx mapping). There is also a small change to avc_audit() to
help in policy debugging for these checks, as the exe= information is
suppressed due to the mmap_sem being held by the caller. Note that
writable executable shared file mappings are still controlled based on
the file write and execute permission checks, not this new check.
The attached policy patch excludes wxpage permission from the
general_domain_access() macro so that it will not be allowed by default
to most domains and adds the wxpage permission selectively to a few
domains based on very preliminary experimentation with this new check.
You may also find it necessary to uncomment the rule added to
base_user_macros.te by the patch to allow user domains this permission,
as they will otherwise be unable to load DSOs that require an executable
stack (e.g. preliminary experimentation with this check prevented many
gnome applications from running at all due to the inability to load a
particular DSO).
I know that the PAX/selinux integration patch approaches this
differently, applying a check based on the executable file type rather
than the process domain, but I would favor a domain-based check for its
greater generality (ability to handle multiple instances of the same
program in different ways) and more direct representation of the actual
operation (can this process perform this action?). Admittedly, the
domain-based check does impose a cost on policy writers - you have to
define separate domains vs. just separate file types in order to
selectively allow this permission. But I believe that this cost is
justified.
Please note that this patch does NOT provide the functionality of PAX,
exec-shield, NX support, etc. It merely provides SELinux policy control
over the ability to create an executable mapping that can contain data
not covered by file permission checks.
Constructive comments welcome.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
[-- Attachment #2: sel-wxpage.patch --]
[-- Type: text/x-patch, Size: 3737 bytes --]
Index: linux-2.6/security/selinux/avc.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/avc.c,v
retrieving revision 1.47
diff -u -p -r1.47 avc.c
--- linux-2.6/security/selinux/avc.c 27 Oct 2004 20:09:53 -0000 1.47
+++ linux-2.6/security/selinux/avc.c 8 Nov 2004 21:20:29 -0000
@@ -576,6 +576,8 @@ void avc_audit(u32 ssid, u32 tsid,
vma = vma->vm_next;
}
up_read(&mm->mmap_sem);
+ } else {
+ audit_log_format(ab, " comm=%s", tsk->comm);
}
if (tsk != current)
mmput(mm);
Index: linux-2.6/security/selinux/hooks.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
retrieving revision 1.132
diff -u -p -r1.132 hooks.c
--- linux-2.6/security/selinux/hooks.c 25 Oct 2004 12:51:44 -0000 1.132
+++ linux-2.6/security/selinux/hooks.c 8 Nov 2004 20:22:41 -0000
@@ -2441,6 +2441,8 @@ static int selinux_file_ioctl(struct fil
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
{
+ int rc;
+
if (file) {
/* read access is always possible with a mapping */
u32 av = FILE__READ;
@@ -2448,12 +2450,29 @@ static int file_map_prot_check(struct fi
/* write access only matters if the mapping is shared */
if (shared && (prot & PROT_WRITE))
av |= FILE__WRITE;
-
- if (prot & PROT_EXEC)
+
+ if (prot & PROT_EXEC) {
av |= FILE__EXECUTE;
+ /*
+ * Check ability to have a writable executable
+ * mapping. In the shared mapping case, this
+ * is covered by the file-based checks.
+ */
+ if (!shared && (prot & PROT_WRITE)) {
+ rc = task_has_perm(current, current, PROCESS__WXPAGE);
+ if (rc)
+ return rc;
+ /* fall through to file-based checks */
+ }
+ }
return file_has_perm(current, file, av);
+ } else {
+ /* Check ability to have a writable executable mapping. */
+ if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
+ return task_has_perm(current, current, PROCESS__WXPAGE);
}
+
return 0;
}
Index: linux-2.6/security/selinux/include/av_perm_to_string.h
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_perm_to_string.h,v
retrieving revision 1.15
diff -u -p -r1.15 av_perm_to_string.h
--- linux-2.6/security/selinux/include/av_perm_to_string.h 5 Oct 2004 17:35:29 -0000 1.15
+++ linux-2.6/security/selinux/include/av_perm_to_string.h 8 Nov 2004 20:22:41 -0000
@@ -62,6 +62,7 @@
S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
+ S_(SECCLASS_PROCESS, PROCESS__WXPAGE, "wxpage")
S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
S_(SECCLASS_MSG, MSG__SEND, "send")
S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
Index: linux-2.6/security/selinux/include/av_permissions.h
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_permissions.h,v
retrieving revision 1.14
diff -u -p -r1.14 av_permissions.h
--- linux-2.6/security/selinux/include/av_permissions.h 5 Oct 2004 17:35:29 -0000 1.14
+++ linux-2.6/security/selinux/include/av_permissions.h 8 Nov 2004 20:22:41 -0000
@@ -456,6 +456,7 @@
#define PROCESS__SIGINH 0x00100000UL
#define PROCESS__SETRLIMIT 0x00200000UL
#define PROCESS__RLIMITINH 0x00400000UL
+#define PROCESS__WXPAGE 0x00800000UL
#define IPC__CREATE 0x00000001UL
#define IPC__DESTROY 0x00000002UL
[-- Attachment #3: policy-wxpage.patch --]
[-- Type: text/x-patch, Size: 4454 bytes --]
Index: policy/domains/program/modutil.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/modutil.te,v
retrieving revision 1.25
diff -u -r1.25 modutil.te
--- policy/domains/program/modutil.te 8 Nov 2004 20:58:16 -0000 1.25
+++ policy/domains/program/modutil.te 9 Nov 2004 17:26:28 -0000
@@ -123,7 +123,7 @@
allow insmod_t self:rawip_socket create_socket_perms;
allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config };
allow insmod_t domain:process signal;
-allow insmod_t self:process { fork signal_perms };
+allow insmod_t self:process { fork signal_perms wxpage };
allow insmod_t device_t:dir search;
allow insmod_t etc_runtime_t:file { getattr read };
Index: policy/domains/program/unused/prelink.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/prelink.te,v
retrieving revision 1.14
diff -u -r1.14 prelink.te
--- policy/domains/program/unused/prelink.te 8 Nov 2004 20:58:18 -0000 1.14
+++ policy/domains/program/unused/prelink.te 9 Nov 2004 17:26:29 -0000
@@ -11,6 +11,8 @@
#
daemon_base_domain(prelink, `, admin')
+allow prelink_t self:process wxpage;
+
allow prelink_t fs_t:filesystem getattr;
ifdef(`crond.te', `
Index: policy/domains/program/unused/udev.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/udev.te,v
retrieving revision 1.32
diff -u -r1.32 udev.te
--- policy/domains/program/unused/udev.te 8 Nov 2004 20:58:19 -0000 1.32
+++ policy/domains/program/unused/udev.te 9 Nov 2004 17:26:29 -0000
@@ -13,6 +13,9 @@
general_domain_access(udev_t)
+# Why?
+allow udev_t self:process wxpage;
+
etc_domain(udev)
typealias udev_etc_t alias etc_udev_t;
type udev_helper_exec_t, file_type, sysadmfile, exec_type;
Index: policy/flask/access_vectors
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/flask/access_vectors,v
retrieving revision 1.13
diff -u -r1.13 access_vectors
--- policy/flask/access_vectors 9 Sep 2004 12:01:52 -0000 1.13
+++ policy/flask/access_vectors 8 Nov 2004 16:27:39 -0000
@@ -240,6 +240,7 @@
siginh
setrlimit
rlimitinh
+ wxpage
}
Index: policy/macros/base_user_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/base_user_macros.te,v
retrieving revision 1.34
diff -u -r1.34 base_user_macros.te
--- policy/macros/base_user_macros.te 8 Nov 2004 20:58:20 -0000 1.34
+++ policy/macros/base_user_macros.te 9 Nov 2004 17:45:54 -0000
@@ -33,6 +33,9 @@
# Grant permissions within the domain.
general_domain_access($1_t);
+# Uncomment to allow loading DSOs that require executable stack.
+#allow $1_t self:process wxpage;
+
#
# kdeinit wants this access
#
Index: policy/macros/core_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/core_macros.te,v
retrieving revision 1.24
diff -u -r1.24 core_macros.te
--- policy/macros/core_macros.te 8 Nov 2004 20:58:20 -0000 1.24
+++ policy/macros/core_macros.te 9 Nov 2004 17:26:31 -0000
@@ -617,9 +617,9 @@
#
define(`general_domain_access',`
# Access other processes in the same domain.
-# Omits ptrace, setexec, and setfscreate. These must be granted
-# separately if desired.
-allow $1 self:process ~{ptrace setexec setfscreate setrlimit};
+# Omits ptrace, setexec, setfscreate, setrlimit, and wxpage.
+# These must be granted separately if desired.
+allow $1 self:process ~{ptrace setexec setfscreate setrlimit wxpage};
# Access /proc/PID files for processes in the same domain.
allow $1 self:dir r_dir_perms;
Index: policy/macros/program/xserver_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/xserver_macros.te,v
retrieving revision 1.37
diff -u -r1.37 xserver_macros.te
--- policy/macros/program/xserver_macros.te 8 Nov 2004 20:58:21 -0000 1.37
+++ policy/macros/program/xserver_macros.te 9 Nov 2004 17:26:31 -0000
@@ -56,6 +56,8 @@
# for access within the domain
general_domain_access($1_xserver_t)
+allow $1_xserver_t self:process wxpage;
+
allow $1_xserver_t etc_runtime_t:file { getattr read };
ifelse($1, xdm, `
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [RFC][PATCH] Control ability to have a writable executable mapping 2004-11-09 18:40 [RFC][PATCH] Control ability to have a writable executable mapping Stephen Smalley @ 2004-11-09 21:05 ` Stephen Smalley 2004-11-10 15:35 ` Stephen Smalley 2004-11-09 23:15 ` Joshua Brindle 1 sibling, 1 reply; 7+ messages in thread From: Stephen Smalley @ 2004-11-09 21:05 UTC (permalink / raw) To: selinux; +Cc: Joshua Brindle, Christopher J. PeBenito On Tue, 2004-11-09 at 13:40, Stephen Smalley wrote: > Please note that this patch does NOT provide the functionality of PAX, > exec-shield, NX support, etc. It merely provides SELinux policy control > over the ability to create an executable mapping that can contain data > not covered by file permission checks. Sorry, the last statement isn't accurate; this patch only provides SELinux policy control over the ability to have a mapping that is simultaneously writable and executable. One could still create a rw mapping and then later change its protection to rx. For anonymous mappings, the patch could be trivially modified to apply the check for any PROT_EXEC mapping and thus prevent executable anonymous mappings entirely except when explicitly allowed; that seems reasonable. Private file mappings are more problematic. -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC][PATCH] Control ability to have a writable executable mapping 2004-11-09 21:05 ` Stephen Smalley @ 2004-11-10 15:35 ` Stephen Smalley 2004-12-01 17:02 ` Stephen Smalley 0 siblings, 1 reply; 7+ messages in thread From: Stephen Smalley @ 2004-11-10 15:35 UTC (permalink / raw) To: selinux; +Cc: Joshua Brindle, Christopher J. PeBenito, Karl MacMillan [-- Attachment #1: Type: text/plain, Size: 1427 bytes --] On Tue, 2004-11-09 at 16:05, Stephen Smalley wrote: > Sorry, the last statement isn't accurate; this patch only provides > SELinux policy control over the ability to have a mapping that is > simultaneously writable and executable. One could still create a rw > mapping and then later change its protection to rx. For anonymous > mappings, the patch could be trivially modified to apply the check for > any PROT_EXEC mapping and thus prevent executable anonymous mappings > entirely except when explicitly allowed; that seems reasonable. Private > file mappings are more problematic. Ok, based on feedback and some sample code from Roland McGrath (but any bugs are likely mine), here are revised kernel and policy patches with the following changes: - permission name has changed from wxpage to execmem to more accurately represent the meaning, - always check this permission for any executable anonymous mapping, whether presently writable or not, - check this permission not only for a writable executable private file mapping, but also for an executable private file mapping that has been previously written (based on whether a COW has occurred for the mapping). This brings the check closer to the goal of controlling the ability to make executable a mapping that can contain data not covered by file permission checks. Constructive comments welcome. -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency [-- Attachment #2: sel-execmem.patch --] [-- Type: text/x-patch, Size: 3526 bytes --] Index: linux-2.6/security/selinux/avc.c =================================================================== RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/avc.c,v retrieving revision 1.47 diff -u -r1.47 avc.c --- linux-2.6/security/selinux/avc.c 27 Oct 2004 20:09:53 -0000 1.47 +++ linux-2.6/security/selinux/avc.c 10 Nov 2004 14:51:22 -0000 @@ -576,6 +576,8 @@ vma = vma->vm_next; } up_read(&mm->mmap_sem); + } else { + audit_log_format(ab, " comm=%s", tsk->comm); } if (tsk != current) mmput(mm); Index: linux-2.6/security/selinux/hooks.c =================================================================== RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v retrieving revision 1.132 diff -u -r1.132 hooks.c --- linux-2.6/security/selinux/hooks.c 25 Oct 2004 12:51:44 -0000 1.132 +++ linux-2.6/security/selinux/hooks.c 10 Nov 2004 14:45:22 -0000 @@ -2441,6 +2441,17 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared) { + if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { + /* + * We are making executable an anonymous mapping or a + * private file mapping that will be writable or has been + * written before. This has an additional check. + */ + int rc = task_has_perm(current, current, PROCESS__EXECMEM); + if (rc) + return rc; + } + if (file) { /* read access is always possible with a mapping */ u32 av = FILE__READ; @@ -2478,6 +2489,15 @@ if (rc) return rc; + if (vma->vm_file != NULL && vma->anon_vma != NULL) { + /* + * This is a file mapping that has had some COW done. + * Since pages might have been written, apply the check + * for having writable and executable anonymous pages. + */ + prot |= PROT_WRITE; + } + return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); } Index: linux-2.6/security/selinux/include/av_perm_to_string.h =================================================================== RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_perm_to_string.h,v retrieving revision 1.15 diff -u -r1.15 av_perm_to_string.h --- linux-2.6/security/selinux/include/av_perm_to_string.h 5 Oct 2004 17:35:29 -0000 1.15 +++ linux-2.6/security/selinux/include/av_perm_to_string.h 10 Nov 2004 14:45:22 -0000 @@ -62,6 +62,7 @@ S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh") S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit") S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh") + S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem") S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue") S_(SECCLASS_MSG, MSG__SEND, "send") S_(SECCLASS_MSG, MSG__RECEIVE, "receive") Index: linux-2.6/security/selinux/include/av_permissions.h =================================================================== RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_permissions.h,v retrieving revision 1.14 diff -u -r1.14 av_permissions.h --- linux-2.6/security/selinux/include/av_permissions.h 5 Oct 2004 17:35:29 -0000 1.14 +++ linux-2.6/security/selinux/include/av_permissions.h 10 Nov 2004 14:45:22 -0000 @@ -456,6 +456,7 @@ #define PROCESS__SIGINH 0x00100000UL #define PROCESS__SETRLIMIT 0x00200000UL #define PROCESS__RLIMITINH 0x00400000UL +#define PROCESS__EXECMEM 0x00800000UL #define IPC__CREATE 0x00000001UL #define IPC__DESTROY 0x00000002UL [-- Attachment #3: policy-execmem.patch --] [-- Type: text/x-patch, Size: 4470 bytes --] Index: policy/domains/program/modutil.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/modutil.te,v retrieving revision 1.25 diff -u -r1.25 modutil.te --- policy/domains/program/modutil.te 8 Nov 2004 20:58:16 -0000 1.25 +++ policy/domains/program/modutil.te 10 Nov 2004 15:02:16 -0000 @@ -123,7 +123,7 @@ allow insmod_t self:rawip_socket create_socket_perms; allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config }; allow insmod_t domain:process signal; -allow insmod_t self:process { fork signal_perms }; +allow insmod_t self:process { fork signal_perms execmem }; allow insmod_t device_t:dir search; allow insmod_t etc_runtime_t:file { getattr read }; Index: policy/domains/program/unused/prelink.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/prelink.te,v retrieving revision 1.14 diff -u -r1.14 prelink.te --- policy/domains/program/unused/prelink.te 8 Nov 2004 20:58:18 -0000 1.14 +++ policy/domains/program/unused/prelink.te 10 Nov 2004 15:02:38 -0000 @@ -11,6 +11,8 @@ # daemon_base_domain(prelink, `, admin') +allow prelink_t self:process execmem; + allow prelink_t fs_t:filesystem getattr; ifdef(`crond.te', ` Index: policy/domains/program/unused/udev.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/udev.te,v retrieving revision 1.32 diff -u -r1.32 udev.te --- policy/domains/program/unused/udev.te 8 Nov 2004 20:58:19 -0000 1.32 +++ policy/domains/program/unused/udev.te 10 Nov 2004 15:02:47 -0000 @@ -13,6 +13,9 @@ general_domain_access(udev_t) +# Why? +allow udev_t self:process execmem; + etc_domain(udev) typealias udev_etc_t alias etc_udev_t; type udev_helper_exec_t, file_type, sysadmfile, exec_type; Index: policy/flask/access_vectors =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/flask/access_vectors,v retrieving revision 1.13 diff -u -r1.13 access_vectors --- policy/flask/access_vectors 9 Sep 2004 12:01:52 -0000 1.13 +++ policy/flask/access_vectors 10 Nov 2004 12:15:55 -0000 @@ -240,6 +240,7 @@ siginh setrlimit rlimitinh + execmem } Index: policy/macros/base_user_macros.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/base_user_macros.te,v retrieving revision 1.34 diff -u -r1.34 base_user_macros.te --- policy/macros/base_user_macros.te 8 Nov 2004 20:58:20 -0000 1.34 +++ policy/macros/base_user_macros.te 10 Nov 2004 14:54:00 -0000 @@ -33,6 +33,9 @@ # Grant permissions within the domain. general_domain_access($1_t); +# Uncomment to allow loading DSOs that require executable stack. +#allow $1_t self:process execmem; + # # kdeinit wants this access # Index: policy/macros/core_macros.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/core_macros.te,v retrieving revision 1.24 diff -u -r1.24 core_macros.te --- policy/macros/core_macros.te 8 Nov 2004 20:58:20 -0000 1.24 +++ policy/macros/core_macros.te 10 Nov 2004 14:54:14 -0000 @@ -617,9 +617,9 @@ # define(`general_domain_access',` # Access other processes in the same domain. -# Omits ptrace, setexec, and setfscreate. These must be granted -# separately if desired. -allow $1 self:process ~{ptrace setexec setfscreate setrlimit}; +# Omits ptrace, setexec, setfscreate, setrlimit, and execmem. +# These must be granted separately if desired. +allow $1 self:process ~{ptrace setexec setfscreate setrlimit execmem}; # Access /proc/PID files for processes in the same domain. allow $1 self:dir r_dir_perms; Index: policy/macros/program/xserver_macros.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/xserver_macros.te,v retrieving revision 1.37 diff -u -r1.37 xserver_macros.te --- policy/macros/program/xserver_macros.te 8 Nov 2004 20:58:21 -0000 1.37 +++ policy/macros/program/xserver_macros.te 10 Nov 2004 15:02:22 -0000 @@ -56,6 +56,8 @@ # for access within the domain general_domain_access($1_xserver_t) +allow $1_xserver_t self:process execmem; + allow $1_xserver_t etc_runtime_t:file { getattr read }; ifelse($1, xdm, ` ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC][PATCH] Control ability to have a writable executable mapping 2004-11-10 15:35 ` Stephen Smalley @ 2004-12-01 17:02 ` Stephen Smalley 0 siblings, 0 replies; 7+ messages in thread From: Stephen Smalley @ 2004-12-01 17:02 UTC (permalink / raw) To: selinux; +Cc: Joshua Brindle, Christopher J. PeBenito, Karl MacMillan [-- Attachment #1: Type: text/plain, Size: 1436 bytes --] On Wed, 2004-11-10 at 10:35, Stephen Smalley wrote: > Ok, based on feedback and some sample code from Roland McGrath (but any > bugs are likely mine), here are revised kernel and policy patches with > the following changes: > - permission name has changed from wxpage to execmem to more accurately > represent the meaning, > - always check this permission for any executable anonymous mapping, > whether presently writable or not, > - check this permission not only for a writable executable private file > mapping, but also for an executable private file mapping that has been > previously written (based on whether a COW has occurred for the > mapping). > > This brings the check closer to the goal of controlling the ability to > make executable a mapping that can contain data not covered by file > permission checks. > > Constructive comments welcome. I've attached the final form of the kernel patch (and a corresponding policy patch) that is being committed to our tree. This patch differs from the previous version in that it splits the single execmem permission check into two separate permission checks: 1) a task->self execmem check for making executable anonymous mappings and for making writable executable private file mappings, and 2) a task->file execmod check for making executable previously written private file mappings (e.g. text relocations). -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency [-- Attachment #2: 05-execmem.patch --] [-- Type: text/x-patch, Size: 3963 bytes --] Index: linux-2.6/security/selinux/hooks.c =================================================================== RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v retrieving revision 1.139 diff -u -p -r1.139 hooks.c --- linux-2.6/security/selinux/hooks.c 30 Nov 2004 17:39:08 -0000 1.139 +++ linux-2.6/security/selinux/hooks.c 30 Nov 2004 21:30:04 -0000 @@ -2465,6 +2465,17 @@ static int selinux_file_ioctl(struct fil static int file_map_prot_check(struct file *file, unsigned long prot, int shared) { + if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { + /* + * We are making executable an anonymous mapping or a + * private file mapping that will also be writable. + * This has an additional check. + */ + int rc = task_has_perm(current, current, PROCESS__EXECMEM); + if (rc) + return rc; + } + if (file) { /* read access is always possible with a mapping */ u32 av = FILE__READ; @@ -2502,6 +2513,18 @@ static int selinux_file_mprotect(struct if (rc) return rc; + if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) { + /* + * We are making executable a file mapping that has + * had some COW done. Since pages might have been written, + * check ability to execute the possibly modified content. + * This typically should only occur for text relocations. + */ + int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD); + if (rc) + return rc; + } + return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); } Index: linux-2.6/security/selinux/include/av_perm_to_string.h =================================================================== RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_perm_to_string.h,v retrieving revision 1.18 diff -u -p -r1.18 av_perm_to_string.h --- linux-2.6/security/selinux/include/av_perm_to_string.h 29 Nov 2004 21:37:36 -0000 1.18 +++ linux-2.6/security/selinux/include/av_perm_to_string.h 30 Nov 2004 21:32:19 -0000 @@ -16,6 +16,7 @@ S_(SECCLASS_DIR, DIR__RMDIR, "rmdir") S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans") S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint") + S_(SECCLASS_FILE, FILE__EXECMOD, "execmod") S_(SECCLASS_FD, FD__USE, "use") S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto") S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn") @@ -64,6 +65,7 @@ S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh") S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition") S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent") + S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem") S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue") S_(SECCLASS_MSG, MSG__SEND, "send") S_(SECCLASS_MSG, MSG__RECEIVE, "receive") Index: linux-2.6/security/selinux/include/av_permissions.h =================================================================== RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_permissions.h,v retrieving revision 1.17 diff -u -p -r1.17 av_permissions.h --- linux-2.6/security/selinux/include/av_permissions.h 29 Nov 2004 21:37:36 -0000 1.17 +++ linux-2.6/security/selinux/include/av_permissions.h 30 Nov 2004 21:32:19 -0000 @@ -105,6 +105,7 @@ #define FILE__EXECUTE_NO_TRANS 0x00020000UL #define FILE__ENTRYPOINT 0x00040000UL +#define FILE__EXECMOD 0x00080000UL #define LNK_FILE__IOCTL 0x00000001UL #define LNK_FILE__READ 0x00000002UL @@ -458,6 +459,7 @@ #define PROCESS__RLIMITINH 0x00400000UL #define PROCESS__DYNTRANSITION 0x00800000UL #define PROCESS__SETCURRENT 0x01000000UL +#define PROCESS__EXECMEM 0x02000000UL #define IPC__CREATE 0x00000001UL #define IPC__DESTROY 0x00000002UL [-- Attachment #3: policy-execmem.patch --] [-- Type: text/x-patch, Size: 4707 bytes --] Index: policy/domains/program/modutil.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/modutil.te,v retrieving revision 1.25 diff -u -r1.25 modutil.te --- policy/domains/program/modutil.te 8 Nov 2004 20:58:16 -0000 1.25 +++ policy/domains/program/modutil.te 30 Nov 2004 21:30:27 -0000 @@ -123,7 +123,7 @@ allow insmod_t self:rawip_socket create_socket_perms; allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config }; allow insmod_t domain:process signal; -allow insmod_t self:process { fork signal_perms }; +allow insmod_t self:process { fork signal_perms execmem }; allow insmod_t device_t:dir search; allow insmod_t etc_runtime_t:file { getattr read }; Index: policy/domains/program/unused/prelink.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/prelink.te,v retrieving revision 1.14 diff -u -r1.14 prelink.te --- policy/domains/program/unused/prelink.te 8 Nov 2004 20:58:18 -0000 1.14 +++ policy/domains/program/unused/prelink.te 30 Nov 2004 21:30:27 -0000 @@ -11,6 +11,8 @@ # daemon_base_domain(prelink, `, admin') +allow prelink_t self:process execmem; + allow prelink_t fs_t:filesystem getattr; ifdef(`crond.te', ` Index: policy/domains/program/unused/udev.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/udev.te,v retrieving revision 1.32 diff -u -r1.32 udev.te --- policy/domains/program/unused/udev.te 8 Nov 2004 20:58:19 -0000 1.32 +++ policy/domains/program/unused/udev.te 1 Dec 2004 16:42:27 -0000 @@ -13,6 +13,9 @@ general_domain_access(udev_t) +# for alsactl +allow udev_t self:process execmem; + etc_domain(udev) typealias udev_etc_t alias etc_udev_t; type udev_helper_exec_t, file_type, sysadmfile, exec_type; Index: policy/flask/access_vectors =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/flask/access_vectors,v retrieving revision 1.16 diff -u -r1.16 access_vectors --- policy/flask/access_vectors 29 Nov 2004 21:37:03 -0000 1.16 +++ policy/flask/access_vectors 30 Nov 2004 21:31:06 -0000 @@ -118,6 +118,7 @@ { execute_no_trans entrypoint + execmod } class lnk_file @@ -242,6 +243,7 @@ rlimitinh dyntransition setcurrent + execmem } Index: policy/macros/base_user_macros.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/base_user_macros.te,v retrieving revision 1.39 diff -u -r1.39 base_user_macros.te --- policy/macros/base_user_macros.te 29 Nov 2004 19:01:25 -0000 1.39 +++ policy/macros/base_user_macros.te 1 Dec 2004 16:43:02 -0000 @@ -33,6 +33,12 @@ # Grant permissions within the domain. general_domain_access($1_t); +# Allow loading DSOs that require executable stack. +allow $1_t self:process execmem; + +# Allow text relocations on system shared libraries, e.g. libGL. +allow $1_t shlib_t:file execmod; + # # kdeinit wants this access # Index: policy/macros/core_macros.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/core_macros.te,v retrieving revision 1.27 diff -u -r1.27 core_macros.te --- policy/macros/core_macros.te 29 Nov 2004 19:48:10 -0000 1.27 +++ policy/macros/core_macros.te 30 Nov 2004 21:31:46 -0000 @@ -627,9 +627,9 @@ # define(`general_domain_access',` # Access other processes in the same domain. -# Omits ptrace, setcurrent, setexec, and setfscreate. These must be granted -# separately if desired. -allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit}; +# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, and execmem. +# These must be granted separately if desired. +allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem}; # Access /proc/PID files for processes in the same domain. allow $1 self:dir r_dir_perms; Index: policy/macros/program/xserver_macros.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/xserver_macros.te,v retrieving revision 1.38 diff -u -r1.38 xserver_macros.te --- policy/macros/program/xserver_macros.te 19 Nov 2004 22:03:34 -0000 1.38 +++ policy/macros/program/xserver_macros.te 30 Nov 2004 21:30:27 -0000 @@ -58,6 +58,8 @@ # for access within the domain general_domain_access($1_xserver_t) +allow $1_xserver_t self:process execmem; + allow $1_xserver_t etc_runtime_t:file { getattr read }; ifelse($1, xdm, ` ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC][PATCH] Control ability to have a writable executable mapping 2004-11-09 18:40 [RFC][PATCH] Control ability to have a writable executable mapping Stephen Smalley 2004-11-09 21:05 ` Stephen Smalley @ 2004-11-09 23:15 ` Joshua Brindle 2004-11-10 15:25 ` Stephen Smalley 2004-11-15 11:52 ` Russell Coker 1 sibling, 2 replies; 7+ messages in thread From: Joshua Brindle @ 2004-11-09 23:15 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux, Christopher J. PeBenito Stephen Smalley wrote: >I know that the PAX/selinux integration patch approaches this >differently, applying a check based on the executable file type rather >than the process domain, but I would favor a domain-based check for its >greater generality (ability to handle multiple instances of the same >program in different ways) and more direct representation of the actual >operation (can this process perform this action?). Admittedly, the >domain-based check does impose a cost on policy writers - you have to >define separate domains vs. just separate file types in order to >selectively allow this permission. But I believe that this cost is >justified. > > I can't think of any circumstances where the domain which an application is in should have an impact on it's PaX flags. In general we want whatever defaults (pageexec, mprotect, randmmap) on all the time except in cases where one or more of those flags don't work (eg, java doesn't like pageexec, nor does mono). The caller domain makes no difference in whether those will or will not function with PaX protection, nor should it make a difference in whether those are enabled. That said, I know the current implementation breaks the current domain source, target object type model, and it would be better to make it the same for no better reason than consistancy. On the other hand, you are right, it does impose a higher cost on policy writing. However, it isn't clear that SELinux facilitates this sort of flag setting via permissions well, since SELinux will deny by default all the flags would be off (!) which is less secure. >Please note that this patch does NOT provide the functionality of PAX, >exec-shield, NX support, etc. It merely provides SELinux policy control >over the ability to create an executable mapping that can contain data >not covered by file permission checks. > > > out of curiousity, is revocation handled? >Constructive comments welcome. > > > It seems like the whole purpose of this is to enforce a consistancy between filesystem permissions and mmaped files in memory? Does this fall into the same category as PaX where denying the flag actually causes a less secure default? Joshua Brindle -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC][PATCH] Control ability to have a writable executable mapping 2004-11-09 23:15 ` Joshua Brindle @ 2004-11-10 15:25 ` Stephen Smalley 2004-11-15 11:52 ` Russell Coker 1 sibling, 0 replies; 7+ messages in thread From: Stephen Smalley @ 2004-11-10 15:25 UTC (permalink / raw) To: Joshua Brindle; +Cc: selinux, Christopher J. PeBenito On Tue, 2004-11-09 at 18:15, Joshua Brindle wrote: > That said, I know the current implementation breaks the current domain > source, target object type model, and it would be better to make it the > same for no better reason than consistancy. Abstractly, you want to control what code can be executed by a given domain. Basing your check on the main executable file type (which may not in fact even be the actual file that required a writable executable mapping, as that can be triggered by loading a DSO) means that you have to perform separate analysis of what domains can execute that file type if you want to know what domains can execute runtime generated code. I'm also not entirely clear that it is necessarily a property of an application under every usage scenario, e.g. if the application dlopen()'s a shared object that requires executable stack, but only does so for a certain mode of operation, you could possibly distinguish that in policy. As many applications use a single executable for multiple purposes, it seems preferable to allow for this. > out of curiousity, is revocation handled? This doesn't change the status of revocation support in SELinux, i.e. we revalidate upon certain operations, including mmap/mprotect/read/write, but we do not presently revoke existing mappings upon a policy change or file relabel. > It seems like the whole purpose of this is to enforce a consistancy > between filesystem permissions and mmaped files in memory? No, we already apply checking on mmap/mprotect for file-based mappings. The new check is just an attempt to provide policy control over creation of executable mappings that wouldn't be covered by file permission checks, e.g. anonymous mappings or private file mappings that are writable or previously written. Note that the patch didn't fully address these cases; I'll post a new version shortly based on some other feedback. > Does this fall into the same category as PaX where denying the flag > actually causes a less secure default? No, failure to grant this permission leads to an inability to perform the mmap/mprotect (for the cases covered by the permission). But note that I had to include a change to general_domain_access() in the policy patch to remove the permission by default, as most domains use that macro and that macro typically gives all but a specific set of excluded permissions for task->self:process. -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC][PATCH] Control ability to have a writable executable mapping 2004-11-09 23:15 ` Joshua Brindle 2004-11-10 15:25 ` Stephen Smalley @ 2004-11-15 11:52 ` Russell Coker 1 sibling, 0 replies; 7+ messages in thread From: Russell Coker @ 2004-11-15 11:52 UTC (permalink / raw) To: Joshua Brindle; +Cc: Stephen Smalley, selinux, Christopher J. PeBenito On Wednesday 10 November 2004 10:15, Joshua Brindle <jbrindle@tresys.com> wrote: > I can't think of any circumstances where the domain which an application > is in should have an impact on it's PaX flags. Maybe instances of the application running in different domains will be permitted to load different DSOs such that one domain is permitted to load a DSO which wants write-execute access while another domain is not permitted to load such DSOs. It's just a hypothetical, I don't know of an example of this happening. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2004-12-01 17:07 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2004-11-09 18:40 [RFC][PATCH] Control ability to have a writable executable mapping Stephen Smalley 2004-11-09 21:05 ` Stephen Smalley 2004-11-10 15:35 ` Stephen Smalley 2004-12-01 17:02 ` Stephen Smalley 2004-11-09 23:15 ` Joshua Brindle 2004-11-10 15:25 ` Stephen Smalley 2004-11-15 11:52 ` Russell Coker
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.