From: Stephen Smalley <sds@epoch.ncsc.mil>
To: selinux@tycho.nsa.gov
Cc: Joshua Brindle <jbrindle@tresys.com>,
"Christopher J. PeBenito" <cpebenito@tresys.com>,
Karl MacMillan <kmacmillan@tresys.com>
Subject: Re: [RFC][PATCH] Control ability to have a writable executable mapping
Date: Wed, 01 Dec 2004 12:02:25 -0500 [thread overview]
Message-ID: <1101920545.24332.44.camel@moss-spartans.epoch.ncsc.mil> (raw)
In-Reply-To: <1100100906.1972.198.camel@moss-spartans.epoch.ncsc.mil>
[-- Attachment #1: Type: text/plain, Size: 1436 bytes --]
On Wed, 2004-11-10 at 10:35, Stephen Smalley wrote:
> Ok, based on feedback and some sample code from Roland McGrath (but any
> bugs are likely mine), here are revised kernel and policy patches with
> the following changes:
> - permission name has changed from wxpage to execmem to more accurately
> represent the meaning,
> - always check this permission for any executable anonymous mapping,
> whether presently writable or not,
> - check this permission not only for a writable executable private file
> mapping, but also for an executable private file mapping that has been
> previously written (based on whether a COW has occurred for the
> mapping).
>
> This brings the check closer to the goal of controlling the ability to
> make executable a mapping that can contain data not covered by file
> permission checks.
>
> Constructive comments welcome.
I've attached the final form of the kernel patch (and a corresponding
policy patch) that is being committed to our tree. This patch differs
from the previous version in that it splits the single execmem
permission check into two separate permission checks:
1) a task->self execmem check for making executable anonymous mappings
and for making writable executable private file mappings, and
2) a task->file execmod check for making executable previously written
private file mappings (e.g. text relocations).
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
[-- Attachment #2: 05-execmem.patch --]
[-- Type: text/x-patch, Size: 3963 bytes --]
Index: linux-2.6/security/selinux/hooks.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
retrieving revision 1.139
diff -u -p -r1.139 hooks.c
--- linux-2.6/security/selinux/hooks.c 30 Nov 2004 17:39:08 -0000 1.139
+++ linux-2.6/security/selinux/hooks.c 30 Nov 2004 21:30:04 -0000
@@ -2465,6 +2465,17 @@ static int selinux_file_ioctl(struct fil
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
{
+ if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
+ /*
+ * We are making executable an anonymous mapping or a
+ * private file mapping that will also be writable.
+ * This has an additional check.
+ */
+ int rc = task_has_perm(current, current, PROCESS__EXECMEM);
+ if (rc)
+ return rc;
+ }
+
if (file) {
/* read access is always possible with a mapping */
u32 av = FILE__READ;
@@ -2502,6 +2513,18 @@ static int selinux_file_mprotect(struct
if (rc)
return rc;
+ if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
+ /*
+ * We are making executable a file mapping that has
+ * had some COW done. Since pages might have been written,
+ * check ability to execute the possibly modified content.
+ * This typically should only occur for text relocations.
+ */
+ int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
+ if (rc)
+ return rc;
+ }
+
return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
}
Index: linux-2.6/security/selinux/include/av_perm_to_string.h
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_perm_to_string.h,v
retrieving revision 1.18
diff -u -p -r1.18 av_perm_to_string.h
--- linux-2.6/security/selinux/include/av_perm_to_string.h 29 Nov 2004 21:37:36 -0000 1.18
+++ linux-2.6/security/selinux/include/av_perm_to_string.h 30 Nov 2004 21:32:19 -0000
@@ -16,6 +16,7 @@
S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
+ S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
S_(SECCLASS_FD, FD__USE, "use")
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
@@ -64,6 +65,7 @@
S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
+ S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
S_(SECCLASS_MSG, MSG__SEND, "send")
S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
Index: linux-2.6/security/selinux/include/av_permissions.h
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_permissions.h,v
retrieving revision 1.17
diff -u -p -r1.17 av_permissions.h
--- linux-2.6/security/selinux/include/av_permissions.h 29 Nov 2004 21:37:36 -0000 1.17
+++ linux-2.6/security/selinux/include/av_permissions.h 30 Nov 2004 21:32:19 -0000
@@ -105,6 +105,7 @@
#define FILE__EXECUTE_NO_TRANS 0x00020000UL
#define FILE__ENTRYPOINT 0x00040000UL
+#define FILE__EXECMOD 0x00080000UL
#define LNK_FILE__IOCTL 0x00000001UL
#define LNK_FILE__READ 0x00000002UL
@@ -458,6 +459,7 @@
#define PROCESS__RLIMITINH 0x00400000UL
#define PROCESS__DYNTRANSITION 0x00800000UL
#define PROCESS__SETCURRENT 0x01000000UL
+#define PROCESS__EXECMEM 0x02000000UL
#define IPC__CREATE 0x00000001UL
#define IPC__DESTROY 0x00000002UL
[-- Attachment #3: policy-execmem.patch --]
[-- Type: text/x-patch, Size: 4707 bytes --]
Index: policy/domains/program/modutil.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/modutil.te,v
retrieving revision 1.25
diff -u -r1.25 modutil.te
--- policy/domains/program/modutil.te 8 Nov 2004 20:58:16 -0000 1.25
+++ policy/domains/program/modutil.te 30 Nov 2004 21:30:27 -0000
@@ -123,7 +123,7 @@
allow insmod_t self:rawip_socket create_socket_perms;
allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config };
allow insmod_t domain:process signal;
-allow insmod_t self:process { fork signal_perms };
+allow insmod_t self:process { fork signal_perms execmem };
allow insmod_t device_t:dir search;
allow insmod_t etc_runtime_t:file { getattr read };
Index: policy/domains/program/unused/prelink.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/prelink.te,v
retrieving revision 1.14
diff -u -r1.14 prelink.te
--- policy/domains/program/unused/prelink.te 8 Nov 2004 20:58:18 -0000 1.14
+++ policy/domains/program/unused/prelink.te 30 Nov 2004 21:30:27 -0000
@@ -11,6 +11,8 @@
#
daemon_base_domain(prelink, `, admin')
+allow prelink_t self:process execmem;
+
allow prelink_t fs_t:filesystem getattr;
ifdef(`crond.te', `
Index: policy/domains/program/unused/udev.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/udev.te,v
retrieving revision 1.32
diff -u -r1.32 udev.te
--- policy/domains/program/unused/udev.te 8 Nov 2004 20:58:19 -0000 1.32
+++ policy/domains/program/unused/udev.te 1 Dec 2004 16:42:27 -0000
@@ -13,6 +13,9 @@
general_domain_access(udev_t)
+# for alsactl
+allow udev_t self:process execmem;
+
etc_domain(udev)
typealias udev_etc_t alias etc_udev_t;
type udev_helper_exec_t, file_type, sysadmfile, exec_type;
Index: policy/flask/access_vectors
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/flask/access_vectors,v
retrieving revision 1.16
diff -u -r1.16 access_vectors
--- policy/flask/access_vectors 29 Nov 2004 21:37:03 -0000 1.16
+++ policy/flask/access_vectors 30 Nov 2004 21:31:06 -0000
@@ -118,6 +118,7 @@
{
execute_no_trans
entrypoint
+ execmod
}
class lnk_file
@@ -242,6 +243,7 @@
rlimitinh
dyntransition
setcurrent
+ execmem
}
Index: policy/macros/base_user_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/base_user_macros.te,v
retrieving revision 1.39
diff -u -r1.39 base_user_macros.te
--- policy/macros/base_user_macros.te 29 Nov 2004 19:01:25 -0000 1.39
+++ policy/macros/base_user_macros.te 1 Dec 2004 16:43:02 -0000
@@ -33,6 +33,12 @@
# Grant permissions within the domain.
general_domain_access($1_t);
+# Allow loading DSOs that require executable stack.
+allow $1_t self:process execmem;
+
+# Allow text relocations on system shared libraries, e.g. libGL.
+allow $1_t shlib_t:file execmod;
+
#
# kdeinit wants this access
#
Index: policy/macros/core_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/core_macros.te,v
retrieving revision 1.27
diff -u -r1.27 core_macros.te
--- policy/macros/core_macros.te 29 Nov 2004 19:48:10 -0000 1.27
+++ policy/macros/core_macros.te 30 Nov 2004 21:31:46 -0000
@@ -627,9 +627,9 @@
#
define(`general_domain_access',`
# Access other processes in the same domain.
-# Omits ptrace, setcurrent, setexec, and setfscreate. These must be granted
-# separately if desired.
-allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit};
+# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, and execmem.
+# These must be granted separately if desired.
+allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem};
# Access /proc/PID files for processes in the same domain.
allow $1 self:dir r_dir_perms;
Index: policy/macros/program/xserver_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/xserver_macros.te,v
retrieving revision 1.38
diff -u -r1.38 xserver_macros.te
--- policy/macros/program/xserver_macros.te 19 Nov 2004 22:03:34 -0000 1.38
+++ policy/macros/program/xserver_macros.te 30 Nov 2004 21:30:27 -0000
@@ -58,6 +58,8 @@
# for access within the domain
general_domain_access($1_xserver_t)
+allow $1_xserver_t self:process execmem;
+
allow $1_xserver_t etc_runtime_t:file { getattr read };
ifelse($1, xdm, `
next prev parent reply other threads:[~2004-12-01 17:07 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-11-09 18:40 [RFC][PATCH] Control ability to have a writable executable mapping Stephen Smalley
2004-11-09 21:05 ` Stephen Smalley
2004-11-10 15:35 ` Stephen Smalley
2004-12-01 17:02 ` Stephen Smalley [this message]
2004-11-09 23:15 ` Joshua Brindle
2004-11-10 15:25 ` Stephen Smalley
2004-11-15 11:52 ` Russell Coker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1101920545.24332.44.camel@moss-spartans.epoch.ncsc.mil \
--to=sds@epoch.ncsc.mil \
--cc=cpebenito@tresys.com \
--cc=jbrindle@tresys.com \
--cc=kmacmillan@tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.