From: Igor Stoppa <igor.stoppa@huawei.com>
To: <keescook@chromium.org>, <mhocko@kernel.org>, <jmorris@namei.org>,
<labbott@redhat.com>
Cc: <penguin-kernel@I-love.SAKURA.ne.jp>, <paul@paul-moore.com>,
<sds@tycho.nsa.gov>, <casey@schaufler-ca.com>,
<hch@infradead.org>, <linux-security-module@vger.kernel.org>,
<linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>,
<kernel-hardening@lists.openwall.com>,
"Igor Stoppa" <igor.stoppa@huawei.com>
Subject: [PATCH v7 0/3] ro protection for dynamic data
Date: Mon, 26 Jun 2017 17:41:13 +0300 [thread overview]
Message-ID: <20170626144116.27599-1-igor.stoppa@huawei.com> (raw)
Hi,
please consider for inclusion.
This patch introduces the possibility of protecting memory that has
been allocated dynamically.
The memory is managed in pools: when a pool is made R/O, all the memory
that is part of it, will become R/O.
A R/O pool can be destroyed to recover its memory, but it cannot be
turned back into R/W mode.
This is intentional. This feature is meant for data that doesn't need
further modifications, after initialization.
An example is provided, showing how to turn into a boot-time option the
writable state of the security hooks.
Prior to this patch, it was a compile-time option.
This is made possible, thanks to Tetsuo Handa's rework of the hooks
structure (included in the patchset).
Changes since the v6 version:
- complete rewrite, to use the genalloc library
- added sysfs interface for tracking of active pools
The only question still open is if there should be a possibility for
unprotecting a memory pool in other cases than destruction.
The only cases found for this topic are:
- protecting the LSM header structure between creation and insertion of a
security module that was not built as part of the kernel
(but the module can protect the headers after it has loaded)
- unloading SELinux from RedHat, if the system has booted, but no policy
has been loaded yet - this feature is going away, according to Casey.
Igor Stoppa (2):
Protectable memory support
Make LSM Writable Hooks a command line option
Tetsuo Handa (1):
LSM: Convert security_hook_heads into explicit array of struct
list_head
arch/Kconfig | 1 +
include/linux/lsm_hooks.h | 420 ++++++++++++++++++++---------------------
include/linux/page-flags.h | 2 +
include/linux/pmalloc.h | 111 +++++++++++
include/trace/events/mmflags.h | 1 +
init/main.c | 2 +
lib/Kconfig | 1 +
lib/genalloc.c | 4 +-
mm/Makefile | 1 +
mm/pmalloc.c | 346 +++++++++++++++++++++++++++++++++
mm/usercopy.c | 24 ++-
security/security.c | 49 +++--
12 files changed, 726 insertions(+), 236 deletions(-)
create mode 100644 include/linux/pmalloc.h
create mode 100644 mm/pmalloc.c
--
2.9.3
WARNING: multiple messages have this Message-ID (diff)
From: igor.stoppa@huawei.com (Igor Stoppa)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v7 0/3] ro protection for dynamic data
Date: Mon, 26 Jun 2017 17:41:13 +0300 [thread overview]
Message-ID: <20170626144116.27599-1-igor.stoppa@huawei.com> (raw)
Hi,
please consider for inclusion.
This patch introduces the possibility of protecting memory that has
been allocated dynamically.
The memory is managed in pools: when a pool is made R/O, all the memory
that is part of it, will become R/O.
A R/O pool can be destroyed to recover its memory, but it cannot be
turned back into R/W mode.
This is intentional. This feature is meant for data that doesn't need
further modifications, after initialization.
An example is provided, showing how to turn into a boot-time option the
writable state of the security hooks.
Prior to this patch, it was a compile-time option.
This is made possible, thanks to Tetsuo Handa's rework of the hooks
structure (included in the patchset).
Changes since the v6 version:
- complete rewrite, to use the genalloc library
- added sysfs interface for tracking of active pools
The only question still open is if there should be a possibility for
unprotecting a memory pool in other cases than destruction.
The only cases found for this topic are:
- protecting the LSM header structure between creation and insertion of a
security module that was not built as part of the kernel
(but the module can protect the headers after it has loaded)
- unloading SELinux from RedHat, if the system has booted, but no policy
has been loaded yet - this feature is going away, according to Casey.
Igor Stoppa (2):
Protectable memory support
Make LSM Writable Hooks a command line option
Tetsuo Handa (1):
LSM: Convert security_hook_heads into explicit array of struct
list_head
arch/Kconfig | 1 +
include/linux/lsm_hooks.h | 420 ++++++++++++++++++++---------------------
include/linux/page-flags.h | 2 +
include/linux/pmalloc.h | 111 +++++++++++
include/trace/events/mmflags.h | 1 +
init/main.c | 2 +
lib/Kconfig | 1 +
lib/genalloc.c | 4 +-
mm/Makefile | 1 +
mm/pmalloc.c | 346 +++++++++++++++++++++++++++++++++
mm/usercopy.c | 24 ++-
security/security.c | 49 +++--
12 files changed, 726 insertions(+), 236 deletions(-)
create mode 100644 include/linux/pmalloc.h
create mode 100644 mm/pmalloc.c
--
2.9.3
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Igor Stoppa <igor.stoppa@huawei.com>
To: keescook@chromium.org, mhocko@kernel.org, jmorris@namei.org,
labbott@redhat.com
Cc: penguin-kernel@I-love.SAKURA.ne.jp, paul@paul-moore.com,
sds@tycho.nsa.gov, casey@schaufler-ca.com, hch@infradead.org,
linux-security-module@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Igor Stoppa <igor.stoppa@huawei.com>
Subject: [PATCH v7 0/3] ro protection for dynamic data
Date: Mon, 26 Jun 2017 17:41:13 +0300 [thread overview]
Message-ID: <20170626144116.27599-1-igor.stoppa@huawei.com> (raw)
Hi,
please consider for inclusion.
This patch introduces the possibility of protecting memory that has
been allocated dynamically.
The memory is managed in pools: when a pool is made R/O, all the memory
that is part of it, will become R/O.
A R/O pool can be destroyed to recover its memory, but it cannot be
turned back into R/W mode.
This is intentional. This feature is meant for data that doesn't need
further modifications, after initialization.
An example is provided, showing how to turn into a boot-time option the
writable state of the security hooks.
Prior to this patch, it was a compile-time option.
This is made possible, thanks to Tetsuo Handa's rework of the hooks
structure (included in the patchset).
Changes since the v6 version:
- complete rewrite, to use the genalloc library
- added sysfs interface for tracking of active pools
The only question still open is if there should be a possibility for
unprotecting a memory pool in other cases than destruction.
The only cases found for this topic are:
- protecting the LSM header structure between creation and insertion of a
security module that was not built as part of the kernel
(but the module can protect the headers after it has loaded)
- unloading SELinux from RedHat, if the system has booted, but no policy
has been loaded yet - this feature is going away, according to Casey.
Igor Stoppa (2):
Protectable memory support
Make LSM Writable Hooks a command line option
Tetsuo Handa (1):
LSM: Convert security_hook_heads into explicit array of struct
list_head
arch/Kconfig | 1 +
include/linux/lsm_hooks.h | 420 ++++++++++++++++++++---------------------
include/linux/page-flags.h | 2 +
include/linux/pmalloc.h | 111 +++++++++++
include/trace/events/mmflags.h | 1 +
init/main.c | 2 +
lib/Kconfig | 1 +
lib/genalloc.c | 4 +-
mm/Makefile | 1 +
mm/pmalloc.c | 346 +++++++++++++++++++++++++++++++++
mm/usercopy.c | 24 ++-
security/security.c | 49 +++--
12 files changed, 726 insertions(+), 236 deletions(-)
create mode 100644 include/linux/pmalloc.h
create mode 100644 mm/pmalloc.c
--
2.9.3
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Igor Stoppa <igor.stoppa@huawei.com>
To: keescook@chromium.org, mhocko@kernel.org, jmorris@namei.org,
labbott@redhat.com
Cc: penguin-kernel@I-love.SAKURA.ne.jp, paul@paul-moore.com,
sds@tycho.nsa.gov, casey@schaufler-ca.com, hch@infradead.org,
linux-security-module@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Igor Stoppa <igor.stoppa@huawei.com>
Subject: [kernel-hardening] [PATCH v7 0/3] ro protection for dynamic data
Date: Mon, 26 Jun 2017 17:41:13 +0300 [thread overview]
Message-ID: <20170626144116.27599-1-igor.stoppa@huawei.com> (raw)
Hi,
please consider for inclusion.
This patch introduces the possibility of protecting memory that has
been allocated dynamically.
The memory is managed in pools: when a pool is made R/O, all the memory
that is part of it, will become R/O.
A R/O pool can be destroyed to recover its memory, but it cannot be
turned back into R/W mode.
This is intentional. This feature is meant for data that doesn't need
further modifications, after initialization.
An example is provided, showing how to turn into a boot-time option the
writable state of the security hooks.
Prior to this patch, it was a compile-time option.
This is made possible, thanks to Tetsuo Handa's rework of the hooks
structure (included in the patchset).
Changes since the v6 version:
- complete rewrite, to use the genalloc library
- added sysfs interface for tracking of active pools
The only question still open is if there should be a possibility for
unprotecting a memory pool in other cases than destruction.
The only cases found for this topic are:
- protecting the LSM header structure between creation and insertion of a
security module that was not built as part of the kernel
(but the module can protect the headers after it has loaded)
- unloading SELinux from RedHat, if the system has booted, but no policy
has been loaded yet - this feature is going away, according to Casey.
Igor Stoppa (2):
Protectable memory support
Make LSM Writable Hooks a command line option
Tetsuo Handa (1):
LSM: Convert security_hook_heads into explicit array of struct
list_head
arch/Kconfig | 1 +
include/linux/lsm_hooks.h | 420 ++++++++++++++++++++---------------------
include/linux/page-flags.h | 2 +
include/linux/pmalloc.h | 111 +++++++++++
include/trace/events/mmflags.h | 1 +
init/main.c | 2 +
lib/Kconfig | 1 +
lib/genalloc.c | 4 +-
mm/Makefile | 1 +
mm/pmalloc.c | 346 +++++++++++++++++++++++++++++++++
mm/usercopy.c | 24 ++-
security/security.c | 49 +++--
12 files changed, 726 insertions(+), 236 deletions(-)
create mode 100644 include/linux/pmalloc.h
create mode 100644 mm/pmalloc.c
--
2.9.3
next reply other threads:[~2017-06-26 14:43 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-26 14:41 Igor Stoppa [this message]
2017-06-26 14:41 ` [kernel-hardening] [PATCH v7 0/3] ro protection for dynamic data Igor Stoppa
2017-06-26 14:41 ` Igor Stoppa
2017-06-26 14:41 ` Igor Stoppa
2017-06-26 14:41 ` [PATCH 1/3] Protectable memory support Igor Stoppa
2017-06-26 14:41 ` [kernel-hardening] " Igor Stoppa
2017-06-26 14:41 ` Igor Stoppa
2017-06-26 14:41 ` Igor Stoppa
2017-06-27 3:17 ` kbuild test robot
2017-06-27 3:17 ` [kernel-hardening] " kbuild test robot
2017-06-27 3:17 ` kbuild test robot
2017-06-27 3:17 ` kbuild test robot
2017-06-27 3:55 ` kbuild test robot
2017-06-27 3:55 ` [kernel-hardening] " kbuild test robot
2017-06-27 3:55 ` kbuild test robot
2017-06-27 3:55 ` kbuild test robot
2017-06-26 14:41 ` [PATCH 2/3] LSM: Convert security_hook_heads into explicit array of struct list_head Igor Stoppa
2017-06-26 14:41 ` [kernel-hardening] " Igor Stoppa
2017-06-26 14:41 ` Igor Stoppa
2017-06-26 14:41 ` Igor Stoppa
2017-06-26 14:41 ` [PATCH 3/3] Make LSM Writable Hooks a command line option Igor Stoppa
2017-06-26 14:41 ` [kernel-hardening] " Igor Stoppa
2017-06-26 14:41 ` Igor Stoppa
2017-06-26 14:41 ` Igor Stoppa
2017-06-27 5:07 ` kbuild test robot
2017-06-27 5:07 ` [kernel-hardening] " kbuild test robot
2017-06-27 5:07 ` kbuild test robot
2017-06-27 5:07 ` kbuild test robot
2017-06-27 6:48 ` kbuild test robot
2017-06-27 6:48 ` [kernel-hardening] " kbuild test robot
2017-06-27 6:48 ` kbuild test robot
2017-06-27 6:48 ` kbuild test robot
2017-06-29 2:26 ` 7361ce7529: BUG:sleeping_function_called_from_invalid_context_at_mm/slab.h kernel test robot
2017-06-29 2:26 ` kernel test robot
2017-06-29 2:26 ` [kernel-hardening] " kernel test robot
2017-06-29 2:26 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170626144116.27599-1-igor.stoppa@huawei.com \
--to=igor.stoppa@huawei.com \
--cc=casey@schaufler-ca.com \
--cc=hch@infradead.org \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mhocko@kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.