From: Randy Dunlap <firstname.lastname@example.org> To: Salvatore Mesoraca <email@example.com>, firstname.lastname@example.org Cc: email@example.com, firstname.lastname@example.org, email@example.com, Alexander Viro <firstname.lastname@example.org>, Brad Spengler <email@example.com>, Casey Schaufler <firstname.lastname@example.org>, Christoph Hellwig <email@example.com>, James Morris <firstname.lastname@example.org>, Jann Horn <email@example.com>, Kees Cook <firstname.lastname@example.org>, PaX Team <email@example.com>, "Serge E. Hallyn" <firstname.lastname@example.org>, Thomas Gleixner <email@example.com> Subject: Re: [PATCH v5 01/12] S.A.R.A.: add documentation Date: Sat, 6 Jul 2019 10:14:24 -0700 [thread overview] Message-ID: <firstname.lastname@example.org> (raw) In-Reply-To: <email@example.com> Hi, Just a few typo fixes (inline). On 7/6/19 3:54 AM, Salvatore Mesoraca wrote: > Adding documentation for S.A.R.A. LSM. > > Signed-off-by: Salvatore Mesoraca <firstname.lastname@example.org> > --- > Documentation/admin-guide/LSM/SARA.rst | 177 ++++++++++++++++++++++++ > Documentation/admin-guide/LSM/index.rst | 1 + > Documentation/admin-guide/kernel-parameters.txt | 24 ++++ > 3 files changed, 202 insertions(+) > create mode 100644 Documentation/admin-guide/LSM/SARA.rst > > diff --git a/Documentation/admin-guide/LSM/SARA.rst b/Documentation/admin-guide/LSM/SARA.rst > new file mode 100644 > index 0000000..fdde04c > --- /dev/null > +++ b/Documentation/admin-guide/LSM/SARA.rst > @@ -0,0 +1,177 @@ > +.. SPDX-License-Identifier: GPL-2.0 > + > +======== > +S.A.R.A. > +======== > + > +S.A.R.A. (S.A.R.A. is Another Recursive Acronym) is a stacked Linux Security > +Module that aims to collect heterogeneous security measures, providing a common > +interface to manage them. > +As of today it consists of one submodule: > + > +- WX Protection > + > + > +The kernel-space part is complemented by its user-space counterpart: `saractl` > +_. > +A test suite for WX Protection, called `sara-test` _, is also available. > +More information about where to find these tools and the full S.A.R.A. > +documentation are in the `External Links and Documentation`_ section. > + > +------------------------------------------------------------------------------- > + > +S.A.R.A.'s Submodules > +===================== > + > +WX Protection > +------------- > +WX Protection aims to improve user-space programs security by applying: > + > +- `W^X enforcement`_ > +- `W!->X (once writable never executable) mprotect restriction`_ > +- `Executable MMAP prevention`_ > + > +All of the above features can be enabled or disabled both system wide > +or on a per executable basis through the use of configuration files managed by > +`saractl` _. > + > +It is important to note that some programs may have issues working with > +WX Protection. In particular: > + > +- **W^X enforcement** will cause problems to any programs that needs > + memory pages mapped both as writable and executable at the same time e.g. > + programs with executable stack markings in the *PT_GNU_STACK* segment. > +- **W!->X mprotect restriction** will cause problems to any program that > + needs to generate executable code at run time or to modify executable > + pages e.g. programs with a *JIT* compiler built-in or linked against a > + *non-PIC* library. > +- **Executable MMAP prevention** can work only with programs that have at least > + partial *RELRO* support. It's disabled automatically for programs that > + lack this feature. It will cause problems to any program that uses *dlopen* > + or tries to do an executable mmap. Unfortunately this feature is the one > + that could create most problems and should be enabled only after careful > + evaluation. > + > +To extend the scope of the above features, despite the issues that they may > +cause, they are complemented by **/proc/PID/attr/sara/wxprot** interface > +and **trampoline emulation**. > + > +At the moment, WX Protection (unless specified otherwise) should work on > +any architecture supporting the NX bit, including, but not limited to: > +`x86_64`, `x86_32` (with PAE), `ARM` and `ARM64`. > + > +Parts of WX Protection are inspired by some of the features available in PaX. > + > +For further information about configuration file format and user-space > +utilities please take a look at the full documentation _. > + > +W^X enforcement > +^^^^^^^^^^^^^^^ > +W^X means that a program can't have a page of memory that is marked, at the > +same time, writable and executable. This also allow to detect many bad allows > +behaviours that make life much more easy for attackers. Programs running with > +this feature enabled will be more difficult to exploit in the case they are > +affected by some vulnerabilities, because the attacker will be forced > +to make more steps in order to exploit them. > +This feature also blocks accesses to /proc/*/mem files that would allow to > +write the current process read-only memory, bypassing any protection. > + > +W!->X (once writable never executable) mprotect restriction > +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > +"Once writable never executable" means that any page that could have been > +marked as writable in the past won't ever be allowed to be marked (e.g. via > +an mprotect syscall) as executable. > +This goes on the same track as W^X, but is much stricter and prevents > +the runtime creation of new executable code in memory. > +Obviously, this feature does not prevent a program from creating a new file and > +*mmapping* it as executable, however, it will be way more difficult for > +attackers to exploit vulnerabilities if this feature is enabled. > + > +Executable MMAP prevention > +^^^^^^^^^^^^^^^^^^^^^^^^^^ > +This feature prevents the creation of new executable mmaps after the dynamic > +libraries have been loaded. When used in combination with **W!->X mprotect > +restriction** this feature will completely prevent the creation of new > +executable code from the current thread. > +Obviously, this feature does not prevent cases in which an attacker uses an > +*execve* to start a completely new program. This kind of restriction, if > +needed, can be applied using one of the other LSM that focuses on MAC. LSMs > +Please be aware that this feature can break many programs and so it should be > +enabled after careful evaluation. > + > +/proc/PID/attr/sara/wxprot interface > +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > +The `procattr` interface can be used by a thread to discover which > +WX Protection features are enabled and/or to tighten them: protection > +can't be softened via procattr. > +The interface is simple: it's a text file with an hexadecimal with a > +number in it representing enabled features (more information can be > +found in the `Flags values`_ section). Via this interface it is also > +possible to perform a complete memory scan to remove the write permission > +from pages that are both writable and executable, please note that this > +change will also affect other threads of the same process. [snip] cheers. -- ~Randy
next prev parent reply other threads:[~2019-07-06 17:14 UTC|newest] Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-07-06 10:54 [PATCH v5 00/12] S.A.R.A. a new stacked LSM Salvatore Mesoraca 2019-07-06 10:54 ` [PATCH v5 01/12] S.A.R.A.: add documentation Salvatore Mesoraca 2019-07-06 17:14 ` Randy Dunlap [this message] 2019-07-06 17:32 ` Salvatore Mesoraca 2019-07-13 0:14 ` James Morris 2019-07-06 10:54 ` [PATCH v5 02/12] S.A.R.A.: create framework Salvatore Mesoraca 2019-07-06 15:29 ` Randy Dunlap 2019-07-06 10:54 ` [PATCH v5 03/12] S.A.R.A.: cred blob management Salvatore Mesoraca 2019-07-12 23:35 ` James Morris 2019-07-06 10:54 ` [PATCH v5 04/12] S.A.R.A.: generic DFA for string matching Salvatore Mesoraca 2019-07-06 18:32 ` Jann Horn 2019-07-07 16:01 ` Salvatore Mesoraca 2019-07-08 17:37 ` Jann Horn 2019-10-06 16:49 ` Salvatore Mesoraca 2019-10-07 12:40 ` Jann Horn 2019-07-06 10:54 ` [PATCH v5 05/12] LSM: creation of "check_vmflags" LSM hook Salvatore Mesoraca 2019-07-06 10:54 ` [PATCH v5 06/12] S.A.R.A.: WX protection Salvatore Mesoraca 2019-07-06 15:38 ` Randy Dunlap 2019-07-06 19:28 ` Al Viro 2019-07-07 15:49 ` Salvatore Mesoraca 2019-07-09 4:51 ` Kees Cook 2019-07-08 12:42 ` David Laight 2019-07-06 10:54 ` [PATCH v5 07/12] LSM: creation of "pagefault_handler" LSM hook Salvatore Mesoraca 2019-07-06 10:54 ` [PATCH v5 08/12] S.A.R.A.: trampoline emulation Salvatore Mesoraca 2019-07-06 15:31 ` Randy Dunlap 2019-07-06 10:54 ` [PATCH v5 09/12] S.A.R.A.: WX protection procattr interface Salvatore Mesoraca 2019-07-06 10:54 ` [PATCH v5 10/12] S.A.R.A.: XATTRs support Salvatore Mesoraca 2019-07-06 10:54 ` [PATCH v5 11/12] S.A.R.A.: /proc/*/mem write limitation Salvatore Mesoraca 2019-07-06 18:20 ` Jann Horn 2019-07-07 16:15 ` Salvatore Mesoraca 2019-07-06 10:54 ` [PATCH v5 12/12] MAINTAINERS: take maintainership for S.A.R.A Salvatore Mesoraca 2019-07-06 14:33 ` [PATCH v5 00/12] S.A.R.A. a new stacked LSM Jordan Glover 2019-07-06 15:02 ` Salvatore Mesoraca 2019-07-07 1:16 ` James Morris 2019-07-07 15:40 ` Salvatore Mesoraca
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --subject='Re: [PATCH v5 01/12] S.A.R.A.: add documentation' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).