linux-kernel.vger.kernel.org archive mirror
* selinux: should execmem disable shmat(..., SHM_EXEC)?
From: Topi Miettinen @ 2016-10-26 20:31 UTC
  To: Paul Moore, Eric Paris, James Morris, Serge E. Hallyn,
	moderated list:SELINUX SECURITY MODULE,
	open list:SECURITY SUBSYSTEM, open list, Stephen Smalley

Hi,

Maybe this is a stupid question and I didn't test this with SELinux, but
it looks to me that SELinux execmem does not prevent a process from
getting writable and executable memory mappings by using shmat(...,
SHM_EXEC). Shouldn't this be blocked by execmem? I suppose it is there
to prevent this kind of memory access.

Here's a test program:
#include <sys/ipc.h>
#include <sys/shm.h>

int main(void) {
        int shmid;
        char *execmem;
        void (*fn)(void);

        shmid = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0777);
        execmem = shmat(shmid, 0, SHM_EXEC);
        shmctl(shmid, IPC_RMID, 0);
        *execmem = 0xc3; // retq
        fn = (void (*)(void))execmem;
        fn();
        shmdt(execmem);
}

-Topi


* Re: selinux: should execmem disable shmat(..., SHM_EXEC)?
From: Stephen Smalley @ 2016-10-27 13:01 UTC
  To: Topi Miettinen, Paul Moore, Eric Paris, James Morris,
	Serge E. Hallyn, moderated list:SELINUX SECURITY MODULE,
	open list:SECURITY SUBSYSTEM, open list

On 10/26/2016 04:31 PM, Topi Miettinen wrote:
> Hi,
> 
> Maybe this is a stupid question and I didn't test this with SELinux, but
> it looks to me that SELinux execmem does not prevent a process from
> getting writable and executable memory mappings by using shmat(...,
> SHM_EXEC). Shouldn't this be blocked by execmem? I suppose it is there
> to prevent this kind of memory access.
> 
> Here's a test program:
> #include <sys/ipc.h>
> #include <sys/shm.h>
> 
> int main(void) {
>         int shmid;
>         char *execmem;
>         void (*fn)(void);
> 
>         shmid = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0777);
>         execmem = shmat(shmid, 0, SHM_EXEC);
>         shmctl(shmid, IPC_RMID, 0);
>         *execmem = 0xc3; // retq
>         fn = (void (*)(void))execmem;
>         fn();
>         shmdt(execmem);
> }
> 
> -Topi
> 

The test program fails with a seg fault and a SELinux avc denial for
execmem permission when run in a domain that lacks execmem permission.
Thanks though for the test; I'll add it to the selinux testsuite to
ensure we don't regress in this area.
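
Added example, not part of the thread and not the selinux testsuite's code: a non-crashing form of the check discussed above. It attaches a private SysV segment once read-write and once with SHM_EXEC and reports whether each attach was granted, without ever writing to or executing the mapping. The names probe_shm_attach, probe_name and enum probe_result are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Hypothetical names, chosen for this example only. */
enum probe_result { PROBE_SETUP_FAILED = -1, PROBE_REFUSED = 0, PROBE_GRANTED = 1 };

static const char *probe_name(enum probe_result r)
{
    switch (r) {
    case PROBE_GRANTED: return "granted";
    case PROBE_REFUSED: return "refused";
    default:            return "setup failed";
    }
}

/*
 * Attach a fresh private segment with the given shmat() flags.
 * Without SHM_RDONLY the mapping is writable, so SHM_EXEC asks for W+X.
 * Mode 0700: an SHM_EXEC attach also needs the segment's execute bit.
 * On return *err is 0 when granted, else the errno of the failing call.
 */
static enum probe_result probe_shm_attach(int shmflg, int *err)
{
    int shmid = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0700);
    if (shmid < 0) {
        *err = errno;
        return PROBE_SETUP_FAILED;
    }
    void *p = shmat(shmid, NULL, shmflg);
    *err = (p == (void *)-1) ? errno : 0;
    shmctl(shmid, IPC_RMID, NULL);  /* segment is freed after last detach */
    if (p == (void *)-1)
        return PROBE_REFUSED;
    shmdt(p);
    return PROBE_GRANTED;
}

int main(void)
{
    int e_rw, e_rwx;
    enum probe_result rw  = probe_shm_attach(0, &e_rw);         /* baseline */
    enum probe_result rwx = probe_shm_attach(SHM_EXEC, &e_rwx); /* W+X */
    printf("rw:  %s (%s)\n", probe_name(rw),  strerror(e_rw));
    printf("rwx: %s (%s)\n", probe_name(rwx), strerror(e_rwx));
    /* Exit 0 only when plain attach works and the W+X attach is refused. */
    return (rw == PROBE_GRANTED && rwx == PROBE_REFUSED) ? 0 : 1;
}
```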
