linux-kernel.vger.kernel.org archive mirror
From: Salvatore Mesoraca <s.mesoraca16@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	"kernel-hardening@lists.openwall.com" 
	<kernel-hardening@lists.openwall.com>,
	Brad Spengler <spender@grsecurity.net>,
	PaX Team <pageexec@freemail.hu>,
	Casey Schaufler <casey@schaufler-ca.com>,
	James Morris <james.l.morris@oracle.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Linux-MM <linux-mm@kvack.org>, "x86@kernel.org" <x86@kernel.org>,
	Jann Horn <jannh@google.com>,
	Christoph Hellwig <hch@infradead.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	John Johansen <john.johansen@canonical.com>
Subject: Re: [RFC v2 3/9] Creation of "check_vmflags" LSM hook
Date: Thu, 29 Jun 2017 21:28:11 +0200
Message-ID: <CAJHCu1JMdBCPgpL=vCqOKD1y4fK5Y3qoWOdXCy-qDw-ixV0Lmg@mail.gmail.com>
In-Reply-To: <CAGXu5jJTEoeGs8uBdHYdBJwacOp2b22ySrn-V8T93qaD4cv65A@mail.gmail.com>

2017-06-28 1:05 GMT+02:00 Kees Cook <keescook@chromium.org>:
> On Thu, Jun 15, 2017 at 9:42 AM, Salvatore Mesoraca
> <s.mesoraca16@gmail.com> wrote:
>> Creation of a new LSM hook to check if a given configuration of vmflags,
>> for a new memory allocation request, should be allowed or not.
>> It's placed in "do_mmap", "do_brk_flags" and "__install_special_mapping".
>
> I like this. I think this is something the other LSMs should be
> checking too. (Though I wonder if it would be helpful to include the
> VMA in the hook, though it does exist yet, so... hmm.)

For the particular case of my LSM and the type of check it does, the VMA
isn't needed, of course.
Maybe some other LSM can benefit from it, but it depends on what they
want to do with this hook.
Looking forward to feedback from potential future users.
Thank you for your interest.

Salvatore

Thread overview: 21+ messages
2017-06-15 16:42 [RFC v2 0/9] S.A.R.A. a new stacked LSM Salvatore Mesoraca
2017-06-15 16:42 ` [RFC v2 1/9] S.A.R.A. Documentation Salvatore Mesoraca
2017-06-15 16:42 ` [RFC v2 2/9] S.A.R.A. framework creation Salvatore Mesoraca
2017-06-15 16:42 ` [RFC v2 3/9] Creation of "check_vmflags" LSM hook Salvatore Mesoraca
2017-06-27 23:05   ` Kees Cook
2017-06-29 19:28     ` Salvatore Mesoraca [this message]
2017-06-15 16:42 ` [RFC v2 4/9] S.A.R.A. cred blob management Salvatore Mesoraca
2017-06-15 16:42 ` [RFC v2 5/9] S.A.R.A. WX Protection Salvatore Mesoraca
2017-06-27 23:04   ` Kees Cook
2017-06-29 19:39     ` Salvatore Mesoraca
2017-06-15 16:42 ` [RFC v2 6/9] Creation of "pagefault_handler_x86" LSM hook Salvatore Mesoraca
2017-06-27 23:07   ` Kees Cook
2017-06-29 19:30     ` Salvatore Mesoraca
2017-06-29 20:20       ` Kees Cook
2017-06-15 16:42 ` [RFC v2 7/9] Trampoline emulation Salvatore Mesoraca
2017-06-15 16:47   ` [kernel-hardening] " aconcernedfossdev
2017-06-15 17:19     ` Salvatore Mesoraca
2017-06-27 23:13   ` Kees Cook
2017-06-29 19:35     ` Salvatore Mesoraca
2017-06-15 16:42 ` [RFC v2 8/9] Allowing for stacking procattr support in S.A.R.A Salvatore Mesoraca
2017-06-15 16:42 ` [RFC v2 9/9] S.A.R.A. WX Protection procattr interface Salvatore Mesoraca
