Date: Thu, 3 Nov 2016 04:10:08 +0100
From: Jann Horn
To: security@kernel.org, Alexander Viro, Paul Moore, Stephen Smalley, Eric Paris, James Morris, "Serge E. Hallyn", mchong@google.com, Andy Lutomirski, Ingo Molnar, Oleg Nesterov, Nick Kralevich, Janis Danisevskis
Cc: linux-security-module@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 2/3] mm: add LSM hook for writes to readonly memory
Message-ID: <20161103031008.GC13748@pc.thejh.net>
References: <1478142286-18427-1-git-send-email-jann@thejh.net> <1478142286-18427-5-git-send-email-jann@thejh.net>
In-Reply-To: <1478142286-18427-5-git-send-email-jann@thejh.net>

On Thu, Nov 03, 2016 at 04:04:45AM +0100, Jann Horn wrote:
> SELinux attempts to make it possible to whitelist trustworthy sources of
> code that may be mapped into memory, and Android makes use of this feature.
> To prevent an attacker from bypassing this by modifying R+X memory through
> /proc/$pid/mem, PTRACE_POKETEXT or DMA, it is necessary to call a security
> hook in check_vma_flags().
> 
> PTRACE_POKETEXT can also be mitigated by blocking ptrace access, and
> /proc/$pid/mem can also be blocked at the VFS layer, but DMA is harder to
> deal with: Some driver functions (e.g. videobuf_dma_init_user_locked)
> write to user-specified DMA mappings even if those mappings are readonly
> or R+X.

Whoops, sorry for sending that twice. :/

A comment regarding the whole series: I'm not entirely sure whether this is
the best way to fix this after all. It's quite a bit of code churn, but it
has the benefit of having a single check in a central place.

As an alternative to this patch, it might be possible to break the ABIs of
the drivers that access DMA buffers with FOLL_FORCE by simply removing
FOLL_FORCE from those drivers. However, I'm not sure how much that would
break existing userspace code.
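The /proc/$pid/mem write path that the quoted commit message names is easy to see from userspace. The following is an added example, not code from the patch series or from Jann Horn: it maps a page as PROT_READ|PROT_EXEC, shows that an ordinary kernel-to-user copy (read() from /dev/zero into the page) is refused with EFAULT, and then writes the same page through /proc/self/mem, which goes through get_user_pages() with FOLL_FORCE and therefore succeeds on a stock mainline kernel without a hook in check_vma_flags(). The demo_* function names, the return codes and the 0xc3 filler (x86 "ret", only there so the page looks like code) are my own choices; the example assumes Linux with the usual procfs and a private anonymous mapping.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcomes of demo_proc_mem_write() (names chosen for this example). */
#define DEMO_BYPASSED  1   /* pwrite() to /proc/self/mem changed the R+X page */
#define DEMO_BLOCKED   0   /* the kernel refused the write (pwrite() failed) */
#define DEMO_ERROR    -1   /* setup failure (mmap/mprotect/open), not a policy result */

/* Map one private anonymous page, fill it with 0xc3 ("ret" on x86, a stand-in
 * for code) and flip it to PROT_READ|PROT_EXEC so it resembles a code page
 * that an execmem-style policy wants to keep immutable. Caller unmaps it. */
static unsigned char *map_rx_page(long page)
{
    unsigned char *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memset(p, 0xc3, page);
    if (mprotect(p, page, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, page);
        return NULL;
    }
    return p;
}

/* Ordinary kernel writes into user memory go through copy_to_user(), which
 * honours the VMA protection: read()ing /dev/zero into an R+X page fails.
 * Returns the errno observed (expected: EFAULT), 0 if the read succeeded,
 * or -1 on setup failure. */
int demo_normal_write_refused(void)
{
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *rx = map_rx_page(page);
    if (rx == NULL)
        return -1;
    int fd = open("/dev/zero", O_RDONLY);
    if (fd < 0) {
        munmap(rx, page);
        return -1;
    }
    int err = 0;
    if (read(fd, rx, 4) < 0)
        err = errno;
    close(fd);
    munmap(rx, page);
    return err;
}

/* The /proc/$pid/mem path instead uses get_user_pages() with FOLL_FORCE,
 * which breaks COW on a private mapping even though VM_WRITE is clear, so
 * the same bytes land in the R+X page. This is the write that a hook in
 * check_vma_flags() would let an LSM veto. */
int demo_proc_mem_write(void)
{
    static const unsigned char new_bytes[4] = {0xde, 0xad, 0xbe, 0xef};
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *rx = map_rx_page(page);
    if (rx == NULL)
        return DEMO_ERROR;

    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0) {
        munmap(rx, page);
        return DEMO_ERROR;
    }

    /* The file offset in /proc/self/mem is the virtual address. */
    ssize_t n = pwrite(fd, new_bytes, sizeof new_bytes, (off_t)(uintptr_t)rx);
    int result = DEMO_BLOCKED;
    if (n == (ssize_t)sizeof new_bytes &&
        memcmp(rx, new_bytes, sizeof new_bytes) == 0)
        result = DEMO_BYPASSED;   /* R+X page now holds de ad be ef */

    close(fd);
    munmap(rx, page);
    return result;
}

int main(void)
{
    printf("read(/dev/zero) into R+X page: errno %d (EFAULT is %d)\n",
           demo_normal_write_refused(), EFAULT);
    printf("pwrite() via /proc/self/mem: %s\n",
           demo_proc_mem_write() == DEMO_BYPASSED ? "bypassed the protection"
                                                  : "blocked");
    return 0;
}
```

Writing /proc/self/mem needs no ptrace permission because the opener is the target itself, which is why a VFS-level or ptrace-scope restriction alone does not close this path for a compromised process; the same FOLL_FORCE semantics are what the quoted message says the DMA drivers rely on, where there is no file to block at all.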