Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756463AbcKCKj2 (ORCPT ); Thu, 3 Nov 2016 06:39:28 -0400 Received: from thejh.net ([37.221.195.125]:35511 "EHLO thejh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751382AbcKCKj1 (ORCPT ); Thu, 3 Nov 2016 06:39:27 -0400 Date: Thu, 3 Nov 2016 11:39:23 +0100 From: Jann Horn To: security@kernel.org, Alexander Viro , Paul Moore , Stephen Smalley , Eric Paris , James Morris , "Serge E. Hallyn" , mchong@google.com, Andy Lutomirski , Ingo Molnar , Oleg Nesterov , Nick Kralevich , Janis Danisevskis Cc: linux-security-module@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 2/3] mm: add LSM hook for writes to readonly memory Message-ID: <20161103103922.GD13748@pc.thejh.net> References: <1478142286-18427-1-git-send-email-jann@thejh.net> <1478142286-18427-2-git-send-email-jann@thejh.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="UfEAyuTBtIjiZzX6" Content-Disposition: inline In-Reply-To: <1478142286-18427-2-git-send-email-jann@thejh.net> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2802 Lines: 68 --UfEAyuTBtIjiZzX6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Nov 03, 2016 at 04:04:42AM +0100, Jann Horn wrote: > SELinux attempts to make it possible to whitelist trustworthy sources of > code that may be mapped into memory, and Android makes use of this featur= e. > To prevent an attacker from bypassing this by modifying R+X memory through > /proc/$pid/mem, PTRACE_POKETEXT or DMA, it is necessary to call a security > hook in check_vma_flags(). >=20 > PTRACE_POKETEXT can also be mitigated by blocking ptrace access, and > /proc/$pid/mem can also be blocked at the VFS layer, but DMA is harder to > deal with: Some driver functions (e.g. videobuf_dma_init_user_locked) > write to user-specified DMA mappings even if those mappings are readonly > or R+X. >=20 > The new security hook security_forced_write() takes three arguments: >=20 > - The modified VMA, so the security check can e.g. test for executabilit= y. > - The subject performing the access. For remote accesses, this may be > different from the target of the access. This can e.g. be used to crea= te > a security policy that permits a privileged debugger to set software > breakpoints in the address space of a sandboxed process. > - The target of the access. This is useful if only a subset of the > processes on the system should be prevented from executing arbitrary > code, as is the case on Android. >=20 > changed in v2: > - fix comment (Janis Danisevsk) > - simplify code a bit (Janis Danisevsk) >=20 > changed in v3: > - rebase > - no need to pass in creds in populate_vma_page_range() > - reword check_vma_flags() comment (Ingo Molnar) > - use helper struct gup_creds (Ingo Molnar) I introduced some bugs here again, as the kernel test robot points out. --UfEAyuTBtIjiZzX6 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJYGxPaAAoJED4KNFJOeCOo2igQAJVj0RGJ4EaUQ2lLewI+QaKP 9fL9XVChcpzRj0hlyAT5jdoUXTe+w2jX6/JetAcXvuo49GszxHRoxg5iNRKlCVaQ zsm5UDMUMhnMUGjA4rVnh2vyZdQWiarLXgkirVBAeno74X0dbc1vtgaD6VjmAil/ JwZT5vj3lUuMhrHKKktTbGwwz7EUYbj7fHy9LXQUJvPNYJ/n37AI5PBgoBRZ9E+3 EL3GSk6zqThN1YnokPT3HoDaJ5B4SSHWn0BRp0XpPPFU6THleiKIawTqXsHnuZwn 0TS2cBok/cET7ykJkp/YaLCVEYM1ViDlFVfjX0DE7UIAXanFA86cKQOTA5S4eVMS OPuknSgAxGkw7IbpvUbHAPaM0DXFqifINL8GgbNadfS0pFD4ezeuVX2l5fUJ0Pi2 nPFTRxHg46s1Lvb2CC2QuDPyEnvN/w/iKCwdqRaGCoJKVJIa0dTd4WBmFnGnk0H5 qSMREqael0yQgZ7lV7V+5aaKKMuYP92PWC1lYMIUfhBcO401HEQl4u+e6aEgUpgw i+2a1v3zqoeCDvjJFJNKsHMK0RbpK5V+yW5miGuxToQVol7cM0WJM/nf6UTotmE/ KyKVzqQq7lOu76GMD7H08iXqbHjrPOey+QmtoM6lojjSihX2JU7wT2DmQvin/KZS nPF49NY1Vt3ByJsktTt7 =vGPU -----END PGP SIGNATURE----- --UfEAyuTBtIjiZzX6--