Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp4378929ybi; Sat, 6 Jul 2019 03:56:23 -0700 (PDT) X-Google-Smtp-Source: APXvYqwvTEfmoAxLx/okK/NTYxGR0IxF/H0iecMi1KnsaeEfk11QEmwWWdYpVnSAvr0Jh2jrrb6T X-Received: by 2002:a17:902:2ae7:: with SMTP id j94mr10889053plb.270.1562410583411; Sat, 06 Jul 2019 03:56:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562410583; cv=none; d=google.com; s=arc-20160816; b=o+V5XusHnuw1K4FLSvdul0X0nEkw057rpe3Bcdf8GTJsliNiG+LWiqDZrmh+sqBV0k Zpr5ym+RfwvZROlQ4Ufai1ihcmNbrznvl1FMfuu1lojdTSmVPf6AcZHt+pMhfEAIFI5i nNcd7ARgbj4roK1gGRewCfum5sEO9ZSFlMS8AkuBtIhwmcUHXWrnsgixohOtnpUvTGFU pSMR/df6Co8hcGrlVF6th5deHzpK+o6wPdcQnp6oGKmpIWoo2LyUN7YZ8urMw0kqb7Pf BY5WbJYakf9I9nmgE0qHJ4CZmKxgx9WpkciuqML3vQsP7lYYo9KiiCmd1GDcJgQxPJUV g+gw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=u2RjwdUFNE3OIK/3bCmlFikIsAzp11hkr0vwILrcAOk=; b=Fa1fBr6ZVM3drKJPwMD/kKyw9OCpKFikhobXMgZruqh2SZ+02Y4sOvk9QtMoJly74g sPOVoVCvNmgnIsVu8MgispKoZ6uEgJ+8+3g7TJDDgsus8qnSRBKaBabU5LopbqrgOvvC c90dL5WbtDqqA5ijtuSUyX8GHM6qDfNtc7+Hi5U0uFoiDw2b8/huQltpbh42jKeO2uky +Sg0SiUvli0YW/KL+srBplZUA8Il1ITATukFF//Hp7okiT/eSJHuD6cDQB8iE074qxCc dsidKm/T4Au8Zvz9HAYG6Hro2rhNgyX3LqDefDElyX3dh6B0BqHuZt0NFqwoU2CqqlU2 vB7w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=thNRn6TJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k22si12517846pfk.90.2019.07.06.03.56.08; Sat, 06 Jul 2019 03:56:23 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=thNRn6TJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727158AbfGFKzg (ORCPT + 99 others); Sat, 6 Jul 2019 06:55:36 -0400 Received: from mail-wm1-f67.google.com ([209.85.128.67]:40883 "EHLO mail-wm1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727057AbfGFKz1 (ORCPT ); Sat, 6 Jul 2019 06:55:27 -0400 Received: by mail-wm1-f67.google.com with SMTP id v19so11941394wmj.5; Sat, 06 Jul 2019 03:55:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=u2RjwdUFNE3OIK/3bCmlFikIsAzp11hkr0vwILrcAOk=; b=thNRn6TJGPSAjqCTr1tPi/WxernvhpJlmpA3TOqpdYJiE30WEHmKtQQLBhQkPRLOPw 6LdBMJiwQeRDj45LsQ+CyPeBPtz6Sm/DVPA/1jFuQwsFGykkDeEEAkecFk+eI93fAHD1 qYlH4joBKaM50/AAsI6LhYNjkSKoWjJohjBdSbGLIHp32dQu3tN7YZr1eYxcsB+bqXUy bX3ZLkExfr5FGb8+TAw/oOIVBNNg7ayqAkWV/3r6PYpzR3qHiM4xg4ORrndOJWzJXK+K OUQHzEOkfBbfQCpO4tDaUbNknqB74EkTe516YzXQIsCHfecezahJQP/7fVtAx2XeBD7c +9Fw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=u2RjwdUFNE3OIK/3bCmlFikIsAzp11hkr0vwILrcAOk=; b=eDrGL44MRUA86Mk8sjVGtgkww0yi39ok0Mn2EnsMtKpwyRNyJi73HvJZcxZYNg7TQ+ u4Gy/RJv7neDJnSInjCwsh4z8BptxWMsJ++2iXcW0CbTHwd61iS92mz7mu6FRxC1QB76 Rlb/6gKI34MbyMk2MQ7EfSnR8FtfCYFR1uevtyyl26Mx31Ei6zDLE539HKStZGHiXTXF gwqAezlNEY6tDElezDXgQ2icGvXZGBUnHqHu28ugFyAtIMsVbLYyM71NV+DLIIYX8RNq 6UfKhUfoUg0lYaV23z7wEkcBJhVItsqTFx6AMsbRgkr9x5KLKe7dZw+J5Cf43A0ddhds TimA== X-Gm-Message-State: APjAAAXpuhJXa390AkHldeITDMcT8zFQ0uDJTsG6o+FJJEh0I/vkjhIG KKqMX19TnfHAId0Boid/T/plGKboALI25g== X-Received: by 2002:a1c:5f87:: with SMTP id t129mr8243038wmb.150.1562410524445; Sat, 06 Jul 2019 03:55:24 -0700 (PDT) Received: from localhost (net-93-71-3-102.cust.vodafonedsl.it. [93.71.3.102]) by smtp.gmail.com with ESMTPSA id h11sm12578794wrx.93.2019.07.06.03.55.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 06 Jul 2019 03:55:23 -0700 (PDT) From: Salvatore Mesoraca To: linux-kernel@vger.kernel.org Cc: kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-security-module@vger.kernel.org, Alexander Viro , Brad Spengler , Casey Schaufler , Christoph Hellwig , James Morris , Jann Horn , Kees Cook , PaX Team , Salvatore Mesoraca , "Serge E. Hallyn" , Thomas Gleixner Subject: [PATCH v5 11/12] S.A.R.A.: /proc/*/mem write limitation Date: Sat, 6 Jul 2019 12:54:52 +0200 Message-Id: <1562410493-8661-12-git-send-email-s.mesoraca16@gmail.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1562410493-8661-1-git-send-email-s.mesoraca16@gmail.com> References: <1562410493-8661-1-git-send-email-s.mesoraca16@gmail.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Prevent a task from opening, in "write" mode, any /proc/*/mem file that operates on the task's mm. A process could use it to overwrite read-only memory, bypassing S.A.R.A. restrictions. Signed-off-by: Salvatore Mesoraca --- security/sara/include/sara_data.h | 18 ++++++++++++++++- security/sara/sara_data.c | 8 ++++++++ security/sara/wxprot.c | 41 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 66 insertions(+), 1 deletion(-) diff --git a/security/sara/include/sara_data.h b/security/sara/include/sara_data.h index 9216c47..ee95f74 100644 --- a/security/sara/include/sara_data.h +++ b/security/sara/include/sara_data.h @@ -15,6 +15,7 @@ #define __SARA_DATA_H #include +#include #include #include #include @@ -40,6 +41,10 @@ struct sara_shm_data { spinlock_t lock; }; +struct sara_inode_data { + struct task_struct *task; +}; + static inline struct sara_data *get_sara_data(const struct cred *cred) { @@ -79,6 +84,17 @@ static inline struct sara_shm_data *get_sara_shm_data( #define lock_sara_shm(X) (spin_lock(&get_sara_shm_data((X))->lock)) #define unlock_sara_shm(X) (spin_unlock(&get_sara_shm_data((X))->lock)) -#endif + +static inline struct sara_inode_data *get_sara_inode_data( + const struct inode *inode) +{ + if (unlikely(!inode->i_security)) + return NULL; + return inode->i_security + sara_blob_sizes.lbs_inode; +} + +#define get_sara_inode_task(X) (get_sara_inode_data((X))->task) + +#endif /* CONFIG_SECURITY_SARA_WXPROT */ #endif /* __SARA_H */ diff --git a/security/sara/sara_data.c b/security/sara/sara_data.c index 9afca37..e875cf0 100644 --- a/security/sara/sara_data.c +++ b/security/sara/sara_data.c @@ -17,6 +17,7 @@ #include #include #include +#include #include static int sara_cred_prepare(struct cred *new, const struct cred *old, @@ -40,15 +41,22 @@ static int sara_shm_alloc_security(struct kern_ipc_perm *shp) return 0; } +static void sara_task_to_inode(struct task_struct *t, struct inode *i) +{ + get_sara_inode_task(i) = t; +} + static struct security_hook_list data_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(cred_prepare, sara_cred_prepare), LSM_HOOK_INIT(cred_transfer, sara_cred_transfer), LSM_HOOK_INIT(shm_alloc_security, sara_shm_alloc_security), + LSM_HOOK_INIT(task_to_inode, sara_task_to_inode), }; struct lsm_blob_sizes sara_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct sara_data), .lbs_ipc = sizeof(struct sara_shm_data), + .lbs_inode = sizeof(struct sara_inode_data), }; int __init sara_data_init(void) diff --git a/security/sara/wxprot.c b/security/sara/wxprot.c index 773d1fd..1a8d132 100644 --- a/security/sara/wxprot.c +++ b/security/sara/wxprot.c @@ -22,8 +22,11 @@ #include #include #include +#include #include #include +#include +#include #include #include @@ -615,6 +618,43 @@ static int sara_file_mprotect(struct vm_area_struct *vma, return 0; } +static int sara_file_open(struct file *file) +{ + struct task_struct *t; + struct mm_struct *mm; + u16 sara_wxp_flags = get_current_sara_wxp_flags(); + + /* + * Prevent write access to /proc/.../mem + * if it operates on the mm_struct of the + * current process: it could be used to + * bypass W^X. + */ + + if (!sara_enabled || + !wxprot_enabled || + !(sara_wxp_flags & SARA_WXP_WXORX) || + !(file->f_mode & FMODE_WRITE)) + return 0; + + t = get_sara_inode_task(file_inode(file)); + if (unlikely(t != NULL && + strcmp(file->f_path.dentry->d_name.name, + "mem") == 0)) { + get_task_struct(t); + mm = get_task_mm(t); + put_task_struct(t); + if (unlikely(mm == current->mm)) + sara_warn_or_goto(error, + "write access to /proc/*/mem"); + mmput(mm); + } + return 0; +error: + mmput(mm); + return -EACCES; +} + #ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP static int sara_pagefault_handler(struct pt_regs *regs, unsigned long error_code, @@ -778,6 +818,7 @@ static int sara_setprocattr(const char *name, void *value, size_t size) LSM_HOOK_INIT(check_vmflags, sara_check_vmflags), LSM_HOOK_INIT(shm_shmat, sara_shm_shmat), LSM_HOOK_INIT(file_mprotect, sara_file_mprotect), + LSM_HOOK_INIT(file_open, sara_file_open), #ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP LSM_HOOK_INIT(pagefault_handler, sara_pagefault_handler), #endif -- 1.9.1