From: Jann Horn
Date: Tue, 5 May 2020 02:15:56 +0200
Subject: Re: [RFC PATCH] ima: verify mprotect change is consistent with mmap policy
To: Mimi Zohar
Cc: linux-integrity@vger.kernel.org, Stephen Smalley, Eric Biggers, linux-security-module, kernel list
References: <1588627060-7399-1-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1588627060-7399-1-git-send-email-zohar@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 4, 2020 at 11:18 PM Mimi Zohar wrote:
> Files can be mmap'ed read/write and later changed to execute to circumvent
> IMA's mmap appraise policy rules. Due to locking issues (mmap semaphore
> would be taken prior to i_mutex), files can not be measured or appraised at
> this point. Eliminate this integrity gap, by denying the mprotect
> PROT_EXECUTE change, if an mmap appraise policy rule exists.

Just keep in mind that there are other ways to create executable mappings
containing controlled code; e.g. PROT_EXEC with MAP_ANONYMOUS, or writing to
/proc/self/mem (which is a debugging API that works entirely without ever
making the VMA writable - I had an old series to provide LSM hooks for that
stuff at , but I guess I must have forgotten about it or something...).
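As an added defender-side check (not part of the patch or of this thread), the probe below asks the running kernel whether a file mapping created read/write can later be switched to PROT_EXEC with mprotect(), which is the gap the patch description above closes, and repeats the request on an anonymous mapping, which Jann notes the file-based hooks do not cover. The default file path is a placeholder; pass any file that the IMA policy appraises.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
enum probe_result { PROBE_ALLOWED, PROBE_DENIED, PROBE_ERROR };

/* rc == 0: the kernel allowed the protection change. EPERM/EACCES: a policy
 * (IMA appraisal, an LSM, or a noexec mount) refused it. Anything else is a
 * probe failure, not a policy decision. */
enum probe_result classify_mprotect(int rc, int err)
{
    if (rc == 0)
        return PROBE_ALLOWED;
    return (err == EPERM || err == EACCES) ? PROBE_DENIED : PROBE_ERROR;
}

/* Map one page of `path` (anonymous when path is NULL) read/write, then
 * request PROT_READ|PROT_EXEC on it. *err_out receives errno on failure. */
enum probe_result probe_rw_then_exec(const char *path, int *err_out)
{
    long len = sysconf(_SC_PAGESIZE);
    int fd = -1, flags = MAP_PRIVATE, rc;
    *err_out = 0;
    if (path) {
        if ((fd = open(path, O_RDONLY)) < 0) { *err_out = errno; return PROBE_ERROR; }
    } else {
        flags |= MAP_ANONYMOUS;
    }
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, flags, fd, 0);
    if (p == MAP_FAILED) { *err_out = errno; if (fd >= 0) close(fd); return PROBE_ERROR; }
    rc = mprotect(p, len, PROT_READ | PROT_EXEC);
    if (rc != 0) *err_out = errno;
    munmap(p, len);
    if (fd >= 0) close(fd);
    return classify_mprotect(rc, *err_out);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/bin/true";  /* placeholder test file */
    const char *names[] = { "allowed", "denied", "error" };
    int err;
    enum probe_result r = probe_rw_then_exec(path, &err);
    printf("file-backed %s: RW->RX %s (%s)\n", path, names[r], strerror(err));
    r = probe_rw_then_exec(NULL, &err);  /* anonymous: outside the file mmap/mprotect hooks */
    printf("anonymous mapping: RW->RX %s (%s)\n", names[r], strerror(err));
    return 0;
}
```

A kernel carrying the patch with an mmap appraise rule covering the file should report "denied" for the file-backed case while the anonymous case still reports "allowed".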