Date: Tue, 16 May 2023 13:17:34 -0700
From: Kees Cook
To: Michael McCracken
Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, serge@hallyn.com, tycho@tycho.pizza, Luis Chamberlain, Iurii Zaikin, Andrew Morton, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH] sysctl: add config to make randomize_va_space RO
Message-ID: <202305161312.078E5E7@keescook>
References: <20230504213002.56803-1-michael.mccracken@gmail.com>
In-Reply-To: <20230504213002.56803-1-michael.mccracken@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 04, 2023 at 02:30:02PM -0700, Michael McCracken wrote:
> Add config RO_RANDMAP_SYSCTL to set the mode of the randomize_va_space
> sysctl to 0444 to disallow all runtime changes. This will prevent
> accidental changing of this value by a root service.
>
> The config is disabled by default to avoid surprises.
>
> Signed-off-by: Michael McCracken
> ---
>  kernel/sysctl.c | 4 ++++
>  mm/Kconfig      | 7 +++++++
>  2 files changed, 11 insertions(+)
>
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index bfe53e835524..c5aafb734abe 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -1913,7 +1913,11 @@ static struct ctl_table kern_table[] = {
>  .procname = "randomize_va_space",
>  .data = &randomize_va_space,
>  .maxlen = sizeof(int),
> +#if defined(CONFIG_RO_RANDMAP_SYSCTL)
> + .mode = 0444,
> +#else
>  .mode = 0644,
> +#endif

The way we've dealt with this in the past for similarly sensitive sysctl
variables was to set a "locked" position. (e.g. 0==off, 1==on, 2==cannot
be turned off). In this case, we could make it 0, 1, 2, 3==forced on full.

I note that there is actually no min/max (extra1/extra2) for this sysctl,
which is itself a bug, IMO. And there is just a magic "> 1" test that
should be a define or enum:

fs/binfmt_elf.c:        if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {

I think much of this should be improved.

Regardless, take a look at yama_dointvec_minmax(), which could, perhaps,
be generalized and used here. Then we have a run-time way to manage this
bit, without needing full kernel rebuilds, etc, etc.

-Kees

-- 
Kees Cook
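Review bot: the #if/#else/#endif around .mode inside the kern_table initializer would read better as one expression, `.mode = IS_ENABLED(CONFIG_RO_RANDMAP_SYSCTL) ? 0444 : 0644,`, which keeps preprocessor conditionals out of the table entry and compiles both branches. The entry also still carries no .extra1/.extra2, so in the default (0644) configuration a write is not range-checked at all; adding bounds, or a locked handler in the style of yama_dointvec_minmax() as the reply suggests, would close that gap without tying the policy to a kernel rebuild.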
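The locked-position handler the reply points at, modelled in user space as an added example (not kernel code and not part of the patch); the enum names and the `locked_int` struct are assumptions standing in for the `ctl_table` extra1/extra2 fields:

```c
/* Added user-space model of the "locked position" sysctl pattern the reply
 * describes, generalised from yama_dointvec_minmax(): every write is
 * range-checked and, once the value reaches its maximum, it can no longer
 * be lowered. Not kernel code; the level names below are hypothetical. */
#include <errno.h>
#include <stdbool.h>

/* Hypothetical names for the randomize_va_space levels; the kernel itself
 * tests a bare "> 1" in fs/binfmt_elf.c for the brk level. */
enum randomize_va_level {
	RANDOMIZE_VA_OFF    = 0,
	RANDOMIZE_VA_MMAP   = 1, /* mmap base, stack and vdso randomised */
	RANDOMIZE_VA_BRK    = 2, /* additionally the heap (brk) */
	RANDOMIZE_VA_LOCKED = 3, /* forced on full, cannot be lowered again */
};

/* Stand-in for the ctl_table fields the kernel handler consults. */
struct locked_int {
	int value;
	int min; /* extra1 */
	int max; /* extra2 */
};

/* Generalised locked write. Bounds are applied to a copy of the table, as
 * yama does, and if the current value already sits at max the lower bound
 * is raised to max for this write, so the lock cannot be undone later. */
int locked_int_write(struct locked_int *t, bool capable, int newval)
{
	struct locked_int copy = *t;

	if (!capable)
		return -EPERM; /* yama checks CAP_SYS_PTRACE at this point */
	if (copy.value == copy.max)
		copy.min = copy.max;
	/* proc_dointvec_minmax() behaviour: reject anything out of range */
	if (newval < copy.min || newval > copy.max)
		return -EINVAL;
	t->value = newval;
	return 0;
}

/* The fs/binfmt_elf.c test written against the enum instead of a magic 1;
 * a locked value (3) still satisfies it. */
bool brk_randomized(const struct locked_int *t)
{
	return t->value > RANDOMIZE_VA_MMAP;
}
```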