Re: [PATCH] hardening: add PROT_FINAL prot flag to mmap/mprotect

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

* Re: [PATCH] hardening: add PROT_FINAL prot flag to mmap/mprotect
       [not found]       ` <CAKFga-fB2JSAscSVi+YUOnFS4Lq4yzH5MHRwxDQBQYZfKAgB6A@mail.gmail.com>
@ 2012-10-02 22:10         ` Kees Cook
  2012-10-02 22:38           ` Andrew Morton
  0 siblings, 1 reply; 3+ messages in thread
From: Kees Cook @ 2012-10-02 22:10 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: linux-kernel, Al Viro, Andrew Morton, Ingo Molnar,
	Srikar Dronamraju, KOSAKI Motohiro, James Morris,
	Konstantin Khlebnikov, linux-mm

On Tue, Oct 2, 2012 at 2:41 PM, Ard Biesheuvel <ard.biesheuvel@gmail.com> wrote:
> 2012/10/2 Kees Cook <keescook@chromium.org>:
>>> If desired, additional restrictions can be imposed by using the
>>> security framework, e.g,, disallow non-final r-x mappings.
>>
>> Interesting; what kind of interface did you have in mind?
>
> The 'interface' we use is a LSM .ko which registers handlers for
> mmap() and mprotect() that fail the respective invocations if the
> passed arguments do not adhere to the policy.

Seems reasonable.

>>>> It seems like there needs to be a sensible way to detect that this flag is
>>>> available, though.
>>>
>>> I am open for suggestions to address this. Our particular
>>> implementation of the loader (on an embedded system) tries to set it
>>> on the first mmap invocation, and stops trying if it fails. Not the
>>> most elegant approach, I know ...
>>
>> Actually, that seems easiest.
>>
>> Has there been any more progress on this patch over-all?
>
> No progress.

Al, Andrew, anyone? Thoughts on this?
(First email is https://lkml.org/lkml/2012/8/14/448)

-Kees

-- 
Kees Cook
Chrome OS Security

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] hardening: add PROT_FINAL prot flag to mmap/mprotect
  2012-10-02 22:10         ` [PATCH] hardening: add PROT_FINAL prot flag to mmap/mprotect Kees Cook
@ 2012-10-02 22:38           ` Andrew Morton
  2012-10-03  0:43             ` Hugh Dickins
  0 siblings, 1 reply; 3+ messages in thread
From: Andrew Morton @ 2012-10-02 22:38 UTC (permalink / raw)
  To: Kees Cook
  Cc: Ard Biesheuvel, linux-kernel, Al Viro, Ingo Molnar,
	Srikar Dronamraju, KOSAKI Motohiro, James Morris,
	Konstantin Khlebnikov, linux-mm

On Tue, 2 Oct 2012 15:10:56 -0700
Kees Cook <keescook@chromium.org> wrote:

> >> Has there been any more progress on this patch over-all?
> >
> > No progress.
> 
> Al, Andrew, anyone? Thoughts on this?
> (First email is https://lkml.org/lkml/2012/8/14/448)

Wasn't cc'ed, missed it.

The patch looks straightforward enough.  Have the maintainers of the
runtime linker (I guess that's glibc) provided any feedback on the
proposal?

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] hardening: add PROT_FINAL prot flag to mmap/mprotect
  2012-10-02 22:38           ` Andrew Morton
@ 2012-10-03  0:43             ` Hugh Dickins
  0 siblings, 0 replies; 3+ messages in thread
From: Hugh Dickins @ 2012-10-03  0:43 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Kees Cook, Ard Biesheuvel, linux-kernel, Al Viro, Ingo Molnar,
	Srikar Dronamraju, KOSAKI Motohiro, James Morris,
	Konstantin Khlebnikov, linux-mm

On Tue, 2 Oct 2012, Andrew Morton wrote:
> On Tue, 2 Oct 2012 15:10:56 -0700
> Kees Cook <keescook@chromium.org> wrote:
> 
> > >> Has there been any more progress on this patch over-all?
> > >
> > > No progress.
> > 
> > Al, Andrew, anyone? Thoughts on this?
> > (First email is https://lkml.org/lkml/2012/8/14/448)
> 
> Wasn't cc'ed, missed it.
> 
> The patch looks straightforward enough.  Have the maintainers of the
> runtime linker (I guess that's glibc) provided any feedback on the
> proposal?

It looks reasonable to me too.  I checked through VM_MAYflag handling
and don't expect surprises (a few places already turn off VM_MAYWRITE
in much the same way that this does, I hadn't realized).

I'm disappointed to find that our mmap() is lax about checking its
PROT and MAP args, so old kernels will accept PROT_FINAL but do
nothing with it.  Luckily mprotect() is stricter, so that can be
used to check for whether it's supported.

The patch does need to be slightly extended though: alpha, mips,
parisc and xtensa have their own include/asm/mman.h, which does
not include asm-generic/mman-common.h at all.

Hugh

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2012-10-03  0:44 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <E1T1N2q-0001xm-5X@morero.ard.nu>
     [not found] ` <20120820180037.GV4232@outflux.net>
     [not found]   ` <CAKFga-dDRyRwxUu4Sv7QLcoyY5T3xxhw48LP2goWs=avGW0d_A@mail.gmail.com>
     [not found]     ` <CAGXu5jJCqABZcMHuQNAaAcUKCEsSqOTn5=DHdwFdJ70zVLsmSQ@mail.gmail.com>
     [not found]       ` <CAKFga-fB2JSAscSVi+YUOnFS4Lq4yzH5MHRwxDQBQYZfKAgB6A@mail.gmail.com>
2012-10-02 22:10         ` [PATCH] hardening: add PROT_FINAL prot flag to mmap/mprotect Kees Cook
2012-10-02 22:38           ` Andrew Morton
2012-10-03  0:43             ` Hugh Dickins

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox