Date: Tue, 16 May 2023 13:17:34 -0700
From: Kees Cook
To: Michael McCracken
Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, serge@hallyn.com, tycho@tycho.pizza, Luis Chamberlain, Iurii Zaikin, Andrew Morton, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH] sysctl: add config to make randomize_va_space RO
Message-ID: <202305161312.078E5E7@keescook>
References: <20230504213002.56803-1-michael.mccracken@gmail.com>
In-Reply-To: <20230504213002.56803-1-michael.mccracken@gmail.com>

On Thu, May 04, 2023 at 02:30:02PM -0700, Michael McCracken wrote:
> Add config RO_RANDMAP_SYSCTL to set the mode of the randomize_va_space
> sysctl to 0444 to disallow all runtime changes. This will prevent
> accidental changing of this value by a root service.
>
> The config is disabled by default to avoid surprises.
>
> Signed-off-by: Michael McCracken
> ---
>  kernel/sysctl.c | 4 ++++
>  mm/Kconfig      | 7 +++++++
>  2 files changed, 11 insertions(+)
>
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index bfe53e835524..c5aafb734abe 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -1913,7 +1913,11 @@ static struct ctl_table kern_table[] = {
>  		.procname	= "randomize_va_space",
>  		.data		= &randomize_va_space,
>  		.maxlen		= sizeof(int),
> +#if defined(CONFIG_RO_RANDMAP_SYSCTL)
> +		.mode		= 0444,
> +#else
>  		.mode		= 0644,
> +#endif

The way we've dealt with this in the past for similarly sensitive sysctl
variables was to set a "locked" position. (e.g. 0==off, 1==on, 2==cannot
be turned off). In this case, we could make it, 0, 1, 2, 3==forced on full.

I note that there is actually no min/max (extra1/extra2) for this sysctl,
which is itself a bug, IMO. And there is just a magic "> 1" test that
should be a define or enum:

fs/binfmt_elf.c:	if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {

I think much of this should be improved.

Regardless, take a look at yama_dointvec_minmax(), which could, perhaps,
be generalized and used here. Then we have a run-time way to manage this
bit, without needing full kernel rebuilds, etc, etc.

-Kees

-- 
Kees Cook
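Review bot: the `#if defined(CONFIG_RO_RANDMAP_SYSCTL)` block in this hunk only swaps `.mode = 0644` for `.mode = 0444`; the entry still carries no `.extra1`/`.extra2` bounds, so in the default (non-RO) build a privileged write can still store any int, and in the RO build the policy is fixed at compile time with no way to tighten it on a running system. Suggest adding min/max bounds to the entry in the same change, and handling the lock inside the `.proc_handler` as a sticky top value (the `yama_dointvec_minmax()` pattern) rather than through a build-time mode switch, so an attempted downgrade is refused with an error instead of the file silently appearing read-only.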
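To make the "locked position" idea concrete, here is an added example (not Kees' code, not the kernel's, and not part of the patch under review) that models the yama_dointvec_minmax() pattern in plain userspace C: a sysctl-like entry with min/max bounds whose lower bound is raised to the maximum once the value reaches it, so any later write of a different value is refused. It also replaces the magic "> 1" test with a named enum. The level RANDOMIZE_VA_FORCED_FULL (3), the struct and function names, and the write sequence are all assumptions constructed for this illustration; the capable() check a real handler performs first is not modelled.

```c
#include <errno.h>
#include <stdio.h>

/*
 * Named levels for randomize_va_space in place of the magic "> 1" test.
 * 0..2 are the kernel's existing meanings; RANDOMIZE_VA_FORCED_FULL (3)
 * is the hypothetical locked level from the discussion, not a kernel value.
 */
enum randomize_va_level {
	RANDOMIZE_VA_OFF = 0,         /* no randomization */
	RANDOMIZE_VA_MMAP_STACK = 1,  /* randomize mmap base, stack, vdso */
	RANDOMIZE_VA_FULL = 2,        /* additionally randomize brk */
	RANDOMIZE_VA_FORCED_FULL = 3, /* hypothetical: full, and sticky */
};

/* Replacement for the open-coded (randomize_va_space > 1) check. */
int randomize_va_brk(int level)
{
	return level >= RANDOMIZE_VA_FULL;
}

/* Minimal model of a ctl_table entry: the value and its extra1/extra2 bounds. */
struct locked_sysctl {
	int value;
	int min;
	int max;
};

/*
 * Model of the yama_dointvec_minmax pattern: once the value has reached
 * max, the lower bound used for the write is raised to max, so any
 * different value is rejected. Returns 0 on success or -EINVAL when out
 * of range, which is what proc_dointvec_minmax reports for an
 * out-of-bounds write.
 */
int locked_sysctl_write(struct locked_sysctl *t, int new_value)
{
	int lo = t->min;

	if (t->value == t->max)
		lo = t->max; /* locked at the top value */

	if (new_value < lo || new_value > t->max)
		return -EINVAL;

	t->value = new_value;
	return 0;
}

/*
 * Apply a constructed sequence of writes starting from `start` and return
 * the final value; if rejected is non-NULL it receives the number of
 * writes that were refused.
 */
int apply_writes(int start, const int *writes, int n, int *rejected)
{
	struct locked_sysctl rvs = {
		.value = start,
		.min = RANDOMIZE_VA_OFF,
		.max = RANDOMIZE_VA_FORCED_FULL,
	};
	int refused = 0;

	for (int i = 0; i < n; i++)
		if (locked_sysctl_write(&rvs, writes[i]) != 0)
			refused++;

	if (rejected)
		*rejected = refused;
	return rvs.value;
}

/* Convenience wrapper: only the count of refused writes. */
int count_rejected(int start, const int *writes, int n)
{
	int refused;

	apply_writes(start, writes, n, &refused);
	return refused;
}

int main(void)
{
	/* Constructed sequence: lower, raise to forced-full, then try to relax. */
	const int writes[] = { RANDOMIZE_VA_OFF, RANDOMIZE_VA_FORCED_FULL,
			       RANDOMIZE_VA_FULL, RANDOMIZE_VA_OFF, 7 };
	int refused;
	int final = apply_writes(RANDOMIZE_VA_FULL, writes, 5, &refused);

	printf("final level %d, %d writes refused, brk randomized: %d\n",
	       final, refused, randomize_va_brk(final));
	return 0;
}
```

The point of the sticky bound is operational rather than cosmetic: an administrator who sets the forced level gets a write error on any later attempt to relax it, which is observable and auditable, whereas a 0444 mode chosen at build time can only be changed by rebuilding the kernel.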