From: Dmitry Mastykin <dmastykin@astralinux.ru>
To: linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-mm@kvack.org
Cc: stephen.smalley.work@gmail.com, aaw@google.com
Subject: preventing executable stack with file_mprotect hook
Date: Tue, 16 Jan 2024 15:37:45 +0300 [thread overview]
Message-ID: <5eb30083-1d8f-02cf-c4bf-2560ad46243d@astralinux.ru> (raw)
Hello all,
I use the file_mprotect hook to prevent executable stack. It's called
from mprotect syscall and prevents linkage with execstack-flagged
libraries. But I don't see it called when I execute a simple
execstack-flagged binary: int main() { char shell[100] = "\xb0\x01" //
mov al, 1 "\x31\xdb" // xor ebx, ebx "\xcd\x80" ; // int 0x80
((void(*)())shell)(); return 0; } I'm thinking about a patch like one in
the end of this message. I would be glad to have a feedback, if someone
find this reasonable. Thank you! Kind regards Dmitry Mastykin
diff --git a/fs/exec.c b/fs/exec.c
index cebfe15bbad8..0288f14f11b2 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -50,6 +50,7 @@
#include <linux/module.h>
#include <linux/namei.h>
#include <linux/mount.h>
+#include <linux/mman.h>
#include <linux/security.h>
#include <linux/syscalls.h>
#include <linux/tsacct_kern.h>
@@ -759,6 +760,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
struct vm_area_struct *vma = bprm->vma;
struct vm_area_struct *prev = NULL;
unsigned long vm_flags;
+ unsigned long prot = 0;
unsigned long stack_base;
unsigned long stack_size;
unsigned long stack_expand;
@@ -811,16 +813,19 @@ int setup_arg_pages(struct linux_binprm *bprm,
* EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
* (arch default) otherwise.
*/
- if (unlikely(executable_stack == EXSTACK_ENABLE_X))
+ if (unlikely(executable_stack == EXSTACK_ENABLE_X)) {
+ prot |= PROT_EXEC;
vm_flags |= VM_EXEC;
- else if (executable_stack == EXSTACK_DISABLE_X)
+ } else if (executable_stack == EXSTACK_DISABLE_X)
vm_flags &= ~VM_EXEC;
vm_flags |= mm->def_flags;
vm_flags |= VM_STACK_INCOMPLETE_SETUP;
tlb_gather_mmu(&tlb, mm);
- ret = mprotect_fixup(&tlb, vma, &prev, vma->vm_start, vma->vm_end,
- vm_flags);
+ ret = security_file_mprotect(vma, prot, prot);
+ if (!ret)
+ ret = mprotect_fixup(&tlb, vma, &prev,
+ vma->vm_start, vma->vm_end, vm_flags);
tlb_finish_mmu(&tlb);
if (ret)
reply other threads:[~2024-01-16 12:37 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5eb30083-1d8f-02cf-c4bf-2560ad46243d@astralinux.ru \
--to=dmastykin@astralinux.ru \
--cc=aaw@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox