From: Eric Paris <eparis@parisplace.org>
To: Christoph Lameter <cl@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
"Larry H." <research@subreption.com>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
linux-mm@kvack.org, Rik van Riel <riel@redhat.com>,
linux-kernel@vger.kernel.org, pageexec@freemail.hu,
jmorris@namei.org
Subject: Re: Security fix for remapping of page 0 (was [PATCH] Change ZERO_SIZE_PTR to point at unmapped space)
Date: Wed, 3 Jun 2009 16:16:02 -0400 [thread overview]
Message-ID: <7e0fb38c0906031316n7aeed974xf15f8af5a3b04f63@mail.gmail.com> (raw)
In-Reply-To: <alpine.DEB.1.10.0906031602250.20254@gentwo.org>
On Wed, Jun 3, 2009 at 4:04 PM, Christoph Lameter
<cl@linux-foundation.org> wrote:
> On Wed, 3 Jun 2009, Eric Paris wrote:
>
>> The 'right'est fix is as Alan suggested, duplicate the code
>>
>> from security/capability.c::cap_file_mmap()
>> to include/linux/security.h::securitry_file_mmap()
>
> Thats easy to do but isnt it a bit weird now to configure mmap_min_addr?
??
> A security model may give it a different interpretation?
Not sure what you mean. Yes, each security model is allowed to decide
what permissions are needed to pass a given security check. SELinux
decided that CAP_SYS_RAWIO was not needed, but the selinux permission
mmap_zero was. Had there been a more specific capability to use
SELinux might have been happy using a capability...
> What about round_hint_to_min()?
not sure what you mean....
>
> Use mmap_min_addr indepedently of security models
>
> This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.
> It also sets a default mmap_min_addr of 4096.
>
> mmapping of addresses below 4096 will only be possible for processes
> with CAP_SYS_RAWIO.
<pedantic nit> "or the appropriate permission for the given LSM </pedantic nit>
> Signed-off-by: Christoph Lameter <cl@linux-foundation.org>
Clearly lots more cleanup can be done between CONFIG_SECURITY and
!CONFIG_SECURITY like Linus suggested, but
Acked-by: Eric Paris <eparis@redhat.com>
> ---
> include/linux/mm.h | 2 --
> include/linux/security.h | 2 ++
> kernel/sysctl.c | 2 --
> mm/Kconfig | 19 +++++++++++++++++++
> mm/mmap.c | 3 +++
> security/Kconfig | 20 --------------------
> security/security.c | 3 ---
> 7 files changed, 24 insertions(+), 27 deletions(-)
>
> Index: linux-2.6/include/linux/mm.h
> ===================================================================
> --- linux-2.6.orig/include/linux/mm.h 2009-06-03 15:00:54.000000000 -0500
> +++ linux-2.6/include/linux/mm.h 2009-06-03 15:00:56.000000000 -0500
> @@ -580,12 +580,10 @@ static inline void set_page_links(struct
> */
> static inline unsigned long round_hint_to_min(unsigned long hint)
> {
> -#ifdef CONFIG_SECURITY
> hint &= PAGE_MASK;
> if (((void *)hint != NULL) &&
> (hint < mmap_min_addr))
> return PAGE_ALIGN(mmap_min_addr);
> -#endif
> return hint;
> }
>
> Index: linux-2.6/kernel/sysctl.c
> ===================================================================
> --- linux-2.6.orig/kernel/sysctl.c 2009-06-03 15:00:54.000000000 -0500
> +++ linux-2.6/kernel/sysctl.c 2009-06-03 15:00:56.000000000 -0500
> @@ -1225,7 +1225,6 @@ static struct ctl_table vm_table[] = {
> .strategy = &sysctl_jiffies,
> },
> #endif
> -#ifdef CONFIG_SECURITY
> {
> .ctl_name = CTL_UNNUMBERED,
> .procname = "mmap_min_addr",
> @@ -1234,7 +1233,6 @@ static struct ctl_table vm_table[] = {
> .mode = 0644,
> .proc_handler = &proc_doulongvec_minmax,
> },
> -#endif
> #ifdef CONFIG_NUMA
> {
> .ctl_name = CTL_UNNUMBERED,
> Index: linux-2.6/mm/mmap.c
> ===================================================================
> --- linux-2.6.orig/mm/mmap.c 2009-06-03 15:00:54.000000000 -0500
> +++ linux-2.6/mm/mmap.c 2009-06-03 15:01:18.000000000 -0500
> @@ -87,6 +87,9 @@ int sysctl_overcommit_ratio = 50; /* def
> int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
> struct percpu_counter vm_committed_as;
>
> +/* amount of vm to protect from userspace access */
> +unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
> +
> /*
> * Check that a process has enough memory to allocate a new virtual
> * mapping. 0 means there is enough memory for the allocation to
> Index: linux-2.6/security/security.c
> ===================================================================
> --- linux-2.6.orig/security/security.c 2009-06-03 15:00:54.000000000 -0500
> +++ linux-2.6/security/security.c 2009-06-03 15:00:56.000000000 -0500
> @@ -26,9 +26,6 @@ extern void security_fixup_ops(struct se
>
> struct security_operations *security_ops; /* Initialized to NULL */
>
> -/* amount of vm to protect from userspace access */
> -unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
> -
> static inline int verify(struct security_operations *ops)
> {
> /* verify the security_operations structure exists */
> Index: linux-2.6/mm/Kconfig
> ===================================================================
> --- linux-2.6.orig/mm/Kconfig 2009-06-03 15:00:54.000000000 -0500
> +++ linux-2.6/mm/Kconfig 2009-06-03 15:00:56.000000000 -0500
> @@ -226,6 +226,25 @@ config HAVE_MLOCKED_PAGE_BIT
> config MMU_NOTIFIER
> bool
>
> +config DEFAULT_MMAP_MIN_ADDR
> + int "Low address space to protect from user allocation"
> + default 4096
> + help
> + This is the portion of low virtual memory which should be protected
> + from userspace allocation. Keeping a user from writing to low pages
> + can help reduce the impact of kernel NULL pointer bugs.
> +
> + For most ia64, ppc64 and x86 users with lots of address space
> + a value of 65536 is reasonable and should cause no problems.
> + On arm and other archs it should not be higher than 32768.
> + Programs which use vm86 functionality would either need additional
> + permissions from either the LSM or the capabilities module or have
> + this protection disabled.
> +
> + This value can be changed after boot using the
> + /proc/sys/vm/mmap_min_addr tunable.
> +
> +
> config NOMMU_INITIAL_TRIM_EXCESS
> int "Turn on mmap() excess space trimming before booting"
> depends on !MMU
> Index: linux-2.6/security/Kconfig
> ===================================================================
> --- linux-2.6.orig/security/Kconfig 2009-06-03 15:00:54.000000000 -0500
> +++ linux-2.6/security/Kconfig 2009-06-03 15:00:56.000000000 -0500
> @@ -113,26 +113,6 @@ config SECURITY_ROOTPLUG
>
> If you are unsure how to answer this question, answer N.
>
> -config SECURITY_DEFAULT_MMAP_MIN_ADDR
> - int "Low address space to protect from user allocation"
> - depends on SECURITY
> - default 0
> - help
> - This is the portion of low virtual memory which should be protected
> - from userspace allocation. Keeping a user from writing to low pages
> - can help reduce the impact of kernel NULL pointer bugs.
> -
> - For most ia64, ppc64 and x86 users with lots of address space
> - a value of 65536 is reasonable and should cause no problems.
> - On arm and other archs it should not be higher than 32768.
> - Programs which use vm86 functionality would either need additional
> - permissions from either the LSM or the capabilities module or have
> - this protection disabled.
> -
> - This value can be changed after boot using the
> - /proc/sys/vm/mmap_min_addr tunable.
> -
> -
> source security/selinux/Kconfig
> source security/smack/Kconfig
> source security/tomoyo/Kconfig
> Index: linux-2.6/include/linux/security.h
> ===================================================================
> --- linux-2.6.orig/include/linux/security.h 2009-06-03 15:01:28.000000000 -0500
> +++ linux-2.6/include/linux/security.h 2009-06-03 15:01:42.000000000 -0500
> @@ -2197,6 +2197,8 @@ static inline int security_file_mmap(str
> unsigned long addr,
> unsigned long addr_only)
> {
> + if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
> + return -EACCES;
> return 0;
> }
>
>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2009-06-03 20:16 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-30 19:28 [PATCH] Change ZERO_SIZE_PTR to point at unmapped space Larry H.
2009-05-30 22:29 ` Linus Torvalds
2009-05-30 23:00 ` Larry H.
2009-05-31 2:02 ` Linus Torvalds
2009-05-31 2:21 ` Larry H.
2009-06-02 15:37 ` Christoph Lameter
2009-06-02 20:34 ` Larry H.
2009-06-03 14:50 ` Security fix for remapping of page 0 (was [PATCH] Change ZERO_SIZE_PTR to point at unmapped space) Christoph Lameter
2009-06-03 15:07 ` Linus Torvalds
2009-06-03 15:23 ` Christoph Lameter
2009-06-03 15:38 ` Linus Torvalds
2009-06-03 16:14 ` Alan Cox
2009-06-03 16:19 ` Linus Torvalds
2009-06-03 16:24 ` Eric Paris
2009-06-03 16:22 ` Eric Paris
2009-06-03 16:28 ` Linus Torvalds
2009-06-03 16:32 ` Eric Paris
2009-06-03 16:44 ` Linus Torvalds
2009-06-03 15:11 ` Stephen Smalley
2009-06-03 15:41 ` Christoph Lameter
2009-06-03 16:18 ` Linus Torvalds
2009-06-03 16:28 ` Larry H.
2009-06-03 16:36 ` Rik van Riel
2009-06-03 16:47 ` Linus Torvalds
2009-06-03 17:16 ` Eric Paris
2009-06-03 17:28 ` Linus Torvalds
2009-06-03 17:31 ` Eric Paris
2009-06-03 17:24 ` Larry H.
2009-06-03 17:21 ` Larry H.
2009-06-03 22:52 ` James Morris
2009-06-03 17:29 ` Alan Cox
2009-06-03 17:35 ` Linus Torvalds
2009-06-03 18:00 ` Larry H.
2009-06-03 18:12 ` Linus Torvalds
2009-06-03 18:39 ` Larry H.
2009-06-03 18:45 ` Linus Torvalds
2009-06-03 18:50 ` Linus Torvalds
2009-06-03 18:59 ` Christoph Lameter
2009-06-03 19:11 ` Rik van Riel
2009-06-03 19:14 ` Eric Paris
2009-06-03 19:42 ` Christoph Lameter
2009-06-03 19:51 ` Eric Paris
2009-06-03 20:04 ` Christoph Lameter
2009-06-03 20:16 ` Eric Paris [this message]
2009-06-03 20:36 ` Christoph Lameter
2009-06-03 21:20 ` Linus Torvalds
2009-06-04 2:41 ` James Morris
2009-06-03 19:21 ` Alan Cox
2009-06-03 19:45 ` Christoph Lameter
2009-06-03 21:07 ` Alan Cox
2009-06-03 19:27 ` Linus Torvalds
2009-06-03 19:50 ` Christoph Lameter
2009-06-03 20:00 ` pageexec
2009-06-03 19:41 ` pageexec
2009-06-07 10:29 ` Pavel Machek
2009-05-30 22:32 ` [PATCH] Change ZERO_SIZE_PTR to point at unmapped space Peter Zijlstra
2009-05-30 22:51 ` Larry H.
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7e0fb38c0906031316n7aeed974xf15f8af5a3b04f63@mail.gmail.com \
--to=eparis@parisplace.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cl@linux-foundation.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pageexec@freemail.hu \
--cc=research@subreption.com \
--cc=riel@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox