security: Protection for exploiting null dereference using mmap
authorEric Paris <eparis@redhat.com>
Thu, 28 Jun 2007 19:55:21 +0000 (15:55 -0400)
committerJames Morris <jmorris@namei.org>
Thu, 12 Jul 2007 02:52:29 +0000 (22:52 -0400)
Add a new security check on mmap operations to see if the user is attempting
to mmap to low area of the address space.  The amount of space protected is
indicated by the new proc tunable /proc/sys/vm/mmap_min_addr and defaults to
0, preserving existing behavior.

This patch uses a new SELinux security class "memprotect."  Policy already
contains a number of allow rules like a_t self:process * (unconfined_t being
one of them) which mean that putting this check in the process class (its
best current fit) would make it useless as all user processes, which we also
want to protect against, would be allowed. By taking the memprotect name of
the new class it will also make it possible for us to move some of the other
memory protect permissions out of 'process' and into the new class next time
we bump the policy version number (which I also think is a good future idea)

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 files changed:
Documentation/sysctl/vm.txt
include/linux/security.h
kernel/sysctl.c
mm/mmap.c
mm/mremap.c
mm/nommu.c
security/dummy.c
security/security.c
security/selinux/hooks.c
security/selinux/include/av_perm_to_string.h
security/selinux/include/av_permissions.h
security/selinux/include/class_to_string.h
security/selinux/include/flask.h

index 1d192565e18207188cc93b54d962dd7d5974d7bb..8cfca173d4bca46fab5c121be80d070858aaa0c6 100644 (file)
@@ -31,6 +31,7 @@ Currently, these files are in /proc/sys/vm:
 - min_unmapped_ratio
 - min_slab_ratio
 - panic_on_oom
+- mmap_min_address
 
 ==============================================================
 
@@ -216,3 +217,17 @@ above-mentioned.
 The default value is 0.
 1 and 2 are for failover of clustering. Please select either
 according to your policy of failover.
+
+==============================================================
+
+mmap_min_addr
+
+This file indicates the amount of address space  which a user process will
+be restricted from mmaping.  Since kernel null dereference bugs could
+accidentally operate based on the information in the first couple of pages
+of memory userspace processes should not be allowed to write to them.  By
+default this value is set to 0 and no protections will be enforced by the
+security module.  Setting this value to something like 64k will allow the
+vast majority of applications to work correctly and provide defense in depth
+against future potential kernel bugs.
+
index 9eb9e0fe03312614b8702e0435c1604b928e4190..c11dc8aa0351e25be90e967a59d4f93b0f5e73b0 100644 (file)
@@ -71,6 +71,7 @@ struct xfrm_user_sec_ctx;
 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
 extern int cap_netlink_recv(struct sk_buff *skb, int cap);
 
+extern unsigned long mmap_min_addr;
 /*
  * Values used in the task_security_ops calls
  */
@@ -1241,8 +1242,9 @@ struct security_operations {
        int (*file_ioctl) (struct file * file, unsigned int cmd,
                           unsigned long arg);
        int (*file_mmap) (struct file * file,
-                         unsigned long reqprot,
-                         unsigned long prot, unsigned long flags);
+                         unsigned long reqprot, unsigned long prot,
+                         unsigned long flags, unsigned long addr,
+                         unsigned long addr_only);
        int (*file_mprotect) (struct vm_area_struct * vma,
                              unsigned long reqprot,
                              unsigned long prot);
@@ -1814,9 +1816,12 @@ static inline int security_file_ioctl (struct file *file, unsigned int cmd,
 
 static inline int security_file_mmap (struct file *file, unsigned long reqprot,
                                      unsigned long prot,
-                                     unsigned long flags)
+                                     unsigned long flags,
+                                     unsigned long addr,
+                                     unsigned long addr_only)
 {
-       return security_ops->file_mmap (file, reqprot, prot, flags);
+       return security_ops->file_mmap (file, reqprot, prot, flags, addr,
+                                       addr_only);
 }
 
 static inline int security_file_mprotect (struct vm_area_struct *vma,
@@ -2489,7 +2494,9 @@ static inline int security_file_ioctl (struct file *file, unsigned int cmd,
 
 static inline int security_file_mmap (struct file *file, unsigned long reqprot,
                                      unsigned long prot,
-                                     unsigned long flags)
+                                     unsigned long flags,
+                                     unsigned long addr,
+                                     unsigned long addr_only)
 {
        return 0;
 }
index 51f5dac42a00c9f56943a44b7d1865f604d84bde..d93e13d93f24c0c25d0bfc9cfe4944cd239fc10f 100644 (file)
@@ -949,6 +949,16 @@ static ctl_table vm_table[] = {
                .strategy       = &sysctl_jiffies,
        },
 #endif
+#ifdef CONFIG_SECURITY
+       {
+               .ctl_name       = CTL_UNNUMBERED,
+               .procname       = "mmap_min_addr",
+               .data           = &mmap_min_addr,
+               .maxlen         = sizeof(unsigned long),
+               .mode           = 0644,
+               .proc_handler   = &proc_doulongvec_minmax,
+       },
+#endif
 #if defined(CONFIG_X86_32) || \
    (defined(CONFIG_SUPERH) && defined(CONFIG_VSYSCALL))
        {
index 906ed402f7cabda336a73d6d0d297b862b0d2932..9f70c8e8c871c272047fdc4c969f285299b58926 100644 (file)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1023,10 +1023,10 @@ unsigned long do_mmap_pgoff(struct file * file, unsigned long addr,
                }
        }
 
-       error = security_file_mmap(file, reqprot, prot, flags);
+       error = security_file_mmap(file, reqprot, prot, flags, addr, 0);
        if (error)
                return error;
-               
+
        /* Clear old maps */
        error = -ENOMEM;
 munmap_back:
index 5d4bd4f95b8e5ef28f269f604b61d133f341d27b..bc7c52efc71bb1d5dddded25b836c4b842a54edf 100644 (file)
@@ -291,6 +291,10 @@ unsigned long do_mremap(unsigned long addr,
                if ((addr <= new_addr) && (addr+old_len) > new_addr)
                        goto out;
 
+               ret = security_file_mmap(0, 0, 0, 0, new_addr, 1);
+               if (ret)
+                       goto out;
+
                ret = do_munmap(mm, new_addr, new_len);
                if (ret)
                        goto out;
@@ -390,8 +394,13 @@ unsigned long do_mremap(unsigned long addr,
 
                        new_addr = get_unmapped_area(vma->vm_file, 0, new_len,
                                                vma->vm_pgoff, map_flags);
-                       ret = new_addr;
-                       if (new_addr & ~PAGE_MASK)
+                       if (new_addr & ~PAGE_MASK) {
+                               ret = new_addr;
+                               goto out;
+                       }
+
+                       ret = security_file_mmap(0, 0, 0, 0, new_addr, 1);
+                       if (ret)
                                goto out;
                }
                ret = move_vma(vma, addr, old_len, new_len, new_addr);
index 2b16b00a5b115be2c13897aab5763562312ecb84..989e2e9af5c3adc42cb250409a4b7249288e0df7 100644 (file)
@@ -639,7 +639,7 @@ static int validate_mmap_request(struct file *file,
        }
 
        /* allow the security API to have its say */
-       ret = security_file_mmap(file, reqprot, prot, flags);
+       ret = security_file_mmap(file, reqprot, prot, flags, addr, 0);
        if (ret < 0)
                return ret;
 
index 8ffd76405b5b69f0b61057be0ffc3fb2af6adb6a..d6a112ce2975c847390fed605ade3d532f4fe03a 100644 (file)
@@ -420,8 +420,12 @@ static int dummy_file_ioctl (struct file *file, unsigned int command,
 
 static int dummy_file_mmap (struct file *file, unsigned long reqprot,
                            unsigned long prot,
-                           unsigned long flags)
+                           unsigned long flags,
+                           unsigned long addr,
+                           unsigned long addr_only)
 {
+       if (addr < mmap_min_addr)
+               return -EACCES;
        return 0;
 }
 
index fc8601b2b7acabde473cc86a0fdc4b342a00e97a..024484fc59b0a5b7d22f190a1a3a755cd1dc3dab 100644 (file)
@@ -24,6 +24,7 @@ extern struct security_operations dummy_security_ops;
 extern void security_fixup_ops(struct security_operations *ops);
 
 struct security_operations *security_ops;      /* Initialized to NULL */
+unsigned long mmap_min_addr;           /* 0 means no protection */
 
 static inline int verify(struct security_operations *ops)
 {
@@ -176,4 +177,5 @@ EXPORT_SYMBOL_GPL(register_security);
 EXPORT_SYMBOL_GPL(unregister_security);
 EXPORT_SYMBOL_GPL(mod_reg_security);
 EXPORT_SYMBOL_GPL(mod_unreg_security);
+EXPORT_SYMBOL_GPL(mmap_min_addr);
 EXPORT_SYMBOL(security_ops);
index b29059ecc04526648785c932b4455666579e25de..78c3f98fcdcfa94b2bf72a2bbcc7158b11756eba 100644 (file)
@@ -2569,12 +2569,16 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
 }
 
 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
-                            unsigned long prot, unsigned long flags)
+                            unsigned long prot, unsigned long flags,
+                            unsigned long addr, unsigned long addr_only)
 {
-       int rc;
+       int rc = 0;
+       u32 sid = ((struct task_security_struct*)(current->security))->sid;
 
-       rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
-       if (rc)
+       if (addr < mmap_min_addr)
+               rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
+                                 MEMPROTECT__MMAP_ZERO, NULL);
+       if (rc || addr_only)
                return rc;
 
        if (selinux_checkreqprot)
index b83e74012a979ee8bc935921fa686496fd82f681..049bf69429b66d2566abc5bb063c19fc41647095 100644 (file)
    S_(SECCLASS_KEY, KEY__CREATE, "create")
    S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
    S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
+   S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
index 5fee1735bffe423d78cb559e1cb3ee529b6ced5f..eda89a2ec635db3ec67e546af97cd5d76dedc565 100644 (file)
 #define DCCP_SOCKET__NAME_BIND                    0x00200000UL
 #define DCCP_SOCKET__NODE_BIND                    0x00400000UL
 #define DCCP_SOCKET__NAME_CONNECT                 0x00800000UL
+#define MEMPROTECT__MMAP_ZERO                     0x00000001UL
index 3787990684418f540974541d3c6b68078b4c72c4..e77de0e62ea0e00deae7c92822d61b5ba9e82ce0 100644 (file)
@@ -63,3 +63,4 @@
     S_("key")
     S_(NULL)
     S_("dccp_socket")
+    S_("memprotect")
index 35f309f478731aa0ea116c81055cdfd72a77460f..a9c2b20f14b5c0584085180c272875453b9796c9 100644 (file)
@@ -49,6 +49,7 @@
 #define SECCLASS_PACKET                                  57
 #define SECCLASS_KEY                                     58
 #define SECCLASS_DCCP_SOCKET                             60
+#define SECCLASS_MEMPROTECT                              61
 
 /*
  * Security identifier indices for initial entities