[rsbac] PROT_EXEC PROT_WRITE
Javier Juan Martínez Cabezón
tazok.id0 at gmail.com
Sat Oct 8 00:36:00 CEST 2011
Hi
I think it would be a good idea to split the MAP_EXEC request into two
requests, MAP_EXEC for EXEC-only mappings and MAP_WRITE for write-only
mappings; with this I think we could get the W or X or mprotect PaX facility
implemented in RC or ACL as fully integrated requests. In case both are
required, everyone could grant both (Java and a few more..., nothing important
though).
I think every PROT_EXEC right should be granted only to T_FILE
targets, and PROT_WRITE to T_NONE. I think the changes wouldn't be so heavy,
don't you think?
from mprotect.c:
MAP_EXEC||MAP_WRITE
#ifdef CONFIG_RSBAC
        if ((prot & PROT_EXEC) && !(vma->vm_flags & PROT_EXEC))
        {
            rsbac_pr_debug(aef, "calling ADF\n");
            if (vma->vm_file) {
                rsbac_target = T_FILE;
                rsbac_target_id.file.device =
                    vma->vm_file->f_dentry->d_inode->i_sb->s_dev;
                rsbac_target_id.file.inode =
                    vma->vm_file->f_dentry->d_inode->i_ino;
                rsbac_target_id.file.dentry_p =
                    vma->vm_file->f_dentry;
            } else {
                rsbac_target = T_NONE;
                rsbac_target_id.dummy = 0;
            }
            rsbac_attribute_value.prot_bits = prot;
            if (!rsbac_adf_request(R_MAP_EXEC,
                                   task_pid(current),
                                   rsbac_target,
                                   rsbac_target_id,
                                   A_prot_bits,
                                   rsbac_attribute_value))
            {
                rsbac_pr_debug(aef, "request NOT_GRANTED\n");
                error = -EPERM;
                goto out;
            } else
                need_notify = TRUE;
        }
#endif

        tmp = vma->vm_end;
        if (tmp > end)
            tmp = end;
        error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
        if (error)
            goto out;
        nstart = tmp;

        if (nstart < prev->vm_end)
            nstart = prev->vm_end;
        if (nstart >= end)
            goto out;

        vma = prev->vm_next;
        if (!vma || vma->vm_start != nstart) {
            error = -ENOMEM;
            goto out;
        }
    }
out:
    up_write(&current->mm->mmap_sem);

    /* RSBAC: notify ADF of mapped segment */
#ifdef CONFIG_RSBAC
    if (need_notify && !error) {
        union rsbac_target_id_t rsbac_new_target_id;

        rsbac_pr_debug(aef, "calling ADF_set_attr\n");
        rsbac_new_target_id.dummy = 0;
        if (rsbac_adf_set_attr(R_MAP_EXEC,
                               task_pid(current),
                               rsbac_target,
                               rsbac_target_id,
                               T_NONE,
                               rsbac_new_target_id,
                               A_none,
                               rsbac_attribute_value))
        {
            rsbac_printk(KERN_WARNING
                         "sys_mprotect: rsbac_adf_set_attr() returned error\n");
        }
    }
#endif

    return error;
Amon, Kang, Michal, is it hard to implement, as requests and under complete
control of RSBAC, some functionality of PaX such as the one above?
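Added example, not part of the original post and not RSBAC code: a user-space C model of the split proposed above, with one request per protection bit newly added by mprotect(). `R_MAP_WRITE`, `requests_for`, `policy_granted` and `check_mprotect` are hypothetical names, and the sample policy follows the post's wording (exec granted only on T_FILE, write only on T_NONE), so no single mapping can gain both bits.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>

/* Hypothetical model: R_MAP_WRITE does not exist in RSBAC, it is the proposed request. */
enum target { T_FILE, T_NONE };
enum request { R_MAP_EXEC = 1, R_MAP_WRITE = 2 };

/* One request per bit that the call adds, mirroring the existing
 * "(prot & PROT_EXEC) && !(vma->vm_flags & PROT_EXEC)" test in the excerpt. */
static int requests_for(int old_prot, int new_prot)
{
    int added = new_prot & ~old_prot;
    int reqs = 0;

    if (added & PROT_EXEC)
        reqs |= R_MAP_EXEC;
    if (added & PROT_WRITE)
        reqs |= R_MAP_WRITE;
    return reqs;
}

/* Sample policy as worded in the post: exec only for file-backed
 * mappings, write only for anonymous ones. */
static int policy_granted(enum request req, enum target tgt)
{
    return req == R_MAP_EXEC ? tgt == T_FILE : tgt == T_NONE;
}

/* Returns 0 when every raised request is granted, -EPERM otherwise. */
static int check_mprotect(int old_prot, int new_prot, enum target tgt)
{
    int reqs = requests_for(old_prot, new_prot);

    if ((reqs & R_MAP_EXEC) && !policy_granted(R_MAP_EXEC, tgt))
        return -EPERM;
    if ((reqs & R_MAP_WRITE) && !policy_granted(R_MAP_WRITE, tgt))
        return -EPERM;
    return 0;
}

int main(void)
{
    /* Constructed case: anonymous RW region asking for exec (JIT-style). */
    printf("anon RW -> RWX: %d\n",
           check_mprotect(PROT_READ | PROT_WRITE,
                          PROT_READ | PROT_WRITE | PROT_EXEC, T_NONE));
    return 0;
}
```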