[rsbac] RSBAC mprotect

Javier Juan Martínez Cabezón tazok at rsbac.org
Fri Aug 5 19:42:06 CEST 2016


Amon, PaX is a derivative work of a standard Linux kernel, isn't it? Should
it maintain the GPL license or not? For example, could you close the
rsbac kernel source code?

Have you talked with pipacs and spender? Maybe they could relicense the
PaX source code to you for use with rsbac.

I think the trouble for spender and pipacs was that one grsec user, an
embedded devices company, was supposed to implement grsecurity in an
architecture that was not supported by standard grsecurity, and this
company denied that its device was a new arch; spender and pipacs asked
for source code and didn't obtain it (something like this).

Damn, I like this new feature. Maybe it could be time to call rsbac 1.5
when it is stable. Maybe hooks to standard PaX with the
standard PaX module and one MPROTECT module could co-exist, if you decide
to implement your own PaX version.

Do you have plans to extend the MPROTECT module to implement, for example,
PageExec (maybe using SCD NONE EXECUTE), UDEREF, etc.?

On 03/08/16 17:07, Amon Ott wrote:
> Am 18.07.2016 um 11:44 schrieb Amon Ott:
>> We now have prepatched kernel 4.4 source code at
>> https://git.m-privacy.de/linux-mprivacy-4.4.git/
>>
>> Unfortunately, the PaX licensing has changed. This means that we cannot
>> provide any new prepatched kernels with both RSBAC and PaX. The 4.4
>> kernel is already without PaX and 4.1 will not go beyond 4.1.21. Thanks
>> to the PaX team for all the good work and good bye...
> 
> As partial replacement I have extended RSBAC with a new feature called
> "Prevent memory write and execute (mprotect)".
> 
> If you enable the new kernel config switch CONFIG_RSBAC_MPROTECT in the
> RSBAC menu, RSBAC will by default prevent process memory mappings from
> having both EXEC and WRITE access (see man mprotect, man mmap, man
> shmat), except for initial library (ELF DYN) mapping relocation.
> 
> A new general (GEN) attribute allow_write_exec for PROCESS, FILE, DIR
> (for inheritance) allows changing the behaviour. It can be set per
> program or per mapped file. "false" means never allow, "true" always
> allow, "relocate" means initial relocation allowed, "inherit" is for usual
> inheritance from parent DIR.
> 
> In my tests, only a few programs required the "true" setting, e.g. Firefox
> for its JIT compiler for JavaScript. The new debug switch
> rsbac_debug_mprotect lets you watch the behaviour in the kernel log,
> denied accesses are always logged at info level. All paxtest tests were
> successful here.
> 
> mprotect can be switched into individual softmode or completely off (and
> back on) like decision modules, if enabled in kernel config, just use
> MPROTECT as module name.
> 
> All the code is in RSBAC 4.4 kernel git at git.rsbac.org, updated tools
> are in rsbac-admin git. The version has been changed to 1.4.10 to
> reflect the new functionality, but everything is compatible with older
> versions. I have removed the mostly obsolete "DAC disable" feature so
> that I could reuse its attribute space in the structures.
> 
> I would welcome any feedback, but my answer might be delayed two weeks
> because of upcoming holidays.
> 
> Amon.
> 
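
A small probe for checking the rule described in the quoted announcement on a running kernel. This is an added example, not code from RSBAC, rsbac-admin or paxtest. It assumes that a refused mapping shows up as a failed mmap() or mprotect() call; the errno a refusal carries is not stated in the message, so the probe prints whatever the kernel returns.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define RW  (PROT_READ | PROT_WRITE)
#define RX  (PROT_READ | PROT_EXEC)
#define RWX (PROT_READ | PROT_WRITE | PROT_EXEC)

/* Map one anonymous page with `initial` protection and, if `final` differs,
 * try to switch it with mprotect(). Returns 1 if the kernel allowed every
 * step, 0 if it refused one; *err then holds the errno of the refusal. */
int probe(int initial, int final, int *err)
{
    long ps = sysconf(_SC_PAGESIZE);
    size_t len = ps > 0 ? (size_t)ps : 4096;
    int allowed = 1;

    *err = 0;
    void *p = mmap(NULL, len, initial, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;
        return 0;
    }
    if (final != initial && mprotect(p, len, final) != 0) {
        *err = errno;
        allowed = 0;
    }
    munmap(p, len);
    return allowed;
}

int main(void)
{
    static const struct { const char *name; int initial, final; } cases[] = {
        { "baseline: mmap RW (must always work)", RW,  RW  },
        { "mmap RWX directly",                    RWX, RWX },
        { "mmap RW, mprotect to RWX",             RW,  RWX },
        { "mmap RX, mprotect to RWX",             RX,  RWX },
        { "mmap RW, mprotect to RX (never W+X)",  RW,  RX  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int err, ok = probe(cases[i].initial, cases[i].final, &err);
        printf("%-40s %s%s%s\n", cases[i].name, ok ? "allowed" : "DENIED",
               ok ? "" : ": ", ok ? "" : strerror(err));
    }
    return 0;
}
```

The three RWX cases are the ones that put WRITE and EXEC on the same mapping. The last case never holds both at once, so it shows whether a restriction on the test machine goes further than the rule as stated.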


