[rsbac] RSBAC mprotect

Javier Juan Martínez Cabezón tazok at rsbac.org
Fri Aug 5 20:26:05 CEST 2016


PS: Is RSBAC mprotect supposed to include pageexec, or does it rely on the NX bit being active?

On 05/08/16 19:42, Javier Juan Martínez Cabezón wrote:
> 
> Amon, PaX is a derivative work of the standard Linux kernel, isn't it?
> Should it maintain the GPL license or not? For example, could you close
> the RSBAC kernel source code?
> 
> Have you talked with pipacs and spender? Maybe they could relicense the
> PaX source code to you for use with RSBAC.
> 
> I think the trouble for spender and pipacs was that one grsec user, a
> company making embedded devices, was supposed to implement grsecurity on
> an architecture that was not supported by standard grsecurity, and this
> company denied that its device was a new arch; spender and pipacs asked
> for the source code and didn't obtain it (something like this).
> 
> Damn, I like this new feature. Maybe it could be time to call it RSBAC
> 1.5 once it is stable. Maybe hooks to standard PaX with the standard PaX
> module could co-exist with a MPROTECT module if you decide to implement
> your own PaX version.
> 
> Do you have plans to extend the MPROTECT module to implement, for example,
> PageExec (maybe using SCD NONE EXECUTE), UDEREF, etc.?
> 
> On 03/08/16 17:07, Amon Ott wrote:
>> On 18.07.2016 at 11:44, Amon Ott wrote:
>>> We now have prepatched kernel 4.4 source code at
>>> https://git.m-privacy.de/linux-mprivacy-4.4.git/
>>>
>>> Unfortunately, the PaX licensing has changed. This means that we cannot
>>> provide any new prepatched kernels with both RSBAC and PaX. The 4.4
>>> kernel is already without PaX and 4.1 will not go beyond 4.1.21. Thanks
>>> to the PaX team for all the good work and good bye...
>>
>> As partial replacement I have extended RSBAC with a new feature called
>> "Prevent memory write and execute (mprotect)".
>>
>> If you enable the new kernel config switch CONFIG_RSBAC_MPROTECT in the
>> RSBAC menu, RSBAC will per default prevent process memory mappings from
>> having both EXEC and WRITE access (see man mprotect, man mmap, man
>> shmat), except for initial library (ELF DYN) mapping relocation.
>>
>> A new general (GEN) attribute allow_write_exec for PROCESS, FILE, DIR
>> (for inheritance) allows changing the behaviour. It can be set per
>> program or per mapped file. "false" means never allow, "true" always
>> allow, "relocate" means initial relocation allowed, "inherit" is for usual
>> inheritance from parent DIR.
>>
>> In my tests, only few programs required the "true" setting, e.g. Firefox
>> for its JIT compiler for JavaScript. The new debug switch
>> rsbac_debug_mprotect lets you watch the behaviour in the kernel log,
>> denied accesses are always logged at info level. All paxtest tests were
>> successful here.
>>
>> mprotect can be switched into individual softmode or completely off (and
>> back on) like decision modules, if enabled in kernel config, just use
>> MPROTECT as module name.
>>
>> All the code is in RSBAC 4.4 kernel git at git.rsbac.org, updated tools
>> are in rsbac-admin git. The version has been changed to 1.4.10 to
>> reflect the new functionality, but everything is compatible with older
>> versions. I have removed the mostly obsolete "DAC disable" feature so
>> that I could reuse its attribute space in the structures.
>>
>> I would welcome any feedback, but my answer might be delayed two weeks
>> because of upcoming holidays.
>>
>> Amon.
>>
> 
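
Added example, not part of the mailing-list message and not RSBAC code: a small scanner for `/proc/<pid>/maps` that flags mappings holding both write and exec permission, the combination the quoted announcement says CONFIG_RSBAC_MPROTECT prevents by default. Treating a flagged program as a candidate for an `allow_write_exec` exception is an assumption of this example, and the sample maps text is constructed.

```c
/* Added example: flag mappings that are writable and executable at once. */
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not from a real system). */
static const char SAMPLE_MAPS[] =
    "00400000-0040c000 r-xp 00000000 08:01 131 /usr/bin/example\n"
    "0060c000-0060d000 rw-p 0000c000 08:01 131 /usr/bin/example\n"
    "7f10a0000000-7f10a0021000 rwxp 00000000 00:00 0 \n"
    "7f10a4200000-7f10a4201000 rwxs 00000000 00:05 98 /SYSV00000000 (deleted)\n"
    "7ffc1b2e0000-7ffc1b301000 rw-p 00000000 00:00 0 [stack]\n";

/* 1 if a maps line ("start-end perms offset dev inode [path]") is W+X. */
static int line_is_wx(const char *line)
{
    char perms[5];
    if (sscanf(line, "%*[0-9a-fA-F]-%*[0-9a-fA-F] %4s", perms) != 1)
        return 0;
    return strlen(perms) == 4 && perms[1] == 'w' && perms[2] == 'x';
}

/* Counts W+X mappings in a maps-format buffer; prints hits if report != 0. */
static int count_wx(const char *text, int report)
{
    int hits = 0;
    while (*text) {
        char line[512];
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, text, n);
        line[n] = '\0';
        if (line_is_wx(line) && ++hits && report)
            printf("W+X: %s\n", line);
        text += len + (text[len] == '\n');
    }
    return hits;
}

/* Usage: ./wxscan <pid>   (no argument: scan the constructed sample) */
int main(int argc, char **argv)
{
    char path[64], line[512];
    int hits = 0;
    FILE *f;
    if (argc < 2)
        return count_wx(SAMPLE_MAPS, 1) == 2 ? 0 : 1;
    snprintf(path, sizeof path, "/proc/%s/maps", argv[1]);
    if (!(f = fopen(path, "r"))) { perror(path); return 2; }
    while (fgets(line, sizeof line, f))
        if (line_is_wx(line)) { hits++; printf("W+X: %s", line); }
    fclose(f);
    printf("%d W+X mapping(s) in pid %s\n", hits, argv[1]);
    return 0;
}
```

A scan sees only the mappings that exist at that moment, so short-lived write+exec requests still have to be found in the kernel log that the announcement describes.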
