diff options
| author | Kees Cook <keescook@chromium.org> | 2016-10-28 04:22:25 -0400 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2017-06-30 15:00:51 -0400 |
| commit | 3859a271a003aba01e45b85c9d8b355eb7bf25f9 (patch) | |
| tree | 850c019e6a6449857e864b6a545b053ffe2f99a9 /include/linux/fs.h | |
| parent | ffa47aa678cfaa9b88e8a26cfb115b4768325121 (diff) | |
randstruct: Mark various structs for randomization
This marks many critical kernel structures for randomization. These are
structures that have been targeted in the past in security exploits, or
contain functions pointers, pointers to function pointer tables, lists,
workqueues, ref-counters, credentials, permissions, or are otherwise
sensitive. This initial list was extracted from Brad Spengler/PaX Team's
code in the last public patch of grsecurity/PaX based on my understanding
of the code. Changes or omissions from the original code are mine and
don't reflect the original grsecurity/PaX code.
Left out of this list is task_struct, which requires special handling
and will be covered in a subsequent patch.
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'include/linux/fs.h')
| -rw-r--r-- | include/linux/fs.h | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/include/linux/fs.h b/include/linux/fs.h index 803e5a9b2654..8f28143486c4 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h | |||
| @@ -275,7 +275,7 @@ struct kiocb { | |||
| 275 | void (*ki_complete)(struct kiocb *iocb, long ret, long ret2); | 275 | void (*ki_complete)(struct kiocb *iocb, long ret, long ret2); |
| 276 | void *private; | 276 | void *private; |
| 277 | int ki_flags; | 277 | int ki_flags; |
| 278 | }; | 278 | } __randomize_layout; |
| 279 | 279 | ||
| 280 | static inline bool is_sync_kiocb(struct kiocb *kiocb) | 280 | static inline bool is_sync_kiocb(struct kiocb *kiocb) |
| 281 | { | 281 | { |
| @@ -392,7 +392,7 @@ struct address_space { | |||
| 392 | gfp_t gfp_mask; /* implicit gfp mask for allocations */ | 392 | gfp_t gfp_mask; /* implicit gfp mask for allocations */ |
| 393 | struct list_head private_list; /* ditto */ | 393 | struct list_head private_list; /* ditto */ |
| 394 | void *private_data; /* ditto */ | 394 | void *private_data; /* ditto */ |
| 395 | } __attribute__((aligned(sizeof(long)))); | 395 | } __attribute__((aligned(sizeof(long)))) __randomize_layout; |
| 396 | /* | 396 | /* |
| 397 | * On most architectures that alignment is already the case; but | 397 | * On most architectures that alignment is already the case; but |
| 398 | * must be enforced here for CRIS, to let the least significant bit | 398 | * must be enforced here for CRIS, to let the least significant bit |
| @@ -435,7 +435,7 @@ struct block_device { | |||
| 435 | int bd_fsfreeze_count; | 435 | int bd_fsfreeze_count; |
| 436 | /* Mutex for freeze */ | 436 | /* Mutex for freeze */ |
| 437 | struct mutex bd_fsfreeze_mutex; | 437 | struct mutex bd_fsfreeze_mutex; |
| 438 | }; | 438 | } __randomize_layout; |
| 439 | 439 | ||
| 440 | /* | 440 | /* |
| 441 | * Radix-tree tags, for tagging dirty and writeback pages within the pagecache | 441 | * Radix-tree tags, for tagging dirty and writeback pages within the pagecache |
| @@ -653,7 +653,7 @@ struct inode { | |||
| 653 | #endif | 653 | #endif |
| 654 | 654 | ||
| 655 | void *i_private; /* fs or device private pointer */ | 655 | void *i_private; /* fs or device private pointer */ |
| 656 | }; | 656 | } __randomize_layout; |
| 657 | 657 | ||
| 658 | static inline unsigned int i_blocksize(const struct inode *node) | 658 | static inline unsigned int i_blocksize(const struct inode *node) |
| 659 | { | 659 | { |
| @@ -868,7 +868,8 @@ struct file { | |||
| 868 | struct list_head f_tfile_llink; | 868 | struct list_head f_tfile_llink; |
| 869 | #endif /* #ifdef CONFIG_EPOLL */ | 869 | #endif /* #ifdef CONFIG_EPOLL */ |
| 870 | struct address_space *f_mapping; | 870 | struct address_space *f_mapping; |
| 871 | } __attribute__((aligned(4))); /* lest something weird decides that 2 is OK */ | 871 | } __randomize_layout |
| 872 | __attribute__((aligned(4))); /* lest something weird decides that 2 is OK */ | ||
| 872 | 873 | ||
| 873 | struct file_handle { | 874 | struct file_handle { |
| 874 | __u32 handle_bytes; | 875 | __u32 handle_bytes; |
| @@ -1005,7 +1006,7 @@ struct file_lock { | |||
| 1005 | int state; /* state of grant or error if -ve */ | 1006 | int state; /* state of grant or error if -ve */ |
| 1006 | } afs; | 1007 | } afs; |
| 1007 | } fl_u; | 1008 | } fl_u; |
| 1008 | }; | 1009 | } __randomize_layout; |
| 1009 | 1010 | ||
| 1010 | struct file_lock_context { | 1011 | struct file_lock_context { |
| 1011 | spinlock_t flc_lock; | 1012 | spinlock_t flc_lock; |
| @@ -1404,7 +1405,7 @@ struct super_block { | |||
| 1404 | 1405 | ||
| 1405 | spinlock_t s_inode_wblist_lock; | 1406 | spinlock_t s_inode_wblist_lock; |
| 1406 | struct list_head s_inodes_wb; /* writeback inodes */ | 1407 | struct list_head s_inodes_wb; /* writeback inodes */ |
| 1407 | }; | 1408 | } __randomize_layout; |
| 1408 | 1409 | ||
| 1409 | /* Helper functions so that in most cases filesystems will | 1410 | /* Helper functions so that in most cases filesystems will |
| 1410 | * not need to deal directly with kuid_t and kgid_t and can | 1411 | * not need to deal directly with kuid_t and kgid_t and can |
| @@ -1690,7 +1691,7 @@ struct file_operations { | |||
| 1690 | u64); | 1691 | u64); |
| 1691 | ssize_t (*dedupe_file_range)(struct file *, u64, u64, struct file *, | 1692 | ssize_t (*dedupe_file_range)(struct file *, u64, u64, struct file *, |
| 1692 | u64); | 1693 | u64); |
| 1693 | }; | 1694 | } __randomize_layout; |
| 1694 | 1695 | ||
| 1695 | struct inode_operations { | 1696 | struct inode_operations { |
| 1696 | struct dentry * (*lookup) (struct inode *,struct dentry *, unsigned int); | 1697 | struct dentry * (*lookup) (struct inode *,struct dentry *, unsigned int); |