Security/SELinux: seperate lsm specific mmap_min_addr

Currently SELinux enforcement of controls on the ability to map low memory is determined by the mmap_min_addr tunable. This patch causes SELinux to ignore the tunable and instead use a seperate Kconfig option specific to how much space the LSM should protect. The tunable will now only control the need for CAP_SYS_RAWIO and SELinux permissions will always protect the amount of low memory designated by CONFIG_LSM_MMAP_MIN_ADDR. This allows users who need to disable the mmap_min_addr controls (usual reason being they run WINE as a non-root user) to do so and still have SELinux controls preventing confined domains (like a web server) from being able to map some area of low memory. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Eric Paris <eparis@redhat.com> 2009-07-31 12:54:11 -0400
committer: James Morris <jmorris@namei.org> 2009-08-05 19:02:23 -0400
commit: a2551df7ec568d87793d2eea4ca744e86318f205 (patch)
tree: 3bdd4257bf757d9d1d64d9d7aa10cd144cd3a657 /security
parent: 84336d1a77ccd2c06a730ddd38e695c2324a7386 (diff)
5 files changed, 68 insertions, 3 deletions
diff --git a/security/Kconfig b/security/Kconfig
index d23c839038f0..9c60c346a91d 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -113,6 +113,22 @@ config SECURITY_ROOTPLUG
          If you are unsure how to answer this question, answer N.
+config LSM_MMAP_MIN_ADDR
+        int "Low address space for LSM to from user allocation"
+        depends on SECURITY && SECURITY_SELINUX
+        default 65535
+        help
+          This is the portion of low virtual memory which should be protected
+          from userspace allocation.  Keeping a user from writing to low pages
+          can help reduce the impact of kernel NULL pointer bugs.
+          For most ia64, ppc64 and x86 users with lots of address space
+          a value of 65536 is reasonable and should cause no problems.
+          On arm and other archs it should not be higher than 32768.
+          Programs which use vm86 functionality or have some need to map
+          this low address space will need the permission specific to the
+          systems running LSM.
 source security/selinux/Kconfig
 source security/smack/Kconfig
 source security/tomoyo/Kconfig
diff --git a/security/Makefile b/security/Makefile
index c67557cdaa85..b56e7f9ecbc2 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -8,7 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK)		+= smack
 subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
 # always enable default capabilities
-obj-y           += commoncap.o
+obj-y           += commoncap.o min_addr.o
 # Object file lists
 obj-$(CONFIG_SECURITY)                  += security.o capability.o
diff --git a/security/commoncap.c b/security/commoncap.c
index 3852e9432801..fe30751a6cd9 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1005,7 +1005,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
 {
        int ret = 0;
-        if (addr < mmap_min_addr) {
+        if (addr < dac_mmap_min_addr) {
                ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
                                  SECURITY_CAP_AUDIT);
                /* set PF_SUPERPRIV if it turns out we allow the low mmap */
diff --git a/security/min_addr.c b/security/min_addr.c
new file mode 100644
index 000000000000..14cc7b3b8d03
--- /dev/null
+++ b/security/min_addr.c
@@ -0,0 +1,49 @@
+#include <linux/init.h>
+#include <linux/mm.h>
+#include <linux/security.h>
+#include <linux/sysctl.h>
+/* amount of vm to protect from userspace access by both DAC and the LSM*/
+unsigned long mmap_min_addr;
+/* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
+unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
+/* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
+/*
+ * Update mmap_min_addr = max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR)
+ */
+static void update_mmap_min_addr(void)
+{
+#ifdef CONFIG_LSM_MMAP_MIN_ADDR
+        if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
+                mmap_min_addr = dac_mmap_min_addr;
+        else
+                mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
+#else
+        mmap_min_addr = dac_mmap_min_addr;
+#endif
+}
+/*
+ * sysctl handler which just sets dac_mmap_min_addr = the new value and then
+ * calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly
+ */
+int mmap_min_addr_handler(struct ctl_table *table, int write, struct file *filp,
+                          void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+        int ret;
+        ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos);
+        update_mmap_min_addr();
+        return ret;
+}
+int __init init_mmap_min_addr(void)
+{
+        update_mmap_min_addr();
+        return 0;
+}
+pure_initcall(init_mmap_min_addr);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8a78f584f46e..5dee88362e71 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3040,7 +3040,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
         * at bad behaviour/exploit that we always want to get the AVC, even
         * if DAC would have also denied the operation.
         */
-        if (addr < mmap_min_addr) {
+        if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
                rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
                                  MEMPROTECT__MMAP_ZERO, NULL);
                if (rc)
author	Eric Paris <eparis@redhat.com>	2009-07-31 12:54:11 -0400
committer	James Morris <jmorris@namei.org>	2009-08-05 19:02:23 -0400
commit	a2551df7ec568d87793d2eea4ca744e86318f205 (patch)
tree	3bdd4257bf757d9d1d64d9d7aa10cd144cd3a657 /security
parent	84336d1a77ccd2c06a730ddd38e695c2324a7386 (diff)

diff --git a/security/Kconfig b/security/Kconfig index d23c839038f0..9c60c346a91d 100644 --- a/security/Kconfig +++ b/security/Kconfig
@@ -113,6 +113,22 @@ config SECURITY_ROOTPLUG
113		113
114	If you are unsure how to answer this question, answer N.	114	If you are unsure how to answer this question, answer N.
115		115
		116	config LSM_MMAP_MIN_ADDR
		117	int "Low address space for LSM to from user allocation"
		118	depends on SECURITY && SECURITY_SELINUX
		119	default 65535
		120	help
		121	This is the portion of low virtual memory which should be protected
		122	from userspace allocation. Keeping a user from writing to low pages
		123	can help reduce the impact of kernel NULL pointer bugs.
		124
		125	For most ia64, ppc64 and x86 users with lots of address space
		126	a value of 65536 is reasonable and should cause no problems.
		127	On arm and other archs it should not be higher than 32768.
		128	Programs which use vm86 functionality or have some need to map
		129	this low address space will need the permission specific to the
		130	systems running LSM.
		131
116	source security/selinux/Kconfig	132	source security/selinux/Kconfig
117	source security/smack/Kconfig	133	source security/smack/Kconfig
118	source security/tomoyo/Kconfig	134	source security/tomoyo/Kconfig


diff --git a/security/Makefile b/security/Makefile index c67557cdaa85..b56e7f9ecbc2 100644 --- a/security/Makefile +++ b/security/Makefile
@@ -8,7 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack
8	subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo	8	subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
9		9
10	# always enable default capabilities	10	# always enable default capabilities
11	obj-y += commoncap.o	11	obj-y += commoncap.o min_addr.o
12		12
13	# Object file lists	13	# Object file lists
14	obj-$(CONFIG_SECURITY) += security.o capability.o	14	obj-$(CONFIG_SECURITY) += security.o capability.o


diff --git a/security/commoncap.c b/security/commoncap.c index 3852e9432801..fe30751a6cd9 100644 --- a/security/commoncap.c +++ b/security/commoncap.c
@@ -1005,7 +1005,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
1005	{	1005	{
1006	int ret = 0;	1006	int ret = 0;
1007		1007
1008	if (addr < mmap_min_addr) {	1008	if (addr < dac_mmap_min_addr) {
1009	ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,	1009	ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
1010	SECURITY_CAP_AUDIT);	1010	SECURITY_CAP_AUDIT);
1011	/* set PF_SUPERPRIV if it turns out we allow the low mmap */	1011	/* set PF_SUPERPRIV if it turns out we allow the low mmap */


diff --git a/security/min_addr.c b/security/min_addr.c new file mode 100644 index 000000000000..14cc7b3b8d03 --- /dev/null +++ b/security/min_addr.c
@@ -0,0 +1,49 @@
		1	#include <linux/init.h>
		2	#include <linux/mm.h>
		3	#include <linux/security.h>
		4	#include <linux/sysctl.h>
		5
		6	/* amount of vm to protect from userspace access by both DAC and the LSM*/
		7	unsigned long mmap_min_addr;
		8	/* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
		9	unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
		10	/* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
		11
		12	/*
		13	* Update mmap_min_addr = max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR)
		14	*/
		15	static void update_mmap_min_addr(void)
		16	{
		17	#ifdef CONFIG_LSM_MMAP_MIN_ADDR
		18	if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
		19	mmap_min_addr = dac_mmap_min_addr;
		20	else
		21	mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
		22	#else
		23	mmap_min_addr = dac_mmap_min_addr;
		24	#endif
		25	}
		26
		27	/*
		28	* sysctl handler which just sets dac_mmap_min_addr = the new value and then
		29	* calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly
		30	*/
		31	int mmap_min_addr_handler(struct ctl_table table, int write, struct file filp,
		32	void __user buffer, size_t lenp, loff_t *ppos)
		33	{
		34	int ret;
		35
		36	ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos);
		37
		38	update_mmap_min_addr();
		39
		40	return ret;
		41	}
		42
		43	int __init init_mmap_min_addr(void)
		44	{
		45	update_mmap_min_addr();
		46
		47	return 0;
		48	}
		49	pure_initcall(init_mmap_min_addr);


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8a78f584f46e..5dee88362e71 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -3040,7 +3040,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3040	* at bad behaviour/exploit that we always want to get the AVC, even	3040	* at bad behaviour/exploit that we always want to get the AVC, even
3041	* if DAC would have also denied the operation.	3041	* if DAC would have also denied the operation.
3042	*/	3042	*/
3043	if (addr < mmap_min_addr) {	3043	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3044	rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,	3044	rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3045	MEMPROTECT__MMAP_ZERO, NULL);	3045	MEMPROTECT__MMAP_ZERO, NULL);
3046	if (rc)	3046	if (rc)