6 files changed, 109 insertions, 11 deletions
diff --git a/security/Kconfig b/security/Kconfig
index d23c839038f0..9c60c346a91d 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -113,6 +113,22 @@ config SECURITY_ROOTPLUG
          If you are unsure how to answer this question, answer N.
+config LSM_MMAP_MIN_ADDR
+        int "Low address space for LSM to from user allocation"
+        depends on SECURITY && SECURITY_SELINUX
+        default 65535
+        help
+          This is the portion of low virtual memory which should be protected
+          from userspace allocation.  Keeping a user from writing to low pages
+          can help reduce the impact of kernel NULL pointer bugs.
+          For most ia64, ppc64 and x86 users with lots of address space
+          a value of 65536 is reasonable and should cause no problems.
+          On arm and other archs it should not be higher than 32768.
+          Programs which use vm86 functionality or have some need to map
+          this low address space will need the permission specific to the
+          systems running LSM.
 source security/selinux/Kconfig
 source security/smack/Kconfig
 source security/tomoyo/Kconfig
diff --git a/security/Makefile b/security/Makefile
index c67557cdaa85..b56e7f9ecbc2 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -8,7 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK)		+= smack
 subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
 # always enable default capabilities
-obj-y           += commoncap.o
+obj-y           += commoncap.o min_addr.o
 # Object file lists
 obj-$(CONFIG_SECURITY)                  += security.o capability.o
diff --git a/security/capability.c b/security/capability.c
index 21b6cead6a8e..88f752e8152c 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -330,15 +330,6 @@ static int cap_file_ioctl(struct file *file, unsigned int command,
        return 0;
 }
-static int cap_file_mmap(struct file *file, unsigned long reqprot,
-                         unsigned long prot, unsigned long flags,
-                         unsigned long addr, unsigned long addr_only)
-{
-        if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
-                return -EACCES;
-        return 0;
-}
 static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
                             unsigned long prot)
 {
diff --git a/security/commoncap.c b/security/commoncap.c
index 48b7e0228fa3..e3097c0a1311 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -984,3 +984,33 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
                cap_sys_admin = 1;
        return __vm_enough_memory(mm, pages, cap_sys_admin);
 }
+/*
+ * cap_file_mmap - check if able to map given addr
+ * @file: unused
+ * @reqprot: unused
+ * @prot: unused
+ * @flags: unused
+ * @addr: address attempting to be mapped
+ * @addr_only: unused
+ *
+ * If the process is attempting to map memory below mmap_min_addr they need
+ * CAP_SYS_RAWIO.  The other parameters to this function are unused by the
+ * capability security module.  Returns 0 if this mapping should be allowed
+ * -EPERM if not.
+ */
+int cap_file_mmap(struct file *file, unsigned long reqprot,
+                  unsigned long prot, unsigned long flags,
+                  unsigned long addr, unsigned long addr_only)
+{
+        int ret = 0;
+        if (addr < dac_mmap_min_addr) {
+                ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
+                                  SECURITY_CAP_AUDIT);
+                /* set PF_SUPERPRIV if it turns out we allow the low mmap */
+                if (ret == 0)
+                        current->flags |= PF_SUPERPRIV;
+        }
+        return ret;
+}
diff --git a/security/min_addr.c b/security/min_addr.c
new file mode 100644
index 000000000000..14cc7b3b8d03
--- /dev/null
+++ b/security/min_addr.c
@@ -0,0 +1,49 @@
+#include <linux/init.h>
+#include <linux/mm.h>
+#include <linux/security.h>
+#include <linux/sysctl.h>
+/* amount of vm to protect from userspace access by both DAC and the LSM*/
+unsigned long mmap_min_addr;
+/* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
+unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
+/* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
+/*
+ * Update mmap_min_addr = max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR)
+ */
+static void update_mmap_min_addr(void)
+{
+#ifdef CONFIG_LSM_MMAP_MIN_ADDR
+        if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
+                mmap_min_addr = dac_mmap_min_addr;
+        else
+                mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
+#else
+        mmap_min_addr = dac_mmap_min_addr;
+#endif
+}
+/*
+ * sysctl handler which just sets dac_mmap_min_addr = the new value and then
+ * calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly
+ */
+int mmap_min_addr_handler(struct ctl_table *table, int write, struct file *filp,
+                          void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+        int ret;
+        ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos);
+        update_mmap_min_addr();
+        return ret;
+}
+int __init init_mmap_min_addr(void)
+{
+        update_mmap_min_addr();
+        return 0;
+}
+pure_initcall(init_mmap_min_addr);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1e8cfc4c2ed6..8d8b69c5664e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3030,9 +3030,21 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
        int rc = 0;
        u32 sid = current_sid();
-        if (addr < mmap_min_addr)
+        /*
+         * notice that we are intentionally putting the SELinux check before
+         * the secondary cap_file_mmap check.  This is such a likely attempt
+         * at bad behaviour/exploit that we always want to get the AVC, even
+         * if DAC would have also denied the operation.
+         */
+        if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
                rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
                                  MEMPROTECT__MMAP_ZERO, NULL);
+                if (rc)
+                        return rc;
+        }
+        /* do DAC check on address space usage */
+        rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
        if (rc || addr_only)
                return rc;

diff --git a/security/Kconfig b/security/Kconfig index d23c839038f0..9c60c346a91d 100644 --- a/security/Kconfig +++ b/security/Kconfig
@@ -113,6 +113,22 @@ config SECURITY_ROOTPLUG
113		113
114	If you are unsure how to answer this question, answer N.	114	If you are unsure how to answer this question, answer N.
115		115
		116	config LSM_MMAP_MIN_ADDR
		117	int "Low address space for LSM to from user allocation"
		118	depends on SECURITY && SECURITY_SELINUX
		119	default 65535
		120	help
		121	This is the portion of low virtual memory which should be protected
		122	from userspace allocation. Keeping a user from writing to low pages
		123	can help reduce the impact of kernel NULL pointer bugs.
		124
		125	For most ia64, ppc64 and x86 users with lots of address space
		126	a value of 65536 is reasonable and should cause no problems.
		127	On arm and other archs it should not be higher than 32768.
		128	Programs which use vm86 functionality or have some need to map
		129	this low address space will need the permission specific to the
		130	systems running LSM.
		131
116	source security/selinux/Kconfig	132	source security/selinux/Kconfig
117	source security/smack/Kconfig	133	source security/smack/Kconfig
118	source security/tomoyo/Kconfig	134	source security/tomoyo/Kconfig


diff --git a/security/Makefile b/security/Makefile index c67557cdaa85..b56e7f9ecbc2 100644 --- a/security/Makefile +++ b/security/Makefile
@@ -8,7 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack
8	subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo	8	subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
9		9
10	# always enable default capabilities	10	# always enable default capabilities
11	obj-y += commoncap.o	11	obj-y += commoncap.o min_addr.o
12		12
13	# Object file lists	13	# Object file lists
14	obj-$(CONFIG_SECURITY) += security.o capability.o	14	obj-$(CONFIG_SECURITY) += security.o capability.o


diff --git a/security/capability.c b/security/capability.c index 21b6cead6a8e..88f752e8152c 100644 --- a/security/capability.c +++ b/security/capability.c
@@ -330,15 +330,6 @@ static int cap_file_ioctl(struct file *file, unsigned int command,
330	return 0;	330	return 0;
331	}	331	}
332		332
333	static int cap_file_mmap(struct file *file, unsigned long reqprot,
334	unsigned long prot, unsigned long flags,
335	unsigned long addr, unsigned long addr_only)
336	{
337	if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
338	return -EACCES;
339	return 0;
340	}
341
342	static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,	333	static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
343	unsigned long prot)	334	unsigned long prot)
344	{	335	{


diff --git a/security/commoncap.c b/security/commoncap.c index 48b7e0228fa3..e3097c0a1311 100644 --- a/security/commoncap.c +++ b/security/commoncap.c
@@ -984,3 +984,33 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
984	cap_sys_admin = 1;	984	cap_sys_admin = 1;
985	return __vm_enough_memory(mm, pages, cap_sys_admin);	985	return __vm_enough_memory(mm, pages, cap_sys_admin);
986	}	986	}
		987
		988	/*
		989	* cap_file_mmap - check if able to map given addr
		990	* @file: unused
		991	* @reqprot: unused
		992	* @prot: unused
		993	* @flags: unused
		994	* @addr: address attempting to be mapped
		995	* @addr_only: unused
		996	*
		997	* If the process is attempting to map memory below mmap_min_addr they need
		998	* CAP_SYS_RAWIO. The other parameters to this function are unused by the
		999	* capability security module. Returns 0 if this mapping should be allowed
		1000	* -EPERM if not.
		1001	*/
		1002	int cap_file_mmap(struct file *file, unsigned long reqprot,
		1003	unsigned long prot, unsigned long flags,
		1004	unsigned long addr, unsigned long addr_only)
		1005	{
		1006	int ret = 0;
		1007
		1008	if (addr < dac_mmap_min_addr) {
		1009	ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
		1010	SECURITY_CAP_AUDIT);
		1011	/* set PF_SUPERPRIV if it turns out we allow the low mmap */
		1012	if (ret == 0)
		1013	current->flags \|= PF_SUPERPRIV;
		1014	}
		1015	return ret;
		1016	}


diff --git a/security/min_addr.c b/security/min_addr.c new file mode 100644 index 000000000000..14cc7b3b8d03 --- /dev/null +++ b/security/min_addr.c
@@ -0,0 +1,49 @@
		1	#include <linux/init.h>
		2	#include <linux/mm.h>
		3	#include <linux/security.h>
		4	#include <linux/sysctl.h>
		5
		6	/* amount of vm to protect from userspace access by both DAC and the LSM*/
		7	unsigned long mmap_min_addr;
		8	/* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
		9	unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
		10	/* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
		11
		12	/*
		13	* Update mmap_min_addr = max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR)
		14	*/
		15	static void update_mmap_min_addr(void)
		16	{
		17	#ifdef CONFIG_LSM_MMAP_MIN_ADDR
		18	if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
		19	mmap_min_addr = dac_mmap_min_addr;
		20	else
		21	mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
		22	#else
		23	mmap_min_addr = dac_mmap_min_addr;
		24	#endif
		25	}
		26
		27	/*
		28	* sysctl handler which just sets dac_mmap_min_addr = the new value and then
		29	* calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly
		30	*/
		31	int mmap_min_addr_handler(struct ctl_table table, int write, struct file filp,
		32	void __user buffer, size_t lenp, loff_t *ppos)
		33	{
		34	int ret;
		35
		36	ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos);
		37
		38	update_mmap_min_addr();
		39
		40	return ret;
		41	}
		42
		43	int __init init_mmap_min_addr(void)
		44	{
		45	update_mmap_min_addr();
		46
		47	return 0;
		48	}
		49	pure_initcall(init_mmap_min_addr);


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1e8cfc4c2ed6..8d8b69c5664e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -3030,9 +3030,21 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3030	int rc = 0;	3030	int rc = 0;
3031	u32 sid = current_sid();	3031	u32 sid = current_sid();
3032		3032
3033	if (addr < mmap_min_addr)	3033	/*
		3034	* notice that we are intentionally putting the SELinux check before
		3035	* the secondary cap_file_mmap check. This is such a likely attempt
		3036	* at bad behaviour/exploit that we always want to get the AVC, even
		3037	* if DAC would have also denied the operation.
		3038	*/
		3039	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3034	rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,	3040	rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3035	MEMPROTECT__MMAP_ZERO, NULL);	3041	MEMPROTECT__MMAP_ZERO, NULL);
		3042	if (rc)
		3043	return rc;
		3044	}
		3045
		3046	/* do DAC check on address space usage */
		3047	rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3036	if (rc \|\| addr_only)	3048	if (rc \|\| addr_only)
3037	return rc;	3049	return rc;
3038		3050