8 files changed, 119 insertions, 14 deletions
diff --git a/security/Kconfig b/security/Kconfig
index d23c839038f0..4c865345caa0 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -113,6 +113,22 @@ config SECURITY_ROOTPLUG
          If you are unsure how to answer this question, answer N.
+config LSM_MMAP_MIN_ADDR
+        int "Low address space for LSM to protect from user allocation"
+        depends on SECURITY && SECURITY_SELINUX
+        default 65536
+        help
+          This is the portion of low virtual memory which should be protected
+          from userspace allocation.  Keeping a user from writing to low pages
+          can help reduce the impact of kernel NULL pointer bugs.
+          For most ia64, ppc64 and x86 users with lots of address space
+          a value of 65536 is reasonable and should cause no problems.
+          On arm and other archs it should not be higher than 32768.
+          Programs which use vm86 functionality or have some need to map
+          this low address space will need the permission specific to the
+          systems running LSM.
 source security/selinux/Kconfig
 source security/smack/Kconfig
 source security/tomoyo/Kconfig
diff --git a/security/Makefile b/security/Makefile
index c67557cdaa85..b56e7f9ecbc2 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -8,7 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK)		+= smack
 subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
 # always enable default capabilities
-obj-y           += commoncap.o
+obj-y           += commoncap.o min_addr.o
 # Object file lists
 obj-$(CONFIG_SECURITY)                  += security.o capability.o
diff --git a/security/capability.c b/security/capability.c
index 21b6cead6a8e..88f752e8152c 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -330,15 +330,6 @@ static int cap_file_ioctl(struct file *file, unsigned int command,
        return 0;
 }
-static int cap_file_mmap(struct file *file, unsigned long reqprot,
-                         unsigned long prot, unsigned long flags,
-                         unsigned long addr, unsigned long addr_only)
-{
-        if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
-                return -EACCES;
-        return 0;
-}
 static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
                             unsigned long prot)
 {
diff --git a/security/commoncap.c b/security/commoncap.c
index 48b7e0228fa3..e3097c0a1311 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -984,3 +984,33 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
                cap_sys_admin = 1;
        return __vm_enough_memory(mm, pages, cap_sys_admin);
 }
+/*
+ * cap_file_mmap - check if able to map given addr
+ * @file: unused
+ * @reqprot: unused
+ * @prot: unused
+ * @flags: unused
+ * @addr: address attempting to be mapped
+ * @addr_only: unused
+ *
+ * If the process is attempting to map memory below mmap_min_addr they need
+ * CAP_SYS_RAWIO.  The other parameters to this function are unused by the
+ * capability security module.  Returns 0 if this mapping should be allowed
+ * -EPERM if not.
+ */
+int cap_file_mmap(struct file *file, unsigned long reqprot,
+                  unsigned long prot, unsigned long flags,
+                  unsigned long addr, unsigned long addr_only)
+{
+        int ret = 0;
+        if (addr < dac_mmap_min_addr) {
+                ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
+                                  SECURITY_CAP_AUDIT);
+                /* set PF_SUPERPRIV if it turns out we allow the low mmap */
+                if (ret == 0)
+                        current->flags |= PF_SUPERPRIV;
+        }
+        return ret;
+}
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 63003a63aaee..46642a19bc78 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -45,9 +45,9 @@ int ima_calc_hash(struct file *file, char *digest)
 {
        struct hash_desc desc;
        struct scatterlist sg[1];
-        loff_t i_size;
+        loff_t i_size, offset = 0;
        char *rbuf;
-        int rc, offset = 0;
+        int rc;
        rc = init_desc(&desc);
        if (rc != 0)
@@ -67,6 +67,8 @@ int ima_calc_hash(struct file *file, char *digest)
                        rc = rbuf_len;
                        break;
                }
+                if (rbuf_len == 0)
+                        break;
                offset += rbuf_len;
                sg_init_one(sg, rbuf, rbuf_len);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 101c512564ec..4732f5e5d127 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -262,6 +262,8 @@ void ima_counts_put(struct path *path, int mask)
        else if (mask & (MAY_READ | MAY_EXEC))
                iint->readcount--;
        mutex_unlock(&iint->mutex);
+        kref_put(&iint->refcount, iint_free);
 }
 /*
@@ -291,6 +293,8 @@ void ima_counts_get(struct file *file)
        if (file->f_mode & FMODE_WRITE)
                iint->writecount++;
        mutex_unlock(&iint->mutex);
+        kref_put(&iint->refcount, iint_free);
 }
 EXPORT_SYMBOL_GPL(ima_counts_get);
diff --git a/security/min_addr.c b/security/min_addr.c
new file mode 100644
index 000000000000..14cc7b3b8d03
--- /dev/null
+++ b/security/min_addr.c
@@ -0,0 +1,49 @@
+#include <linux/init.h>
+#include <linux/mm.h>
+#include <linux/security.h>
+#include <linux/sysctl.h>
+/* amount of vm to protect from userspace access by both DAC and the LSM*/
+unsigned long mmap_min_addr;
+/* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
+unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
+/* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
+/*
+ * Update mmap_min_addr = max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR)
+ */
+static void update_mmap_min_addr(void)
+{
+#ifdef CONFIG_LSM_MMAP_MIN_ADDR
+        if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
+                mmap_min_addr = dac_mmap_min_addr;
+        else
+                mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
+#else
+        mmap_min_addr = dac_mmap_min_addr;
+#endif
+}
+/*
+ * sysctl handler which just sets dac_mmap_min_addr = the new value and then
+ * calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly
+ */
+int mmap_min_addr_handler(struct ctl_table *table, int write, struct file *filp,
+                          void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+        int ret;
+        ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos);
+        update_mmap_min_addr();
+        return ret;
+}
+int __init init_mmap_min_addr(void)
+{
+        update_mmap_min_addr();
+        return 0;
+}
+pure_initcall(init_mmap_min_addr);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 15c2a08a66f1..8d8b69c5664e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1285,6 +1285,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
                                           context, len);
                if (rc == -ERANGE) {
+                        kfree(context);
                        /* Need a larger buffer.  Query for the right size. */
                        rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
                                                   NULL, 0);
@@ -1292,7 +1294,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                                dput(dentry);
                                goto out_unlock;
                        }
-                        kfree(context);
                        len = rc;
                        context = kmalloc(len+1, GFP_NOFS);
                        if (!context) {
@@ -3029,9 +3030,21 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
        int rc = 0;
        u32 sid = current_sid();
-        if (addr < mmap_min_addr)
+        /*
+         * notice that we are intentionally putting the SELinux check before
+         * the secondary cap_file_mmap check.  This is such a likely attempt
+         * at bad behaviour/exploit that we always want to get the AVC, even
+         * if DAC would have also denied the operation.
+         */
+        if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
                rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
                                  MEMPROTECT__MMAP_ZERO, NULL);
+                if (rc)
+                        return rc;
+        }
+        /* do DAC check on address space usage */
+        rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
        if (rc || addr_only)
                return rc;

diff --git a/security/Kconfig b/security/Kconfig index d23c839038f0..4c865345caa0 100644 --- a/security/Kconfig +++ b/security/Kconfig
@@ -113,6 +113,22 @@ config SECURITY_ROOTPLUG
113		113
114	If you are unsure how to answer this question, answer N.	114	If you are unsure how to answer this question, answer N.
115		115
		116	config LSM_MMAP_MIN_ADDR
		117	int "Low address space for LSM to protect from user allocation"
		118	depends on SECURITY && SECURITY_SELINUX
		119	default 65536
		120	help
		121	This is the portion of low virtual memory which should be protected
		122	from userspace allocation. Keeping a user from writing to low pages
		123	can help reduce the impact of kernel NULL pointer bugs.
		124
		125	For most ia64, ppc64 and x86 users with lots of address space
		126	a value of 65536 is reasonable and should cause no problems.
		127	On arm and other archs it should not be higher than 32768.
		128	Programs which use vm86 functionality or have some need to map
		129	this low address space will need the permission specific to the
		130	systems running LSM.
		131
116	source security/selinux/Kconfig	132	source security/selinux/Kconfig
117	source security/smack/Kconfig	133	source security/smack/Kconfig
118	source security/tomoyo/Kconfig	134	source security/tomoyo/Kconfig


diff --git a/security/Makefile b/security/Makefile index c67557cdaa85..b56e7f9ecbc2 100644 --- a/security/Makefile +++ b/security/Makefile
@@ -8,7 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack
8	subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo	8	subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
9		9
10	# always enable default capabilities	10	# always enable default capabilities
11	obj-y += commoncap.o	11	obj-y += commoncap.o min_addr.o
12		12
13	# Object file lists	13	# Object file lists
14	obj-$(CONFIG_SECURITY) += security.o capability.o	14	obj-$(CONFIG_SECURITY) += security.o capability.o


diff --git a/security/capability.c b/security/capability.c index 21b6cead6a8e..88f752e8152c 100644 --- a/security/capability.c +++ b/security/capability.c
@@ -330,15 +330,6 @@ static int cap_file_ioctl(struct file *file, unsigned int command,
330	return 0;	330	return 0;
331	}	331	}
332		332
333	static int cap_file_mmap(struct file *file, unsigned long reqprot,
334	unsigned long prot, unsigned long flags,
335	unsigned long addr, unsigned long addr_only)
336	{
337	if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
338	return -EACCES;
339	return 0;
340	}
341
342	static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,	333	static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
343	unsigned long prot)	334	unsigned long prot)
344	{	335	{


diff --git a/security/commoncap.c b/security/commoncap.c index 48b7e0228fa3..e3097c0a1311 100644 --- a/security/commoncap.c +++ b/security/commoncap.c
@@ -984,3 +984,33 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
984	cap_sys_admin = 1;	984	cap_sys_admin = 1;
985	return __vm_enough_memory(mm, pages, cap_sys_admin);	985	return __vm_enough_memory(mm, pages, cap_sys_admin);
986	}	986	}
		987
		988	/*
		989	* cap_file_mmap - check if able to map given addr
		990	* @file: unused
		991	* @reqprot: unused
		992	* @prot: unused
		993	* @flags: unused
		994	* @addr: address attempting to be mapped
		995	* @addr_only: unused
		996	*
		997	* If the process is attempting to map memory below mmap_min_addr they need
		998	* CAP_SYS_RAWIO. The other parameters to this function are unused by the
		999	* capability security module. Returns 0 if this mapping should be allowed
		1000	* -EPERM if not.
		1001	*/
		1002	int cap_file_mmap(struct file *file, unsigned long reqprot,
		1003	unsigned long prot, unsigned long flags,
		1004	unsigned long addr, unsigned long addr_only)
		1005	{
		1006	int ret = 0;
		1007
		1008	if (addr < dac_mmap_min_addr) {
		1009	ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
		1010	SECURITY_CAP_AUDIT);
		1011	/* set PF_SUPERPRIV if it turns out we allow the low mmap */
		1012	if (ret == 0)
		1013	current->flags \|= PF_SUPERPRIV;
		1014	}
		1015	return ret;
		1016	}


diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index 63003a63aaee..46642a19bc78 100644 --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c
@@ -45,9 +45,9 @@ int ima_calc_hash(struct file file, char digest)
45	{	45	{
46	struct hash_desc desc;	46	struct hash_desc desc;
47	struct scatterlist sg[1];	47	struct scatterlist sg[1];
48	loff_t i_size;	48	loff_t i_size, offset = 0;
49	char *rbuf;	49	char *rbuf;
50	int rc, offset = 0;	50	int rc;
51		51
52	rc = init_desc(&desc);	52	rc = init_desc(&desc);
53	if (rc != 0)	53	if (rc != 0)
@@ -67,6 +67,8 @@ int ima_calc_hash(struct file file, char digest)
67	rc = rbuf_len;	67	rc = rbuf_len;
68	break;	68	break;
69	}	69	}
		70	if (rbuf_len == 0)
		71	break;
70	offset += rbuf_len;	72	offset += rbuf_len;
71	sg_init_one(sg, rbuf, rbuf_len);	73	sg_init_one(sg, rbuf, rbuf_len);
72		74


diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 101c512564ec..4732f5e5d127 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c
@@ -262,6 +262,8 @@ void ima_counts_put(struct path *path, int mask)
262	else if (mask & (MAY_READ \| MAY_EXEC))	262	else if (mask & (MAY_READ \| MAY_EXEC))
263	iint->readcount--;	263	iint->readcount--;
264	mutex_unlock(&iint->mutex);	264	mutex_unlock(&iint->mutex);
		265
		266	kref_put(&iint->refcount, iint_free);
265	}	267	}
266		268
267	/*	269	/*
@@ -291,6 +293,8 @@ void ima_counts_get(struct file *file)
291	if (file->f_mode & FMODE_WRITE)	293	if (file->f_mode & FMODE_WRITE)
292	iint->writecount++;	294	iint->writecount++;
293	mutex_unlock(&iint->mutex);	295	mutex_unlock(&iint->mutex);
		296
		297	kref_put(&iint->refcount, iint_free);
294	}	298	}
295	EXPORT_SYMBOL_GPL(ima_counts_get);	299	EXPORT_SYMBOL_GPL(ima_counts_get);
296		300


diff --git a/security/min_addr.c b/security/min_addr.c new file mode 100644 index 000000000000..14cc7b3b8d03 --- /dev/null +++ b/security/min_addr.c
@@ -0,0 +1,49 @@
		1	#include <linux/init.h>
		2	#include <linux/mm.h>
		3	#include <linux/security.h>
		4	#include <linux/sysctl.h>
		5
		6	/* amount of vm to protect from userspace access by both DAC and the LSM*/
		7	unsigned long mmap_min_addr;
		8	/* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
		9	unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
		10	/* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
		11
		12	/*
		13	* Update mmap_min_addr = max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR)
		14	*/
		15	static void update_mmap_min_addr(void)
		16	{
		17	#ifdef CONFIG_LSM_MMAP_MIN_ADDR
		18	if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
		19	mmap_min_addr = dac_mmap_min_addr;
		20	else
		21	mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
		22	#else
		23	mmap_min_addr = dac_mmap_min_addr;
		24	#endif
		25	}
		26
		27	/*
		28	* sysctl handler which just sets dac_mmap_min_addr = the new value and then
		29	* calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly
		30	*/
		31	int mmap_min_addr_handler(struct ctl_table table, int write, struct file filp,
		32	void __user buffer, size_t lenp, loff_t *ppos)
		33	{
		34	int ret;
		35
		36	ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos);
		37
		38	update_mmap_min_addr();
		39
		40	return ret;
		41	}
		42
		43	int __init init_mmap_min_addr(void)
		44	{
		45	update_mmap_min_addr();
		46
		47	return 0;
		48	}
		49	pure_initcall(init_mmap_min_addr);


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 15c2a08a66f1..8d8b69c5664e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -1285,6 +1285,8 @@ static int inode_doinit_with_dentry(struct inode inode, struct dentry opt_dent
1285	rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,	1285	rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1286	context, len);	1286	context, len);
1287	if (rc == -ERANGE) {	1287	if (rc == -ERANGE) {
		1288	kfree(context);
		1289
1288	/* Need a larger buffer. Query for the right size. */	1290	/* Need a larger buffer. Query for the right size. */
1289	rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,	1291	rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1290	NULL, 0);	1292	NULL, 0);
@@ -1292,7 +1294,6 @@ static int inode_doinit_with_dentry(struct inode inode, struct dentry opt_dent
1292	dput(dentry);	1294	dput(dentry);
1293	goto out_unlock;	1295	goto out_unlock;
1294	}	1296	}
1295	kfree(context);
1296	len = rc;	1297	len = rc;
1297	context = kmalloc(len+1, GFP_NOFS);	1298	context = kmalloc(len+1, GFP_NOFS);
1298	if (!context) {	1299	if (!context) {
@@ -3029,9 +3030,21 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3029	int rc = 0;	3030	int rc = 0;
3030	u32 sid = current_sid();	3031	u32 sid = current_sid();
3031		3032
3032	if (addr < mmap_min_addr)	3033	/*
		3034	* notice that we are intentionally putting the SELinux check before
		3035	* the secondary cap_file_mmap check. This is such a likely attempt
		3036	* at bad behaviour/exploit that we always want to get the AVC, even
		3037	* if DAC would have also denied the operation.
		3038	*/
		3039	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3033	rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,	3040	rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3034	MEMPROTECT__MMAP_ZERO, NULL);	3041	MEMPROTECT__MMAP_ZERO, NULL);
		3042	if (rc)
		3043	return rc;
		3044	}
		3045
		3046	/* do DAC check on address space usage */
		3047	rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3035	if (rc \|\| addr_only)	3048	if (rc \|\| addr_only)
3036	return rc;	3049	return rc;
3037		3050