From: Kees Cook <keescook@chromium.org>
To: Michael McCracken <michael.mccracken@gmail.com>
Cc: linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com, serge@hallyn.com,
tycho@tycho.pizza, Luis Chamberlain <mcgrof@kernel.org>,
Iurii Zaikin <yzaikin@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH] sysctl: add config to make randomize_va_space RO
Date: Tue, 16 May 2023 13:17:34 -0700 [thread overview]
Message-ID: <202305161312.078E5E7@keescook> (raw)
In-Reply-To: <20230504213002.56803-1-michael.mccracken@gmail.com>
On Thu, May 04, 2023 at 02:30:02PM -0700, Michael McCracken wrote:
> Add config RO_RANDMAP_SYSCTL to set the mode of the randomize_va_space
> sysctl to 0444 to disallow all runtime changes. This will prevent
> accidental changing of this value by a root service.
>
> The config is disabled by default to avoid surprises.
>
> Signed-off-by: Michael McCracken <michael.mccracken@gmail.com>
> ---
> kernel/sysctl.c | 4 ++++
> mm/Kconfig | 7 +++++++
> 2 files changed, 11 insertions(+)
>
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index bfe53e835524..c5aafb734abe 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -1913,7 +1913,11 @@ static struct ctl_table kern_table[] = {
> .procname = "randomize_va_space",
> .data = &randomize_va_space,
> .maxlen = sizeof(int),
> +#if defined(CONFIG_RO_RANDMAP_SYSCTL)
> + .mode = 0444,
> +#else
> .mode = 0644,
> +#endif
The way we've dealt with this in the past for similarly sensitive
sysctl variables to was set a "locked" position. (e.g. 0==off, 1==on,
2==cannot be turned off). In this case, we could make it, 0, 1, 2,
3==forced on full.
I note that there is actually no min/max (extra1/extra2) for this sysctl,
which is itself a bug, IMO. And there is just a magic "> 1" test that
should be a define or enum:
fs/binfmt_elf.c: if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {
I think much of this should be improved.
Regardless, take a look at yama_dointvec_minmax(), which could, perhaps,
be generalized and used here.
Then we have a run-time way to manage this bit, without needing full
kernel rebuilds, etc, etc.
-Kees
--
Kees Cook
prev parent reply other threads:[~2023-05-16 20:17 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-04 21:30 [PATCH] sysctl: add config to make randomize_va_space RO Michael McCracken
2023-05-05 7:35 ` David Hildenbrand
2023-05-05 7:46 ` Sam James
2023-05-05 15:15 ` David Hildenbrand
2023-05-05 15:16 ` David Hildenbrand
2023-05-05 15:23 ` Paul Moore
2023-05-06 7:04 ` Kaiwan N Billimoria
2023-05-07 19:53 ` Paul Moore
2023-05-15 21:43 ` Serge Hallyn
2023-05-16 20:17 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202305161312.078E5E7@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mcgrof@kernel.org \
--cc=michael.mccracken@gmail.com \
--cc=serge@hallyn.com \
--cc=tycho@tycho.pizza \
--cc=yzaikin@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.