From: Joshua Brindle <jbrindle@snu.edu>
To: SELinux <SELinux@tycho.nsa.gov>
Subject: PaX + selinux integration update
Date: Wed, 25 Feb 2004 13:34:03 -0600 [thread overview]
Message-ID: <403CF8AB.5080309@snu.edu> (raw)
[-- Attachment #1: Type: text/plain, Size: 224 bytes --]
These are the fixed-up versions, thanks to Chris Pebenito: the kernel
patch no longer specifies defaults, so all decisions now come directly
from policy.
Also, the policy now dontaudits the per-flag denials, so the excessive
number of denial messages is no longer displayed.
[-- Attachment #2: pax-selinux-hooks-2.4.24-hardened-r1 --]
[-- Type: text/plain, Size: 5581 bytes --]
diff -urN linux-2.4.24-hardened-r1.orig/security/selinux/hooks.c linux-2.4.24-hardened-r1/security/selinux/hooks.c
--- linux-2.4.24-hardened-r1.orig/security/selinux/hooks.c 2004-02-22 23:03:26.000000000 -0600
+++ linux-2.4.24-hardened-r1/security/selinux/hooks.c 2004-02-22 23:46:53.000000000 -0600
@@ -3190,6 +3190,68 @@
return size;
}
+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
+static void avc_pax_set_flags(struct linux_binprm * bprm)
+{
+ struct inode_security_struct *isec;
+ unsigned long flags = 0;
+ int rc;
+
+ char *scontext;
+ u32 scontext_len;
+
+ /*
+ * get the security struct from the inode of the file
+ * since the bprm security struct will just point to
+ * the user running the binary
+ */
+ struct inode *inode = bprm->file->f_dentry->d_inode;
+ isec = inode->i_security;
+
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__PAGEEXEC, &isec->avcr,NULL);
+ if (!rc) {
+ flags |= PF_PAX_PAGEEXEC;
+ }
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__EMUTRAMP, &isec->avcr, NULL);
+ if (!rc) {
+ flags |= PF_PAX_EMUTRAMP;
+ }
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__RANDEXEC, &isec->avcr, NULL);
+ if (!rc) {
+ flags |= PF_PAX_RANDEXEC;
+ }
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__MPROTECT, &isec->avcr, NULL);
+ if (!rc) {
+ flags |= PF_PAX_MPROTECT;
+ }
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__RANDMMAP, &isec->avcr, NULL);
+ if (!rc) {
+ flags |= PF_PAX_RANDMMAP;
+ }
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__SEGMEXEC, &isec->avcr, NULL);
+ if (!rc) {
+ flags |= PF_PAX_SEGMEXEC;
+ }
+
+ if (selinux_enforcing) {
+ /* pull all the pax flags in current */
+ current->flags &= ~(PF_PAX_PAGEEXEC | PF_PAX_EMUTRAMP | PF_PAX_MPROTECT | PF_PAX_RANDMMAP | PF_PAX_RANDEXEC | PF_PAX_SEGMEXEC);
+ /* and add ours */
+ current->flags |= flags;
+
+ if (pax_check_flags(¤t->flags) < 0) {
+ security_sid_to_context(isec->sid, &scontext, &scontext_len);
+ printk(KERN_WARNING "avc: PaX flags overridden to %lx for %s (%s)\n",
+ current->flags,
+ scontext,
+ bprm->filename);
+ kfree(scontext);
+ }
+ }
+}
+#endif /* CONFIG_PAX_HOOK_ACL_FLAGS */
+
+
struct security_operations selinux_ops = {
.ptrace = selinux_ptrace,
.capget = selinux_capget,
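Review bot: In the `pax_check_flags` failure path, `security_sid_to_context()` is called without checking its return value, so if the lookup fails `scontext` (declared uninitialized at the top of `avc_pax_set_flags`) is passed to `printk("%s")` and then `kfree()`d. The context string is only decoration for the warning, so a failed lookup should degrade the message rather than be trusted, as in the rewrite below. The `selinux_enforcing` guard also deserves a why-comment: in permissive mode every `avc_has_perm` presumably succeeds, which would switch on every flag, so the guard appears to exist to avoid applying policy-derived flags outside enforcing mode, e.g. `/* permissive mode grants every check, so only apply policy flags when enforcing */`. The `¤t->flags` on the `pax_check_flags` line reads as an archive-rendering artefact for `&current->flags`.

```c
/* … unchanged: per-flag avc_has_perm checks and flag assembly … */
		if (pax_check_flags(&current->flags) < 0) {
			/* the context is only for the warning; do not trust an unchecked lookup */
			if (security_sid_to_context(isec->sid, &scontext, &scontext_len)) {
				printk(KERN_WARNING "avc: PaX flags overridden to %lx for %s\n",
				       current->flags, bprm->filename);
				return;
			}
			printk(KERN_WARNING "avc: PaX flags overridden to %lx for %s (%s)\n",
			       current->flags, scontext, bprm->filename);
			kfree(scontext);
		}
```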
@@ -3370,6 +3432,11 @@
{
printk(KERN_INFO "SELinux: Completing initialization.\n");
+ #ifdef CONFIG_PAX_HOOK_ACL_FLAGS
+ printk(KERN_INFO "SELinux: Setting PaX callback function.\n");
+ pax_set_flags_func = avc_pax_set_flags;
+ #endif
+
/* Set up any superblocks initialized prior to the policy load. */
printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
spin_lock(&sb_security_lock);
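Review bot: `pax_set_flags_func` is installed unconditionally at the end of policy-load completion, so every execve before this point — and every execve if SELinux never completes initialization — runs with no policy-derived PaX flags at all; since the cover letter says the kernel patch no longer supplies defaults, the behaviour of those early-boot processes should be documented next to the assignment, e.g. `/* no callback until policy is loaded: early-boot binaries get whatever the PaX core does without one */`. If the global can already hold another callback, it should not be silently overwritten (hedged: its declaration is not visible here). The enclosing initialization function starts outside the hunk.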
diff -urN linux-2.4.24-hardened-r1.orig/security/selinux/include/av_perm_to_string.h linux-2.4.24-hardened-r1/security/selinux/include/av_perm_to_string.h
--- linux-2.4.24-hardened-r1.orig/security/selinux/include/av_perm_to_string.h 2004-02-22 23:03:26.000000000 -0600
+++ linux-2.4.24-hardened-r1/security/selinux/include/av_perm_to_string.h 2004-02-20 16:50:39.000000000 -0600
@@ -114,6 +120,12 @@
{ SECCLASS_PASSWD, PASSWD__PASSWD, "passwd" },
{ SECCLASS_PASSWD, PASSWD__CHFN, "chfn" },
{ SECCLASS_PASSWD, PASSWD__CHSH, "chsh" },
+ { SECCLASS_PAX, PAX__PAGEEXEC, "pageexec" },
+ { SECCLASS_PAX, PAX__EMUTRAMP, "emutramp" },
+ { SECCLASS_PAX, PAX__MPROTECT, "mprotect" },
+ { SECCLASS_PAX, PAX__RANDMMAP, "randmmap" },
+ { SECCLASS_PAX, PAX__RANDEXEC, "randexec" },
+ { SECCLASS_PAX, PAX__SEGMEXEC, "segmexec" },
};
diff -urN linux-2.4.24-hardened-r1.orig/security/selinux/include/av_permissions.h linux-2.4.24-hardened-r1/security/selinux/include/av_permissions.h
--- linux-2.4.24-hardened-r1.orig/security/selinux/include/av_permissions.h 2004-02-22 23:03:26.000000000 -0600
+++ linux-2.4.24-hardened-r1/security/selinux/include/av_permissions.h 2004-02-20 16:50:40.000000000 -0600
@@ -546,5 +554,12 @@
#define PASSWD__CHFN 0x00000002UL
#define PASSWD__CHSH 0x00000004UL
+#define PAX__PAGEEXEC 0x00000001UL
+#define PAX__EMUTRAMP 0x00000002UL
+#define PAX__MPROTECT 0x00000004UL
+#define PAX__RANDMMAP 0x00000008UL
+#define PAX__RANDEXEC 0x00000010UL
+#define PAX__SEGMEXEC 0x00000020UL
+
/* FLASK */
diff -urN linux-2.4.24-hardened-r1.orig/security/selinux/include/class_to_string.h linux-2.4.24-hardened-r1/security/selinux/include/class_to_string.h
--- linux-2.4.24-hardened-r1.orig/security/selinux/include/class_to_string.h 2004-02-22 23:03:26.000000000 -0600
+++ linux-2.4.24-hardened-r1/security/selinux/include/class_to_string.h 2004-02-20 16:50:40.000000000 -0600
@@ -35,5 +35,6 @@
"shm",
"ipc",
"passwd",
+ "pax",
};
diff -urN linux-2.4.24-hardened-r1.orig/security/selinux/include/flask.h linux-2.4.24-hardened-r1/security/selinux/include/flask.h
--- linux-2.4.24-hardened-r1.orig/security/selinux/include/flask.h 2004-02-22 23:03:26.000000000 -0600
+++ linux-2.4.24-hardened-r1/security/selinux/include/flask.h 2004-02-20 16:50:41.000000000 -0600
@@ -35,6 +35,7 @@
#define SECCLASS_SHM 28
#define SECCLASS_IPC 29
#define SECCLASS_PASSWD 30
+#define SECCLASS_PAX 31
/*
* Security identifier indices for initial entities
[-- Attachment #3: pax-selinux-hooks-policy --]
[-- Type: text/plain, Size: 4371 bytes --]
diff --exclude=users --exclude=users.fc -ur cvs/assert.te policy-dev/assert.te
--- cvs/assert.te 2003-12-07 20:50:37.000000000 -0600
+++ policy-dev/assert.te 2004-02-22 22:15:56.000000000 -0600
@@ -157,3 +157,21 @@
neverallow * domain:file_class_set ~rw_file_perms;
neverallow * file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;
+
+ifdef(`pax.te',`
+#
+# PaX flags only on executables. However not all executables
+# are exec_type, so limit to file_types
+#
+neverallow ~file_type self:pax { pageexec segmexec mprotect randmmap emutramp randexec };
+
+#
+# Enforce flag exemptions
+#
+neverallow nopageexec self:pax pageexec;
+neverallow noemutramp self:pax emutramp;
+neverallow nomprotect self:pax mprotect;
+neverallow norandmmap self:pax randmmap;
+neverallow norandexec self:pax randexec;
+neverallow nosegmexec self:pax segmexec;
+')
diff --exclude=users --exclude=users.fc -ur cvs/attrib.te policy-dev/attrib.te
--- cvs/attrib.te 2003-12-07 20:50:37.000000000 -0600
+++ policy-dev/attrib.te 2004-02-22 22:19:15.000000000 -0600
@@ -319,3 +319,25 @@
# For a mail server process that takes TCP connections on port 25
attribute mail_server_domain;
+
+############################
+# Attributes for PaX flags:
+#
+
+# Do not enforce paging based non-executable pages
+attribute nopageexec;
+
+# Do not enforce segmentation based non-executable pages
+attribute nosegmexec;
+
+# Do not restrict mprotect()
+attribute nomprotect;
+
+# Do not randomize mmap() base [ELF only]
+attribute norandmmap;
+
+# Do not emulate trampolines
+attribute noemutramp;
+
+# Do not randomize ET_EXEC base [ELF only]
+attribute norandexec;
diff --exclude=users --exclude=users.fc -ur cvs/domains/program/pax.te policy-dev/domains/program/pax.te
--- cvs/domains/program/pax.te 2004-02-21 01:16:20.000000000 -0600
+++ policy-dev/domains/program/pax.te 2004-02-22 22:29:11.000000000 -0600
@@ -0,0 +1,41 @@
+##########################
+# Default PaX Flags
+#
+# Set flags for all file_type's since not all
+# executables are exec_type. It is suggested that
+# users become familiar with each flag before
+# enabling it on all executables.
+#
+
+# Paging based non-executable pages
+#allow { file_type -nopageexec } self:pax pageexec;
+
+# Segmentation based non-executable pages
+#allow { file_type -nosegmexec } self:pax segmexec;
+
+# Restrict mprotect()
+#allow { file_type -nomprotect } self:pax mprotect;
+
+# Randomize mmap() base
+#allow { file_type -norandmmap } self:pax randmmap;
+
+# Emulate trampolines
+#allow { file_type -noemutramp } self:pax emutramp;
+
+# Randomize ET_EXEC base
+#allow { file_type -norandexec } self:pax randexec;
+
+# Do not need to audit disabled flags
+dontaudit file_type self:pax { pageexec segmexec mprotect randmmap emutramp randexec };
+
+##########################
+# Set flags for specific executables:
+#
+
+
+##########################
+# Paxtest policy
+#
+type paxtest_exec_t, file_type, noemutramp;
+allow paxtest_exec_t self:pax { segmexec mprotect randmmap randexec };
+can_exec(sysadm_t,paxtest_exec_t)
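Review bot: With every default `allow { file_type -no* } self:pax ...` rule commented out, the kernel hook clears all PF_PAX_* flags on every exec in enforcing mode and grants none back, so this policy as shipped disables PaX for every binary except paxtest_exec_t — a fail-open default for a hardening feature. The header comment should say so explicitly, e.g. `# WARNING: until one of the rules below is enabled, enforcing mode turns every PaX flag OFF for all file_type binaries`, and it is worth considering whether at least the least intrusive flag can ship enabled. The blanket `dontaudit file_type self:pax {...}` additionally means a binary silently running without protection leaves no audit record, so the `pax_check_flags` warning in the kernel hook is the only visible signal; a comment on the dontaudit line should state that trade-off.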
diff --exclude=users --exclude=users.fc -ur cvs/file_contexts/program/pax.fc policy-dev/file_contexts/program/pax.fc
--- cvs/file_contexts/program/pax.fc 2004-02-21 01:16:33.000000000 -0600
+++ policy-dev/file_contexts/program/pax.fc 2004-02-21 00:57:21.000000000 -0600
@@ -0,0 +1,2 @@
+# paxtest programs
+/usr/lib/paxtest/.* -- system_u:object_r:paxtest_exec_t
diff --exclude=users --exclude=users.fc -ur cvs/flask/access_vectors policy-dev/flask/access_vectors
--- cvs/flask/access_vectors 2003-12-07 20:50:37.000000000 -0600
+++ policy-dev/flask/access_vectors 2004-02-19 20:16:44.000000000 -0600
@@ -353,3 +353,17 @@
chfn
chsh
}
+
+#
+# Define the access vector interpretation for controlling
+# PaX flags
+#
+class pax
+{
+ pageexec # Paging based non-executable pages
+ emutramp # Emulate trampolines
+ mprotect # Restrict mprotect()
+ randmmap # Randomize mmap() base
+ randexec # Randomize ET_EXEC base
+ segmexec # Segmentation based non-executable pages
+}
diff --exclude=users --exclude=users.fc -ur cvs/flask/security_classes policy-dev/flask/security_classes
--- cvs/flask/security_classes 2003-12-07 20:50:37.000000000 -0600
+++ policy-dev/flask/security_classes 2004-02-19 20:16:44.000000000 -0600
@@ -47,4 +47,7 @@
# passwd/chfn/chsh
class passwd
+# pax flags
+class pax
+
# FLASK