Date: Sat, 6 Jul 2019 10:14:24 -0700 From: Randy Dunlap <rdunlap@...radead.org> To: Salvatore Mesoraca <s.mesoraca16@...il.com>, linux-kernel@...r.kernel.org Cc: kernel-hardening@...ts.openwall.com, linux-mm@...ck.org, linux-security-module@...r.kernel.org, Alexander Viro <viro@...iv.linux.org.uk>, Brad Spengler <spender@...ecurity.net>, Casey Schaufler <casey@...aufler-ca.com>, Christoph Hellwig <hch@...radead.org>, James Morris <james.l.morris@...cle.com>, Jann Horn <jannh@...gle.com>, Kees Cook <keescook@...omium.org>, PaX Team <pageexec@...email.hu>, "Serge E. Hallyn" <serge@...lyn.com>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [PATCH v5 01/12] S.A.R.A.: add documentation Hi, Just a few typo fixes (inline). On 7/6/19 3:54 AM, Salvatore Mesoraca wrote: > Adding documentation for S.A.R.A. LSM. > > Signed-off-by: Salvatore Mesoraca <s.mesoraca16@...il.com> > --- > Documentation/admin-guide/LSM/SARA.rst | 177 ++++++++++++++++++++++++ > Documentation/admin-guide/LSM/index.rst | 1 + > Documentation/admin-guide/kernel-parameters.txt | 24 ++++ > 3 files changed, 202 insertions(+) > create mode 100644 Documentation/admin-guide/LSM/SARA.rst > > diff --git a/Documentation/admin-guide/LSM/SARA.rst b/Documentation/admin-guide/LSM/SARA.rst > new file mode 100644 > index 0000000..fdde04c > --- /dev/null > +++ b/Documentation/admin-guide/LSM/SARA.rst > @@ -0,0 +1,177 @@ > +.. SPDX-License-Identifier: GPL-2.0 > + > +======== > +S.A.R.A. > +======== > + > +S.A.R.A. (S.A.R.A. is Another Recursive Acronym) is a stacked Linux Security > +Module that aims to collect heterogeneous security measures, providing a common > +interface to manage them. > +As of today it consists of one submodule: > + > +- WX Protection > + > + > +The kernel-space part is complemented by its user-space counterpart: `saractl` > +_. > +A test suite for WX Protection, called `sara-test` _, is also available. > +More information about where to find these tools and the full S.A.R.A. > +documentation are in the `External Links and Documentation`_ section. > + > +------------------------------------------------------------------------------- > + > +S.A.R.A.'s Submodules > +===================== > + > +WX Protection > +------------- > +WX Protection aims to improve user-space programs security by applying: > + > +- `W^X enforcement`_ > +- `W!->X (once writable never executable) mprotect restriction`_ > +- `Executable MMAP prevention`_ > + > +All of the above features can be enabled or disabled both system wide > +or on a per executable basis through the use of configuration files managed by > +`saractl` _. > + > +It is important to note that some programs may have issues working with > +WX Protection. In particular: > + > +- **W^X enforcement** will cause problems to any programs that needs > + memory pages mapped both as writable and executable at the same time e.g. > + programs with executable stack markings in the *PT_GNU_STACK* segment. > +- **W!->X mprotect restriction** will cause problems to any program that > + needs to generate executable code at run time or to modify executable > + pages e.g. programs with a *JIT* compiler built-in or linked against a > + *non-PIC* library. > +- **Executable MMAP prevention** can work only with programs that have at least > + partial *RELRO* support. It's disabled automatically for programs that > + lack this feature. It will cause problems to any program that uses *dlopen* > + or tries to do an executable mmap. Unfortunately this feature is the one > + that could create most problems and should be enabled only after careful > + evaluation. > + > +To extend the scope of the above features, despite the issues that they may > +cause, they are complemented by **/proc/PID/attr/sara/wxprot** interface > +and **trampoline emulation**. > + > +At the moment, WX Protection (unless specified otherwise) should work on > +any architecture supporting the NX bit, including, but not limited to: > +`x86_64`, `x86_32` (with PAE), `ARM` and `ARM64`. > + > +Parts of WX Protection are inspired by some of the features available in PaX. > + > +For further information about configuration file format and user-space > +utilities please take a look at the full documentation _. > + > +W^X enforcement > +^^^^^^^^^^^^^^^ > +W^X means that a program can't have a page of memory that is marked, at the > +same time, writable and executable. This also allow to detect many bad allows > +behaviours that make life much more easy for attackers. Programs running with > +this feature enabled will be more difficult to exploit in the case they are > +affected by some vulnerabilities, because the attacker will be forced > +to make more steps in order to exploit them. > +This feature also blocks accesses to /proc/*/mem files that would allow to > +write the current process read-only memory, bypassing any protection. > + > +W!->X (once writable never executable) mprotect restriction > +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > +"Once writable never executable" means that any page that could have been > +marked as writable in the past won't ever be allowed to be marked (e.g. via > +an mprotect syscall) as executable. > +This goes on the same track as W^X, but is much stricter and prevents > +the runtime creation of new executable code in memory. > +Obviously, this feature does not prevent a program from creating a new file and > +*mmapping* it as executable, however, it will be way more difficult for > +attackers to exploit vulnerabilities if this feature is enabled. > + > +Executable MMAP prevention > +^^^^^^^^^^^^^^^^^^^^^^^^^^ > +This feature prevents the creation of new executable mmaps after the dynamic > +libraries have been loaded. When used in combination with **W!->X mprotect > +restriction** this feature will completely prevent the creation of new > +executable code from the current thread. > +Obviously, this feature does not prevent cases in which an attacker uses an > +*execve* to start a completely new program. This kind of restriction, if > +needed, can be applied using one of the other LSM that focuses on MAC. LSMs > +Please be aware that this feature can break many programs and so it should be > +enabled after careful evaluation. > + > +/proc/PID/attr/sara/wxprot interface > +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > +The `procattr` interface can be used by a thread to discover which > +WX Protection features are enabled and/or to tighten them: protection > +can't be softened via procattr. > +The interface is simple: it's a text file with an hexadecimal with a > +number in it representing enabled features (more information can be > +found in the `Flags values`_ section). Via this interface it is also > +possible to perform a complete memory scan to remove the write permission > +from pages that are both writable and executable, please note that this > +change will also affect other threads of the same process. [snip] cheers. -- ~Randy
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.