Re: Updated: [PATCH] hardening: add PROT_FINAL prot flag to mmap/mprotect
From: Mikael Pettersson
Date: Thu Oct 04 2012 - 04:20:56 EST
Ard Biesheuvel writes:
> This patch adds support for the PROT_FINAL flag to
> the mmap() and mprotect() syscalls.
>
> The PROT_FINAL flag indicates that the requested set
> of protection bits should be final, i.e., it shall
> not be allowed for a subsequent mprotect call to
> set protection bits that were not set already.
>
> This is mainly intended for the dynamic linker,
> which sets up the address space on behalf of
> dynamic binaries. By using this flag, it can
> prevent exploited code from remapping read-only
> executable code or data sections read-write.
I can see why you might think this is a good idea, but I don't
like it for several reasons:
- If .text is mapped non-writable and final, how would a debugger
(or any ptrace-using monitor-like application) plant a large
number of breakpoints in a target process? Breakpoint registers
aren't enough because (a) they're few in number, and (b) not
all CPUs have them.
- You're proposing to give one component (the dynamic linker/
loader) absolute power to impose new policies on all
applications. How would an application that _deliberately_
does something the new policies don't allow tell the dynamic
linker or kernel to get out of its way?
This clearly changes the de-facto ABIs, and as such I think
it needs much more detailed analysis than what you've done
here.
At the very least I think this change should be opt-in, but
that would require a kernel option or sysctl, or some config
file for the user-space dynamic linker/loader.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/