Re: [RFC PATCH v1] ima: verify mprotect change is consistent with mmap policy

From: Lakshmi Ramasubramanian
Date: Tue May 05 2020 - 13:52:16 EST

Next message: Paul E. McKenney: "Re: [patch V4 part 1 12/36] x86/kvm: Sanitize kvm_async_pf_task_wait()"
Previous message: Randy Dunlap: "Re: [PATCH] bpf: Tweak BPF jump table optimizations for objtool compatibility"
In reply to: Mimi Zohar: "[RFC PATCH v1] ima: verify mprotect change is consistent with mmap policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 5/5/20 10:30 AM, Mimi Zohar wrote:

Files can be mmap'ed read/write and later changed to execute to circumvent
IMA's mmap appraise policy rules. Due to locking issues (mmap semaphore
would be taken prior to i_mutex), files can not be measured or appraised at
this point. Eliminate this integrity gap, by denying the mprotect
PROT_EXECUTE change, if an mmap appraise policy rule exists.

On mprotect change success, return 0. On failure, return -EACESS.

Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
Changelog v1:
- Reverse tests to remove code indentation. (Lakshmi Ramasubramanian)
- General code cleanup, including adding comments.

include/linux/ima.h | 7 ++++++
security/integrity/ima/ima_main.c | 51 +++++++++++++++++++++++++++++++++++++++
security/security.c | 7 +++++-
3 files changed, 64 insertions(+), 1 deletion(-)

Reviewed-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>

Next message: Paul E. McKenney: "Re: [patch V4 part 1 12/36] x86/kvm: Sanitize kvm_async_pf_task_wait()"
Previous message: Randy Dunlap: "Re: [PATCH] bpf: Tweak BPF jump table optimizations for objtool compatibility"
In reply to: Mimi Zohar: "[RFC PATCH v1] ima: verify mprotect change is consistent with mmap policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]