Re: [gentoo-hardened] rsbac+pax fixation Patch to kernel 3.8 - gentoo-hardened

From:	"Javier Juan Martínez Cabezón" <tazok.id0@×××××.com>
To:	gentoo-hardened@l.g.o
Subject:	Re: [gentoo-hardened] rsbac+pax fixation Patch to kernel 3.8
Date:	Wed, 31 Jul 2013 01:18:33
Message-Id:	`CAD98N_GUbUN_kdDN+BKHecu8LpnE0D8Ka3JzDD-9DZsWvpJVMA@mail.gmail.com`
In Reply to:	Re: [gentoo-hardened] rsbac+pax fixation Patch to kernel 3.8 by "Javier Juan Martínez Cabezón"

1

To be able to compile rsbac kernel  CONFIG_UIDGIT_STRICT_TYPE_CHECKS and

2

CONFIG_USER_NS have to be disabled in kernel config. To apply PaX patch

3

fixation patch in kernel 3.10 with PaX Patch to this kernel, a

4

#include<sched/sysctl.h> have to be included in mprotect.c

5

6

7

2013/7/29 Javier Juan Martínez Cabezón <tazok.id0@×××××.com>

8

9

> Tomwij, blueness, as rsbac_sources maintainers, if you want to test

10

> fixation Patch with the source I have pointed in my initial mail, expect

11

> some troubles in compilation (conflicting types with k_uidt. I think it's

12

> not related with fixation Patch, but with rsbac instead, and git in

13

> particular an something puntual :-S.  So when I could make it compile (I

14

> have asked about this to ao, tested with rsbac 3.10 too...with same result)

15

> I will tell you,

16

>

17

> Rsbac git is now (as I have seen this night) with troubles and I could

18

> only get rsbac sources from webgit clicking in "snapshot"

19

>

20

>

21

>

22

>

23

>

24

>

25

> 2013/7/29 Javier Juan Martínez Cabezón <tazok.id0@×××××.com>

26

>

27

>> Hi and thanks for your answer, in rsbac code in namei.c  this code:

28

>>

29

>>

30

>>  rsbac_name = rsbac_symlink_redirect(dentry-

31

>> >d_inode, link, buflen);

32

>>

33

>> assigns to rsbac_name the result of rsbac_symlink_redirect()

34

>>

35

>> the part I have found about rsbac_symlink_redirect definition is this

36

>> (from adf_main.c, rsbac only code)

37

>>

38

>> (

39

>> http://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-3.8.y.git;a=blob;f=rsbac/adf/adf_main.c;h=decb72b3648cf4353deead1b880048bbfa17a035;hb=HEAD:

40

>>

41

>> #ifdef CONFIG_RSBAC_SYM_REDIR

42

>> 2741 EXPORT_SYMBOL(rsbac_symlink_redirect);

43

>> 2742

44

>> 2743 /* This function changes the symlink content by adding a suffix, if

45

>> 2744  * requested. It returns NULL, if unchanged, or a pointer to a

46

>> 2745  * kmalloc'd new char * otherwise, which has to be kfree'd after use.

47

>> 2746  */

48

>> 2747 *char * rsbac_symlink_redirect(

49

>> 2748   struct inode * inode_p,

50

>> 2749   const char * name,

51

>> 2750   u_int maxlen)*

52

>> 2751   {

53

>> 2752 #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) ||

54

>> defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC)

55

>> || defined(CONFIG_RSBAC_SYM_REDIR_UID)

56

>> 2753   *  union rsbac_target_id_t * i_tid_p;

57

>> 2754     int err;

58

>> 2755     union rsbac_attribute_value_t i_attr_val;*

59

>> 2756 #endif

60

>> .

61

>> .

62

>> .

63

>>  #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) ||

64

>> defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC)

65

>> || defined(CONFIG_RSBAC_SYM_REDIR_UID)

66

>> 2793   *  i_tid_p = kmalloc(sizeof(*i_tid_p), GFP_KERNEL);*

67

>> 2794     if(!i_tid_p)

68

>> 2795       {

69

>> 2796         rsbac_printk(KERN_DEBUG

70

>> 2797            "rsbac_symlink_redirect(): not enough memory for symlink

71

>> redir remote ip inode %u on dev %02u:%02u!\n",

72

>> 2798            inode_p->i_ino,

73

>> 2799            RSBAC_MAJOR(inode_p->i_sb->s_dev),

74

>> RSBAC_MINOR(inode_p->i_sb->s_dev) );

75

>> 2800         return NULL;

76

>> 2801       }

77

>> 2802     i_tid_p->symlink.device = inode_p->i_sb->s_dev;

78

>> 2803     i_tid_p->symlink.inode = inode_p->i_ino;

79

>> 2804     i_tid_p->symlink.dentry_p = NULL;

80

>> 2805 #endif

81

>>

82

>>

83

>> So,  Would be safe maintain the namei.c related part from fixation patch

84

>> as is isn't it?

85

>>

86

>> This in particular:

87

>>

88

>>

89

>> #ifdef CONFIG_RSBAC_SYM_REDIR

90

>>     rsbac_name = rsbac_symlink_redirect(dentry->d_inode, link, buflen);

91

>>     if (rsbac_name) {

92

>>         len = strlen(rsbac_name);

93

>>         if (copy_to_user(buffer, rsbac_name, len))

94

>>             len = -EFAULT;

95

>>         kfree(rsbac_name);

96

>>     }

97

>>     else

98

>> #endif

99

>>     if (len < sizeof(tmpbuf)) {

100

>>         memcpy(tmpbuf, link, len);

101

>>         newlink = tmpbuf;

102

>>     } else

103

>>         newlink = link;

104

>>

105

>>     if (copy_to_user(buffer, newlink, len))

106

>>         len = -EFAULT;

107

>> out:

108

>>     return len;

109

>> }

110

>>

111

>> This piece of code doesn't change usually change in rsbac as I would had

112

>> seen, so fixation patch should stay equal towards (if switched correct PaX

113

>> patch and rsbac patch it only rejects in this four positions and always the

114

>> same ones, so fixation patch should work for another versions too..

115

>>

116

>> Thanks a lot pageexec.

117

>>

118

>>

119

>>

120

>> 2013/7/29 PaX Team <pageexec@×××××.com>

121

>>

122

>>> On 29 Jul 2013 at 6:23, Javier Juan Martínez Cabezón wrote:

123

>>>

124

>>> > PaX tries to do this modification to rsbac git code:

125

>>> >

126

>>> > --- fs/namei.c    2013-03-19 01:53:21.091281869 +0100

127

>>> > +++ fs/namei.c    2013-03-19 01:53:31.251281326 +0100

128

>>> > @@ -3954,7 +3956,14 @@

129

>>> >      len = strlen(link);

130

>>> >      if (len > (unsigned) buflen)

131

>>> >          len = buflen;

132

>>> > -    if (copy_to_user(buffer, link, len))

133

>>> > +

134

>>> > +    if (len < sizeof(tmpbuf)) {

135

>>> > +        memcpy(tmpbuf, link, len);

136

>>> > +        newlink = tmpbuf;

137

>>> > +    } else

138

>>> > +        newlink = link;

139

>>> > +

140

>>> > +    if (copy_to_user(buffer, newlink, len))

141

>>> >          len = -EFAULT;

142

>>> >  out:

143

>>> >      return len;

144

>>>

145

>>> this change is done for USERCOPY to prevent false positive reports when

146

>>> the

147

>>> name comes from a dentry field (vs. a normal kmalloc slab) or something

148

>>> like that. if you want to enable USERCOPY under RSBAC as well then you'll

149

>>> have to ensure that either rsbac_name is allocated by a normal kmalloc

150

>>> (this

151

>>> seems to be the case already from a quick look) or you'll have to do the

152

>>> temporary stack copy as done in the above snippet.

153

>>>

154

>>>

155

>>>

156

>>>

157

>>

158

>

Gentoo Archives: gentoo-hardened

Replies

1	To be able to compile rsbac kernel CONFIG_UIDGIT_STRICT_TYPE_CHECKS and
2	CONFIG_USER_NS have to be disabled in kernel config. To apply PaX patch
3	fixation patch in kernel 3.10 with PaX Patch to this kernel, a
4	#include<sched/sysctl.h> have to be included in mprotect.c
5
6
7	2013/7/29 Javier Juan Martínez Cabezón <tazok.id0@×××××.com>
8
9	> Tomwij, blueness, as rsbac_sources maintainers, if you want to test
10	> fixation Patch with the source I have pointed in my initial mail, expect
11	> some troubles in compilation (conflicting types with k_uidt. I think it's
12	> not related with fixation Patch, but with rsbac instead, and git in
13	> particular an something puntual :-S. So when I could make it compile (I
14	> have asked about this to ao, tested with rsbac 3.10 too...with same result)
15	> I will tell you,
16	>
17	> Rsbac git is now (as I have seen this night) with troubles and I could
18	> only get rsbac sources from webgit clicking in "snapshot"
19	>
20	>
21	>
22	>
23	>
24	>
25	> 2013/7/29 Javier Juan Martínez Cabezón <tazok.id0@×××××.com>
26	>
27	>> Hi and thanks for your answer, in rsbac code in namei.c this code:
28	>>
29	>>
30	>> rsbac_name = rsbac_symlink_redirect(dentry-
31	>> >d_inode, link, buflen);
32	>>
33	>> assigns to rsbac_name the result of rsbac_symlink_redirect()
34	>>
35	>> the part I have found about rsbac_symlink_redirect definition is this
36	>> (from adf_main.c, rsbac only code)
37	>>
38	>> (
39	>> http://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-3.8.y.git;a=blob;f=rsbac/adf/adf_main.c;h=decb72b3648cf4353deead1b880048bbfa17a035;hb=HEAD:
40	>>
41	>> #ifdef CONFIG_RSBAC_SYM_REDIR
42	>> 2741 EXPORT_SYMBOL(rsbac_symlink_redirect);
43	>> 2742
44	>> 2743 /* This function changes the symlink content by adding a suffix, if
45	>> 2744 * requested. It returns NULL, if unchanged, or a pointer to a
46	>> 2745 * kmalloc'd new char * otherwise, which has to be kfree'd after use.
47	>> 2746 */
48	>> 2747 char rsbac_symlink_redirect(
49	>> 2748 struct inode * inode_p,
50	>> 2749 const char * name,
51	>> 2750 u_int maxlen)*
52	>> 2751 {
53	>> 2752 #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) \|\|
54	>> defined(CONFIG_RSBAC_SYM_REDIR_MAC) \|\| defined(CONFIG_RSBAC_SYM_REDIR_RC)
55	>> \|\| defined(CONFIG_RSBAC_SYM_REDIR_UID)
56	>> 2753 * union rsbac_target_id_t * i_tid_p;
57	>> 2754 int err;
58	>> 2755 union rsbac_attribute_value_t i_attr_val;*
59	>> 2756 #endif
60	>> .
61	>> .
62	>> .
63	>> #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) \|\|
64	>> defined(CONFIG_RSBAC_SYM_REDIR_MAC) \|\| defined(CONFIG_RSBAC_SYM_REDIR_RC)
65	>> \|\| defined(CONFIG_RSBAC_SYM_REDIR_UID)
66	>> 2793 * i_tid_p = kmalloc(sizeof(i_tid_p), GFP_KERNEL);
67	>> 2794 if(!i_tid_p)
68	>> 2795 {
69	>> 2796 rsbac_printk(KERN_DEBUG
70	>> 2797 "rsbac_symlink_redirect(): not enough memory for symlink
71	>> redir remote ip inode %u on dev %02u:%02u!\n",
72	>> 2798 inode_p->i_ino,
73	>> 2799 RSBAC_MAJOR(inode_p->i_sb->s_dev),
74	>> RSBAC_MINOR(inode_p->i_sb->s_dev) );
75	>> 2800 return NULL;
76	>> 2801 }
77	>> 2802 i_tid_p->symlink.device = inode_p->i_sb->s_dev;
78	>> 2803 i_tid_p->symlink.inode = inode_p->i_ino;
79	>> 2804 i_tid_p->symlink.dentry_p = NULL;
80	>> 2805 #endif
81	>>
82	>>
83	>> So, Would be safe maintain the namei.c related part from fixation patch
84	>> as is isn't it?
85	>>
86	>> This in particular:
87	>>
88	>>
89	>> #ifdef CONFIG_RSBAC_SYM_REDIR
90	>> rsbac_name = rsbac_symlink_redirect(dentry->d_inode, link, buflen);
91	>> if (rsbac_name) {
92	>> len = strlen(rsbac_name);
93	>> if (copy_to_user(buffer, rsbac_name, len))
94	>> len = -EFAULT;
95	>> kfree(rsbac_name);
96	>> }
97	>> else
98	>> #endif
99	>> if (len < sizeof(tmpbuf)) {
100	>> memcpy(tmpbuf, link, len);
101	>> newlink = tmpbuf;
102	>> } else
103	>> newlink = link;
104	>>
105	>> if (copy_to_user(buffer, newlink, len))
106	>> len = -EFAULT;
107	>> out:
108	>> return len;
109	>> }
110	>>
111	>> This piece of code doesn't change usually change in rsbac as I would had
112	>> seen, so fixation patch should stay equal towards (if switched correct PaX
113	>> patch and rsbac patch it only rejects in this four positions and always the
114	>> same ones, so fixation patch should work for another versions too..
115	>>
116	>> Thanks a lot pageexec.
117	>>
118	>>
119	>>
120	>> 2013/7/29 PaX Team <pageexec@×××××.com>
121	>>
122	>>> On 29 Jul 2013 at 6:23, Javier Juan Martínez Cabezón wrote:
123	>>>
124	>>> > PaX tries to do this modification to rsbac git code:
125	>>> >
126	>>> > --- fs/namei.c 2013-03-19 01:53:21.091281869 +0100
127	>>> > +++ fs/namei.c 2013-03-19 01:53:31.251281326 +0100
128	>>> > @@ -3954,7 +3956,14 @@
129	>>> > len = strlen(link);
130	>>> > if (len > (unsigned) buflen)
131	>>> > len = buflen;
132	>>> > - if (copy_to_user(buffer, link, len))
133	>>> > +
134	>>> > + if (len < sizeof(tmpbuf)) {
135	>>> > + memcpy(tmpbuf, link, len);
136	>>> > + newlink = tmpbuf;
137	>>> > + } else
138	>>> > + newlink = link;
139	>>> > +
140	>>> > + if (copy_to_user(buffer, newlink, len))
141	>>> > len = -EFAULT;
142	>>> > out:
143	>>> > return len;
144	>>>
145	>>> this change is done for USERCOPY to prevent false positive reports when
146	>>> the
147	>>> name comes from a dentry field (vs. a normal kmalloc slab) or something
148	>>> like that. if you want to enable USERCOPY under RSBAC as well then you'll
149	>>> have to ensure that either rsbac_name is allocated by a normal kmalloc
150	>>> (this
151	>>> seems to be the case already from a quick look) or you'll have to do the
152	>>> temporary stack copy as done in the above snippet.
153	>>>
154	>>>
155	>>>
156	>>>
157	>>
158	>