Re: [gentoo-hardened] rsbac+pax fixation Patch to kernel 3.8 - gentoo-hardened

From:	"Javier Juan Martínez Cabezón" <tazok.id0@×××××.com>
To:	gentoo-hardened@l.g.o
Subject:	Re: [gentoo-hardened] rsbac+pax fixation Patch to kernel 3.8
Date:	Wed, 31 Jul 2013 05:28:27
Message-Id:	`CAD98N_E5i63XYCSQfpuTxm2S+Fwhsu8Rd4zk85yztsG8b=ZXxw@mail.gmail.com`
In Reply to:	Re: [gentoo-hardened] rsbac+pax fixation Patch to kernel 3.8 by "Javier Juan Martínez Cabezón"

1

excuse me by errata is #include <linux/sched/sysctl.h> :S

2

3

2013/7/31 Javier Juan Martínez Cabezón <tazok.id0@×××××.com>

4

5

> To be able to compile rsbac kernel  CONFIG_UIDGIT_STRICT_TYPE_CHECKS and

6

> CONFIG_USER_NS have to be disabled in kernel config. To apply PaX patch

7

> fixation patch in kernel 3.10 with PaX Patch to this kernel, a

8

> #include<sched/sysctl.h> have to be included in mprotect.c

9

>

10

>

11

>

12

> 2013/7/29 Javier Juan Martínez Cabezón <tazok.id0@×××××.com>

13

>

14

>> Tomwij, blueness, as rsbac_sources maintainers, if you want to test

15

>> fixation Patch with the source I have pointed in my initial mail, expect

16

>> some troubles in compilation (conflicting types with k_uidt. I think it's

17

>> not related with fixation Patch, but with rsbac instead, and git in

18

>> particular an something puntual :-S.  So when I could make it compile (I

19

>> have asked about this to ao, tested with rsbac 3.10 too...with same result)

20

>> I will tell you,

21

>>

22

>> Rsbac git is now (as I have seen this night) with troubles and I could

23

>> only get rsbac sources from webgit clicking in "snapshot"

24

>>

25

>>

26

>>

27

>>

28

>>

29

>>

30

>> 2013/7/29 Javier Juan Martínez Cabezón <tazok.id0@×××××.com>

31

>>

32

>>> Hi and thanks for your answer, in rsbac code in namei.c  this code:

33

>>>

34

>>>

35

>>>  rsbac_name = rsbac_symlink_redirect(dentry-

36

>>> >d_inode, link, buflen);

37

>>>

38

>>> assigns to rsbac_name the result of rsbac_symlink_redirect()

39

>>>

40

>>> the part I have found about rsbac_symlink_redirect definition is this

41

>>> (from adf_main.c, rsbac only code)

42

>>>

43

>>> (

44

>>> http://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-3.8.y.git;a=blob;f=rsbac/adf/adf_main.c;h=decb72b3648cf4353deead1b880048bbfa17a035;hb=HEAD:

45

>>>

46

>>> #ifdef CONFIG_RSBAC_SYM_REDIR

47

>>> 2741 EXPORT_SYMBOL(rsbac_symlink_redirect);

48

>>> 2742

49

>>> 2743 /* This function changes the symlink content by adding a suffix, if

50

>>> 2744  * requested. It returns NULL, if unchanged, or a pointer to a

51

>>> 2745  * kmalloc'd new char * otherwise, which has to be kfree'd after

52

>>> use.

53

>>> 2746  */

54

>>> 2747 *char * rsbac_symlink_redirect(

55

>>> 2748   struct inode * inode_p,

56

>>> 2749   const char * name,

57

>>> 2750   u_int maxlen)*

58

>>> 2751   {

59

>>> 2752 #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) ||

60

>>> defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC)

61

>>> || defined(CONFIG_RSBAC_SYM_REDIR_UID)

62

>>> 2753   *  union rsbac_target_id_t * i_tid_p;

63

>>> 2754     int err;

64

>>> 2755     union rsbac_attribute_value_t i_attr_val;*

65

>>> 2756 #endif

66

>>> .

67

>>> .

68

>>> .

69

>>>  #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) ||

70

>>> defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC)

71

>>> || defined(CONFIG_RSBAC_SYM_REDIR_UID)

72

>>> 2793   *  i_tid_p = kmalloc(sizeof(*i_tid_p), GFP_KERNEL);*

73

>>> 2794     if(!i_tid_p)

74

>>> 2795       {

75

>>> 2796         rsbac_printk(KERN_DEBUG

76

>>> 2797            "rsbac_symlink_redirect(): not enough memory for symlink

77

>>> redir remote ip inode %u on dev %02u:%02u!\n",

78

>>> 2798            inode_p->i_ino,

79

>>> 2799            RSBAC_MAJOR(inode_p->i_sb->s_dev),

80

>>> RSBAC_MINOR(inode_p->i_sb->s_dev) );

81

>>> 2800         return NULL;

82

>>> 2801       }

83

>>> 2802     i_tid_p->symlink.device = inode_p->i_sb->s_dev;

84

>>> 2803     i_tid_p->symlink.inode = inode_p->i_ino;

85

>>> 2804     i_tid_p->symlink.dentry_p = NULL;

86

>>> 2805 #endif

87

>>>

88

>>>

89

>>> So,  Would be safe maintain the namei.c related part from fixation patch

90

>>> as is isn't it?

91

>>>

92

>>> This in particular:

93

>>>

94

>>>

95

>>> #ifdef CONFIG_RSBAC_SYM_REDIR

96

>>>     rsbac_name = rsbac_symlink_redirect(dentry->d_inode, link, buflen);

97

>>>     if (rsbac_name) {

98

>>>         len = strlen(rsbac_name);

99

>>>         if (copy_to_user(buffer, rsbac_name, len))

100

>>>             len = -EFAULT;

101

>>>         kfree(rsbac_name);

102

>>>     }

103

>>>     else

104

>>> #endif

105

>>>     if (len < sizeof(tmpbuf)) {

106

>>>         memcpy(tmpbuf, link, len);

107

>>>         newlink = tmpbuf;

108

>>>     } else

109

>>>         newlink = link;

110

>>>

111

>>>     if (copy_to_user(buffer, newlink, len))

112

>>>         len = -EFAULT;

113

>>> out:

114

>>>     return len;

115

>>> }

116

>>>

117

>>> This piece of code doesn't change usually change in rsbac as I would had

118

>>> seen, so fixation patch should stay equal towards (if switched correct PaX

119

>>> patch and rsbac patch it only rejects in this four positions and always the

120

>>> same ones, so fixation patch should work for another versions too..

121

>>>

122

>>> Thanks a lot pageexec.

123

>>>

124

>>>

125

>>>

126

>>> 2013/7/29 PaX Team <pageexec@×××××.com>

127

>>>

128

>>>> On 29 Jul 2013 at 6:23, Javier Juan Martínez Cabezón wrote:

129

>>>>

130

>>>> > PaX tries to do this modification to rsbac git code:

131

>>>> >

132

>>>> > --- fs/namei.c    2013-03-19 01:53:21.091281869 +0100

133

>>>> > +++ fs/namei.c    2013-03-19 01:53:31.251281326 +0100

134

>>>> > @@ -3954,7 +3956,14 @@

135

>>>> >      len = strlen(link);

136

>>>> >      if (len > (unsigned) buflen)

137

>>>> >          len = buflen;

138

>>>> > -    if (copy_to_user(buffer, link, len))

139

>>>> > +

140

>>>> > +    if (len < sizeof(tmpbuf)) {

141

>>>> > +        memcpy(tmpbuf, link, len);

142

>>>> > +        newlink = tmpbuf;

143

>>>> > +    } else

144

>>>> > +        newlink = link;

145

>>>> > +

146

>>>> > +    if (copy_to_user(buffer, newlink, len))

147

>>>> >          len = -EFAULT;

148

>>>> >  out:

149

>>>> >      return len;

150

>>>>

151

>>>> this change is done for USERCOPY to prevent false positive reports when

152

>>>> the

153

>>>> name comes from a dentry field (vs. a normal kmalloc slab) or something

154

>>>> like that. if you want to enable USERCOPY under RSBAC as well then

155

>>>> you'll

156

>>>> have to ensure that either rsbac_name is allocated by a normal kmalloc

157

>>>> (this

158

>>>> seems to be the case already from a quick look) or you'll have to do the

159

>>>> temporary stack copy as done in the above snippet.

160

>>>>

161

>>>>

162

>>>>

163

>>>>

164

>>>

165

>>

166

>

1	excuse me by errata is #include <linux/sched/sysctl.h> :S
2
3	2013/7/31 Javier Juan Martínez Cabezón <tazok.id0@×××××.com>
4
5	> To be able to compile rsbac kernel CONFIG_UIDGIT_STRICT_TYPE_CHECKS and
6	> CONFIG_USER_NS have to be disabled in kernel config. To apply PaX patch
7	> fixation patch in kernel 3.10 with PaX Patch to this kernel, a
8	> #include<sched/sysctl.h> have to be included in mprotect.c
9	>
10	>
11	>
12	> 2013/7/29 Javier Juan Martínez Cabezón <tazok.id0@×××××.com>
13	>
14	>> Tomwij, blueness, as rsbac_sources maintainers, if you want to test
15	>> fixation Patch with the source I have pointed in my initial mail, expect
16	>> some troubles in compilation (conflicting types with k_uidt. I think it's
17	>> not related with fixation Patch, but with rsbac instead, and git in
18	>> particular an something puntual :-S. So when I could make it compile (I
19	>> have asked about this to ao, tested with rsbac 3.10 too...with same result)
20	>> I will tell you,
21	>>
22	>> Rsbac git is now (as I have seen this night) with troubles and I could
23	>> only get rsbac sources from webgit clicking in "snapshot"
24	>>
25	>>
26	>>
27	>>
28	>>
29	>>
30	>> 2013/7/29 Javier Juan Martínez Cabezón <tazok.id0@×××××.com>
31	>>
32	>>> Hi and thanks for your answer, in rsbac code in namei.c this code:
33	>>>
34	>>>
35	>>> rsbac_name = rsbac_symlink_redirect(dentry-
36	>>> >d_inode, link, buflen);
37	>>>
38	>>> assigns to rsbac_name the result of rsbac_symlink_redirect()
39	>>>
40	>>> the part I have found about rsbac_symlink_redirect definition is this
41	>>> (from adf_main.c, rsbac only code)
42	>>>
43	>>> (
44	>>> http://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-3.8.y.git;a=blob;f=rsbac/adf/adf_main.c;h=decb72b3648cf4353deead1b880048bbfa17a035;hb=HEAD:
45	>>>
46	>>> #ifdef CONFIG_RSBAC_SYM_REDIR
47	>>> 2741 EXPORT_SYMBOL(rsbac_symlink_redirect);
48	>>> 2742
49	>>> 2743 /* This function changes the symlink content by adding a suffix, if
50	>>> 2744 * requested. It returns NULL, if unchanged, or a pointer to a
51	>>> 2745 * kmalloc'd new char * otherwise, which has to be kfree'd after
52	>>> use.
53	>>> 2746 */
54	>>> 2747 char rsbac_symlink_redirect(
55	>>> 2748 struct inode * inode_p,
56	>>> 2749 const char * name,
57	>>> 2750 u_int maxlen)*
58	>>> 2751 {
59	>>> 2752 #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) \|\|
60	>>> defined(CONFIG_RSBAC_SYM_REDIR_MAC) \|\| defined(CONFIG_RSBAC_SYM_REDIR_RC)
61	>>> \|\| defined(CONFIG_RSBAC_SYM_REDIR_UID)
62	>>> 2753 * union rsbac_target_id_t * i_tid_p;
63	>>> 2754 int err;
64	>>> 2755 union rsbac_attribute_value_t i_attr_val;*
65	>>> 2756 #endif
66	>>> .
67	>>> .
68	>>> .
69	>>> #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) \|\|
70	>>> defined(CONFIG_RSBAC_SYM_REDIR_MAC) \|\| defined(CONFIG_RSBAC_SYM_REDIR_RC)
71	>>> \|\| defined(CONFIG_RSBAC_SYM_REDIR_UID)
72	>>> 2793 * i_tid_p = kmalloc(sizeof(i_tid_p), GFP_KERNEL);
73	>>> 2794 if(!i_tid_p)
74	>>> 2795 {
75	>>> 2796 rsbac_printk(KERN_DEBUG
76	>>> 2797 "rsbac_symlink_redirect(): not enough memory for symlink
77	>>> redir remote ip inode %u on dev %02u:%02u!\n",
78	>>> 2798 inode_p->i_ino,
79	>>> 2799 RSBAC_MAJOR(inode_p->i_sb->s_dev),
80	>>> RSBAC_MINOR(inode_p->i_sb->s_dev) );
81	>>> 2800 return NULL;
82	>>> 2801 }
83	>>> 2802 i_tid_p->symlink.device = inode_p->i_sb->s_dev;
84	>>> 2803 i_tid_p->symlink.inode = inode_p->i_ino;
85	>>> 2804 i_tid_p->symlink.dentry_p = NULL;
86	>>> 2805 #endif
87	>>>
88	>>>
89	>>> So, Would be safe maintain the namei.c related part from fixation patch
90	>>> as is isn't it?
91	>>>
92	>>> This in particular:
93	>>>
94	>>>
95	>>> #ifdef CONFIG_RSBAC_SYM_REDIR
96	>>> rsbac_name = rsbac_symlink_redirect(dentry->d_inode, link, buflen);
97	>>> if (rsbac_name) {
98	>>> len = strlen(rsbac_name);
99	>>> if (copy_to_user(buffer, rsbac_name, len))
100	>>> len = -EFAULT;
101	>>> kfree(rsbac_name);
102	>>> }
103	>>> else
104	>>> #endif
105	>>> if (len < sizeof(tmpbuf)) {
106	>>> memcpy(tmpbuf, link, len);
107	>>> newlink = tmpbuf;
108	>>> } else
109	>>> newlink = link;
110	>>>
111	>>> if (copy_to_user(buffer, newlink, len))
112	>>> len = -EFAULT;
113	>>> out:
114	>>> return len;
115	>>> }
116	>>>
117	>>> This piece of code doesn't change usually change in rsbac as I would had
118	>>> seen, so fixation patch should stay equal towards (if switched correct PaX
119	>>> patch and rsbac patch it only rejects in this four positions and always the
120	>>> same ones, so fixation patch should work for another versions too..
121	>>>
122	>>> Thanks a lot pageexec.
123	>>>
124	>>>
125	>>>
126	>>> 2013/7/29 PaX Team <pageexec@×××××.com>
127	>>>
128	>>>> On 29 Jul 2013 at 6:23, Javier Juan Martínez Cabezón wrote:
129	>>>>
130	>>>> > PaX tries to do this modification to rsbac git code:
131	>>>> >
132	>>>> > --- fs/namei.c 2013-03-19 01:53:21.091281869 +0100
133	>>>> > +++ fs/namei.c 2013-03-19 01:53:31.251281326 +0100
134	>>>> > @@ -3954,7 +3956,14 @@
135	>>>> > len = strlen(link);
136	>>>> > if (len > (unsigned) buflen)
137	>>>> > len = buflen;
138	>>>> > - if (copy_to_user(buffer, link, len))
139	>>>> > +
140	>>>> > + if (len < sizeof(tmpbuf)) {
141	>>>> > + memcpy(tmpbuf, link, len);
142	>>>> > + newlink = tmpbuf;
143	>>>> > + } else
144	>>>> > + newlink = link;
145	>>>> > +
146	>>>> > + if (copy_to_user(buffer, newlink, len))
147	>>>> > len = -EFAULT;
148	>>>> > out:
149	>>>> > return len;
150	>>>>
151	>>>> this change is done for USERCOPY to prevent false positive reports when
152	>>>> the
153	>>>> name comes from a dentry field (vs. a normal kmalloc slab) or something
154	>>>> like that. if you want to enable USERCOPY under RSBAC as well then
155	>>>> you'll
156	>>>> have to ensure that either rsbac_name is allocated by a normal kmalloc
157	>>>> (this
158	>>>> seems to be the case already from a quick look) or you'll have to do the
159	>>>> temporary stack copy as done in the above snippet.
160	>>>>
161	>>>>
162	>>>>
163	>>>>
164	>>>
165	>>
166	>

Gentoo Archives: gentoo-hardened