1 |
excuse me by errata is #include <linux/sched/sysctl.h> :S |
2 |
|
3 |
2013/7/31 Javier Juan Martínez Cabezón <tazok.id0@×××××.com> |
4 |
|
5 |
> To be able to compile rsbac kernel CONFIG_UIDGIT_STRICT_TYPE_CHECKS and |
6 |
> CONFIG_USER_NS have to be disabled in kernel config. To apply PaX patch |
7 |
> fixation patch in kernel 3.10 with PaX Patch to this kernel, a |
8 |
> #include<sched/sysctl.h> have to be included in mprotect.c |
9 |
> |
10 |
> |
11 |
> |
12 |
> 2013/7/29 Javier Juan Martínez Cabezón <tazok.id0@×××××.com> |
13 |
> |
14 |
>> Tomwij, blueness, as rsbac_sources maintainers, if you want to test |
15 |
>> fixation Patch with the source I have pointed in my initial mail, expect |
16 |
>> some troubles in compilation (conflicting types with k_uidt. I think it's |
17 |
>> not related with fixation Patch, but with rsbac instead, and git in |
18 |
>> particular an something puntual :-S. So when I could make it compile (I |
19 |
>> have asked about this to ao, tested with rsbac 3.10 too...with same result) |
20 |
>> I will tell you, |
21 |
>> |
22 |
>> Rsbac git is now (as I have seen this night) with troubles and I could |
23 |
>> only get rsbac sources from webgit clicking in "snapshot" |
24 |
>> |
25 |
>> |
26 |
>> |
27 |
>> |
28 |
>> |
29 |
>> |
30 |
>> 2013/7/29 Javier Juan Martínez Cabezón <tazok.id0@×××××.com> |
31 |
>> |
32 |
>>> Hi and thanks for your answer, in rsbac code in namei.c this code: |
33 |
>>> |
34 |
>>> |
35 |
>>> rsbac_name = rsbac_symlink_redirect(dentry- |
36 |
>>> >d_inode, link, buflen); |
37 |
>>> |
38 |
>>> assigns to rsbac_name the result of rsbac_symlink_redirect() |
39 |
>>> |
40 |
>>> the part I have found about rsbac_symlink_redirect definition is this |
41 |
>>> (from adf_main.c, rsbac only code) |
42 |
>>> |
43 |
>>> ( |
44 |
>>> http://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-3.8.y.git;a=blob;f=rsbac/adf/adf_main.c;h=decb72b3648cf4353deead1b880048bbfa17a035;hb=HEAD: |
45 |
>>> |
46 |
>>> #ifdef CONFIG_RSBAC_SYM_REDIR |
47 |
>>> 2741 EXPORT_SYMBOL(rsbac_symlink_redirect); |
48 |
>>> 2742 |
49 |
>>> 2743 /* This function changes the symlink content by adding a suffix, if |
50 |
>>> 2744 * requested. It returns NULL, if unchanged, or a pointer to a |
51 |
>>> 2745 * kmalloc'd new char * otherwise, which has to be kfree'd after |
52 |
>>> use. |
53 |
>>> 2746 */ |
54 |
>>> 2747 *char * rsbac_symlink_redirect( |
55 |
>>> 2748 struct inode * inode_p, |
56 |
>>> 2749 const char * name, |
57 |
>>> 2750 u_int maxlen)* |
58 |
>>> 2751 { |
59 |
>>> 2752 #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) || |
60 |
>>> defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC) |
61 |
>>> || defined(CONFIG_RSBAC_SYM_REDIR_UID) |
62 |
>>> 2753 * union rsbac_target_id_t * i_tid_p; |
63 |
>>> 2754 int err; |
64 |
>>> 2755 union rsbac_attribute_value_t i_attr_val;* |
65 |
>>> 2756 #endif |
66 |
>>> . |
67 |
>>> . |
68 |
>>> . |
69 |
>>> #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) || |
70 |
>>> defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC) |
71 |
>>> || defined(CONFIG_RSBAC_SYM_REDIR_UID) |
72 |
>>> 2793 * i_tid_p = kmalloc(sizeof(*i_tid_p), GFP_KERNEL);* |
73 |
>>> 2794 if(!i_tid_p) |
74 |
>>> 2795 { |
75 |
>>> 2796 rsbac_printk(KERN_DEBUG |
76 |
>>> 2797 "rsbac_symlink_redirect(): not enough memory for symlink |
77 |
>>> redir remote ip inode %u on dev %02u:%02u!\n", |
78 |
>>> 2798 inode_p->i_ino, |
79 |
>>> 2799 RSBAC_MAJOR(inode_p->i_sb->s_dev), |
80 |
>>> RSBAC_MINOR(inode_p->i_sb->s_dev) ); |
81 |
>>> 2800 return NULL; |
82 |
>>> 2801 } |
83 |
>>> 2802 i_tid_p->symlink.device = inode_p->i_sb->s_dev; |
84 |
>>> 2803 i_tid_p->symlink.inode = inode_p->i_ino; |
85 |
>>> 2804 i_tid_p->symlink.dentry_p = NULL; |
86 |
>>> 2805 #endif |
87 |
>>> |
88 |
>>> |
89 |
>>> So, Would be safe maintain the namei.c related part from fixation patch |
90 |
>>> as is isn't it? |
91 |
>>> |
92 |
>>> This in particular: |
93 |
>>> |
94 |
>>> |
95 |
>>> #ifdef CONFIG_RSBAC_SYM_REDIR |
96 |
>>> rsbac_name = rsbac_symlink_redirect(dentry->d_inode, link, buflen); |
97 |
>>> if (rsbac_name) { |
98 |
>>> len = strlen(rsbac_name); |
99 |
>>> if (copy_to_user(buffer, rsbac_name, len)) |
100 |
>>> len = -EFAULT; |
101 |
>>> kfree(rsbac_name); |
102 |
>>> } |
103 |
>>> else |
104 |
>>> #endif |
105 |
>>> if (len < sizeof(tmpbuf)) { |
106 |
>>> memcpy(tmpbuf, link, len); |
107 |
>>> newlink = tmpbuf; |
108 |
>>> } else |
109 |
>>> newlink = link; |
110 |
>>> |
111 |
>>> if (copy_to_user(buffer, newlink, len)) |
112 |
>>> len = -EFAULT; |
113 |
>>> out: |
114 |
>>> return len; |
115 |
>>> } |
116 |
>>> |
117 |
>>> This piece of code doesn't change usually change in rsbac as I would had |
118 |
>>> seen, so fixation patch should stay equal towards (if switched correct PaX |
119 |
>>> patch and rsbac patch it only rejects in this four positions and always the |
120 |
>>> same ones, so fixation patch should work for another versions too.. |
121 |
>>> |
122 |
>>> Thanks a lot pageexec. |
123 |
>>> |
124 |
>>> |
125 |
>>> |
126 |
>>> 2013/7/29 PaX Team <pageexec@×××××.com> |
127 |
>>> |
128 |
>>>> On 29 Jul 2013 at 6:23, Javier Juan Martínez Cabezón wrote: |
129 |
>>>> |
130 |
>>>> > PaX tries to do this modification to rsbac git code: |
131 |
>>>> > |
132 |
>>>> > --- fs/namei.c 2013-03-19 01:53:21.091281869 +0100 |
133 |
>>>> > +++ fs/namei.c 2013-03-19 01:53:31.251281326 +0100 |
134 |
>>>> > @@ -3954,7 +3956,14 @@ |
135 |
>>>> > len = strlen(link); |
136 |
>>>> > if (len > (unsigned) buflen) |
137 |
>>>> > len = buflen; |
138 |
>>>> > - if (copy_to_user(buffer, link, len)) |
139 |
>>>> > + |
140 |
>>>> > + if (len < sizeof(tmpbuf)) { |
141 |
>>>> > + memcpy(tmpbuf, link, len); |
142 |
>>>> > + newlink = tmpbuf; |
143 |
>>>> > + } else |
144 |
>>>> > + newlink = link; |
145 |
>>>> > + |
146 |
>>>> > + if (copy_to_user(buffer, newlink, len)) |
147 |
>>>> > len = -EFAULT; |
148 |
>>>> > out: |
149 |
>>>> > return len; |
150 |
>>>> |
151 |
>>>> this change is done for USERCOPY to prevent false positive reports when |
152 |
>>>> the |
153 |
>>>> name comes from a dentry field (vs. a normal kmalloc slab) or something |
154 |
>>>> like that. if you want to enable USERCOPY under RSBAC as well then |
155 |
>>>> you'll |
156 |
>>>> have to ensure that either rsbac_name is allocated by a normal kmalloc |
157 |
>>>> (this |
158 |
>>>> seems to be the case already from a quick look) or you'll have to do the |
159 |
>>>> temporary stack copy as done in the above snippet. |
160 |
>>>> |
161 |
>>>> |
162 |
>>>> |
163 |
>>>> |
164 |
>>> |
165 |
>> |
166 |
> |