mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-17 10:27:26 -05:00
67 lines
1.8 KiB
Diff
67 lines
1.8 KiB
Diff
|
From 22f6b4d34fcf039c63a94e7670e0da24f8575a5a Mon Sep 17 00:00:00 2001
|
||
|
From: Jann Horn <jann@thejh.net>
|
||
|
Date: Fri, 16 Sep 2016 00:31:22 +0200
|
||
|
Subject: aio: mark AIO pseudo-fs noexec
|
||
|
|
||
|
This ensures that do_mmap() won't implicitly make AIO memory mappings
|
||
|
executable if the READ_IMPLIES_EXEC personality flag is set. Such
|
||
|
behavior is problematic because the security_mmap_file LSM hook doesn't
|
||
|
catch this case, potentially permitting an attacker to bypass a W^X
|
||
|
policy enforced by SELinux.
|
||
|
|
||
|
I have tested the patch on my machine.
|
||
|
|
||
|
To test the behavior, compile and run this:
|
||
|
|
||
|
#define _GNU_SOURCE
|
||
|
#include <unistd.h>
|
||
|
#include <sys/personality.h>
|
||
|
#include <linux/aio_abi.h>
|
||
|
#include <err.h>
|
||
|
#include <stdlib.h>
|
||
|
#include <stdio.h>
|
||
|
#include <sys/syscall.h>
|
||
|
|
||
|
int main(void) {
|
||
|
personality(READ_IMPLIES_EXEC);
|
||
|
aio_context_t ctx = 0;
|
||
|
if (syscall(__NR_io_setup, 1, &ctx))
|
||
|
err(1, "io_setup");
|
||
|
|
||
|
char cmd[1000];
|
||
|
sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
|
||
|
(int)getpid());
|
||
|
system(cmd);
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
In the output, "rw-s" is good, "rwxs" is bad.
|
||
|
|
||
|
Signed-off-by: Jann Horn <jann@thejh.net>
|
||
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||
|
---
|
||
|
fs/aio.c | 7 ++++++-
|
||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/fs/aio.c b/fs/aio.c
|
||
|
index fb8e45b..4fe81d1 100644
|
||
|
--- a/fs/aio.c
|
||
|
+++ b/fs/aio.c
|
||
|
@@ -239,7 +239,12 @@ static struct dentry *aio_mount(struct file_system_type *fs_type,
|
||
|
static const struct dentry_operations ops = {
|
||
|
.d_dname = simple_dname,
|
||
|
};
|
||
|
- return mount_pseudo(fs_type, "aio:", NULL, &ops, AIO_RING_MAGIC);
|
||
|
+ struct dentry *root = mount_pseudo(fs_type, "aio:", NULL, &ops,
|
||
|
+ AIO_RING_MAGIC);
|
||
|
+
|
||
|
+ if (!IS_ERR(root))
|
||
|
+ root->d_sb->s_iflags |= SB_I_NOEXEC;
|
||
|
+ return root;
|
||
|
}
|
||
|
|
||
|
/* aio_setup
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|