On Thu, May 04, 2023 at 02:30:02PM -0700, Michael McCracken wrote:
> Add config RO_RANDMAP_SYSCTL to set the mode of the randomize_va_space
> sysctl to 0444 to disallow all runtime changes. This will prevent
> accidental changing of this value by a root service.
>
> The config is disabled by default to avoid surprises.
>
> Signed-off-by: Michael McCracken <michael.mccracken@xxxxxxxxx>
> ---
> kernel/sysctl.c | 4 ++++
> mm/Kconfig | 7 +++++++
> 2 files changed, 11 insertions(+)
>
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index bfe53e835524..c5aafb734abe 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -1913,7 +1913,11 @@ static struct ctl_table kern_table[] = {
> .procname = "randomize_va_space",
> .data = &randomize_va_space,
> .maxlen = sizeof(int),
> +#if defined(CONFIG_RO_RANDMAP_SYSCTL)
> + .mode = 0444,
> +#else
> .mode = 0644,
> +#endif
The way we've dealt with this in the past for similarly sensitive
sysctl variables to was set a "locked" position. (e.g. 0==off, 1==on,
2==cannot be turned off). In this case, we could make it, 0, 1, 2,
3==forced on full.
I note that there is actually no min/max (extra1/extra2) for this sysctl,
which is itself a bug, IMO. And there is just a magic "> 1" test that
should be a define or enum:
fs/binfmt_elf.c: if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {
I think much of this should be improved.
Regardless, take a look at yama_dointvec_minmax(), which could, perhaps,
be generalized and used here.
Then we have a run-time way to manage this bit, without needing full
kernel rebuilds, etc, etc.
-Kees
--
Kees Cook
