Re: Should mprotect(..., PROT_EXEC) be checked by IMA?

Hi Mimi,

I guess it could be done similarly to the SELinux function:
---8<------------------------------------------------------------------------
static int selinux_file_mprotect(struct vm_area_struct *vma,
                                 unsigned long reqprot,
                                 unsigned long prot)
{
        const struct cred *cred = current_cred();
        u32 sid = cred_sid(cred);

        if (selinux_state.checkreqprot)
                prot = reqprot;

        if (default_noexec &&
            (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
                int rc = 0;
                if (vma->vm_start >= vma->vm_mm->start_brk &&
                    vma->vm_end <= vma->vm_mm->brk) {
                        rc = avc_has_perm(&selinux_state,
                                          sid, sid, SECCLASS_PROCESS,
                                          PROCESS__EXECHEAP, NULL);
                } else if (!vma->vm_file &&
                           ((vma->vm_start <= vma->vm_mm->start_stack &&
                             vma->vm_end >= vma->vm_mm->start_stack) ||
                            vma_is_stack_for_current(vma))) {
                        rc = avc_has_perm(&selinux_state,
                                          sid, sid, SECCLASS_PROCESS,
                                          PROCESS__EXECSTACK, NULL);
                } else if (vma->vm_file && vma->anon_vma) {
                        /*
                         * We are making executable a file mapping that has
                         * had some COW done. Since pages might have been
                         * written, check ability to execute the possibly
                         * modified content.  This typically should only
                         * occur for text relocations.
                         */
                        rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
                }
                if (rc)
                        return rc;
        }

        return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
}
---8<------------------------------------------------------------------------

The structure vm_area_struct has a pointer vm_file pointing to the mapped file,
so it could be used to determine which file's xattrs to check.

Thanks.

On 19.03.2019 0:48, Mimi Zohar wrote:
> On Mon, 2019-03-18 at 18:18 +0300, Igor Zhbanov wrote:
>> Hello!
>>
>> I've found that IMA checks for executable mmap()s but not for the
>> combination of mmap(..., PROT_READ, ...) + mprotect(..., PROT_EXEC).
>>
>> So it looks like it is possible to load arbitrary executable code
>> by rewriting the dlopen() and dlsym() functions to map all ELF segments
>> read-only first, then making them executable with mprotect().
>>
>> So should security_file_mprotect() be changed similarly
>> to security_mmap_file() to call the IMA security hook?
>
> How?  security_mmap_file() is passed a file descriptor and the signature,
> stored as an xattr, can be verified.
>
> Mimi

--
Igor Zhbanov
Deputy Technical Director for Technologies
Open Mobile Platform LLC (ООО «Открытая мобильная платформа»)
Tel.: +7 495 269-07-79, ext. 606
Mob.: +7 903 001-98-55
E-mail: i.zhbanov@xxxxxxxxxxxx
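To make concrete what such a hook would have to decide once it has vma->vm_file, here is a small userspace model added as an illustration (not kernel code and not part of this thread): a constructed struct standing in for vm_area_struct with only the fields the SELinux hook above inspects, and a classifier that mirrors that hook's structure. The verdict names and the VM_EXEC bit value are this example's own assumptions; it also covers a caveat beyond the thread's case, namely that a file mapping already written to (anon_vma set, the SELinux EXECMOD case) is no longer covered by the file's xattr signature, so appraising vm_file alone is not sufficient there.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/mman.h>

/* Constructed stand-in for vm_area_struct (added example, not kernel code):
 * only the fields the SELinux hook above inspects. VM_EXEC is the kernel's bit. */
#define VM_EXEC 0x00000004UL

struct vma_model {
	const char *file;       /* vma->vm_file; NULL means anonymous memory */
	bool anon_vma;          /* vma->anon_vma: COW pages exist in the mapping */
	unsigned long vm_flags; /* current protection bits of the mapping */
};

enum mprotect_verdict {
	MPROTECT_NO_CHECK,      /* mapping does not gain PROT_EXEC */
	MPROTECT_APPRAISE_FILE, /* file-backed: verify the signature xattr on vm_file */
	MPROTECT_FILE_MODIFIED, /* file-backed but COW'd: xattr no longer covers the pages */
	MPROTECT_ANON_NO_FILE,  /* anonymous: no inode, so no xattr to appraise */
};

/* Same shape as selinux_file_mprotect(): only a transition to executable is
 * interesting; what can then be checked depends on whether vm_file exists and
 * whether the mapping was written to (anon_vma), as in the EXECMOD case. */
enum mprotect_verdict ima_mprotect_verdict(const struct vma_model *vma,
					   unsigned long prot)
{
	if (!(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
		return MPROTECT_NO_CHECK;
	if (!vma->file)
		return MPROTECT_ANON_NO_FILE;
	if (vma->anon_vma)
		return MPROTECT_FILE_MODIFIED;
	return MPROTECT_APPRAISE_FILE;
}
/* Describe a mapping in one call (used by main below and by tests). */
enum mprotect_verdict verdict_for(const char *file, bool anon_vma,
				  unsigned long vm_flags, unsigned long prot)
{
	struct vma_model vma = { file, anon_vma, vm_flags };
	return ima_mprotect_verdict(&vma, prot);
}
int main(void)
{
	/* The thread's case: mmap(PROT_READ) of a library, then mprotect(PROT_EXEC). */
	printf("ro file -> exec: %d\n", verdict_for("libfoo.so", false, 0, PROT_EXEC));
	/* Text relocations wrote into the mapping first: the file's signature does not cover them. */
	printf("cow file -> exec: %d\n", verdict_for("libfoo.so", true, 0, PROT_EXEC));
	return 0;
}
```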



