On 6/12/2021 11:43 PM, Li Qiang wrote:
> memfd_create is often used in the fileless attack.
> Let's create a LSM hook so that we can detect and prevent
> anonymous file creation.
>
> Signed-off-by: Li Qiang <liq3ea@xxxxxxx>
We don't add LSM hooks on speculation. Resubmit when you have an LSM that needs the hook.
> ---
> include/linux/lsm_hook_defs.h | 4 ++++
> include/linux/lsm_hooks.h | 5 +++++
> include/linux/security.h | 15 +++++++++++++++
> mm/memfd.c | 6 ++++++
> security/security.c | 7 +++++++
> 5 files changed, 37 insertions(+)
>
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index 04c01794de83..955556d0d084 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -403,3 +403,7 @@ LSM_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event)
> LSM_HOOK(int, 0, perf_event_read, struct perf_event *event)
> LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
> #endif /* CONFIG_PERF_EVENTS */
> +
> +#ifdef CONFIG_MEMFD_CREATE
> +LSM_HOOK(int, 0, memfd_create, const char *name, unsigned int flags)
> +#endif /* CONFIG_MEMFD_CREATE */
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 5c4c5c0602cb..e9c31dbb2783 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1557,6 +1557,11 @@
> * Read perf_event security info if allowed.
> * @perf_event_write:
> * Write perf_event security info if allowed.
> + *
> + * Security hooks for anonymous file
> + *
> + * @memfd_create:
> + * Check whether anonymous file creation is allowed
> */
> union security_list_options {
> #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 06f7c50ce77f..44b43a7569b5 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
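Review bot: The hook added at the end of lsm_hook_defs.h receives only `name` and `flags`, and the call site in mm/memfd.c places it before get_unused_fd_flags(), so an LSM is asked to decide before any struct file or inode exists and has nothing it can label or inspect afterwards. The name is chosen by the requesting process (presumably the string copied from userspace earlier in memfd_create, which is outside the hunk — confirm), so a policy keyed on it is not a boundary the LSM can rely on; the decision can only be as strong as a credential or per-task check made from current. That limitation should be stated in the hook's documentation, or the hook should be given an object an LSM can label once the file is created, so that future users do not treat name-based restrictions as enforcement.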
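Review bot: The new @memfd_create entry in the lsm_hooks.h comment block documents neither its arguments nor its return convention, unlike the neighbouring perf_event entries, which say what is checked and when access is granted. Suggested text: `@memfd_create:` / `Check permission before an anonymous file is created by memfd_create(2); @name is the requested name and @flags the MFD_* flags passed by the caller.` / `Return 0 if permission is granted.` The heading `Security hooks for anonymous file` should also read `Security hooks for anonymous files` to match the plural form used by the other section headings.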
> @@ -2037,4 +2037,19 @@ static inline int security_perf_event_write(struct perf_event *event)
> #endif /* CONFIG_SECURITY */
> #endif /* CONFIG_PERF_EVENTS */
>
> +#ifdef CONFIG_MEMFD_CREATE
> +#ifdef CONFIG_SECURITY
> +
> +extern int security_memfd_create(const char *name, unsigned int flags);
> +
> +#else
> +
> +static inline int security_memfd_create(const char *name, unsigned int flags)
> +{
> + return 0;
> +}
> +
> +#endif /* CONFIG_SECURITY */
> +#endif /* CONFIG_MEMFD_CREATE */
> +
> #endif /* ! __LINUX_SECURITY_H */
> diff --git a/mm/memfd.c b/mm/memfd.c
> index 2647c898990c..dbd309e455d2 100644
> --- a/mm/memfd.c
> +++ b/mm/memfd.c
> @@ -18,6 +18,7 @@
> #include <linux/hugetlb.h>
> #include <linux/shmem_fs.h>
> #include <linux/memfd.h>
> +#include <linux/security.h>
> #include <uapi/linux/memfd.h>
>
> /*
> @@ -290,6 +291,11 @@ SYSCALL_DEFINE2(memfd_create,
> goto err_name;
> }
>
> + if (security_memfd_create(name, flags)) {
> + error = -EPERM;
> + goto err_name;
> + }
> +
> fd = get_unused_fd_flags((flags & MFD_CLOEXEC) ? O_CLOEXEC : 0);
> if (fd < 0) {
> error = fd;
> diff --git a/security/security.c b/security/security.c
> index b38155b2de83..5723408c5d0b 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2624,3 +2624,10 @@ int security_perf_event_write(struct perf_event *event)
> return call_int_hook(perf_event_write, 0, event);
> }
> #endif /* CONFIG_PERF_EVENTS */
> +
> +#ifdef CONFIG_MEMFD_CREATE
> +int security_memfd_create(const char *name, unsigned int flags)
> +{
> + return call_int_hook(memfd_create, 0, name, flags);
> +}
> +#endif /* CONFIG_MEMFD_CREATE */
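Review bot: The added check in memfd_create() throws away the hook's return value and substitutes -EPERM, so an LSM that returns -EACCES or any other specific code has it rewritten before it reaches userspace and before the cleanup path sees it; the pattern used at other security_*() call sites is to propagate the value: `error = security_memfd_create(name, flags);` / `if (error)` / `goto err_name;`. The enclosing SYSCALL_DEFINE2(memfd_create, ...) body starts and ends outside the hunk, so I cannot see how `error` is declared, but the existing `error = fd;` two lines below suggests it is the local returned on the err_name path. It would also help to confirm in a one-line comment that `name` here is the kernel-side copy (the err_name label implies it has already been allocated) rather than the user pointer, since the hook signature gives the LSM no way to tell.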