On Fri, Dec 13, 2019 at 03:28:38PM -0500, Stephen Smalley wrote: > Randomize the layout of key selinux data structures. > Initially this is applied to the selinux_state, selinux_ss, > policydb, and task_security_struct data structures. > > NB To test/use this mechanism, one must install the > necessary build-time dependencies, e.g. gcc-plugin-devel on Fedora, > and enable CONFIG_GCC_PLUGIN_RANDSTRUCT in the kernel configuration. > > Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> -Kees > --- > I would have expected that two kernels built with the same config > with this enabled would have yielded different struct layouts in > pahole vmlinux output, but that doesn't appear to be the case. They > do have different seeds. Am I doing something wrong? > Also, does DEBUG_INFO_BTF effectively undermine/negate the benefits of this > change if enabled? > > security/selinux/include/objsec.h | 2 +- > security/selinux/include/security.h | 2 +- > security/selinux/ss/policydb.h | 2 +- > security/selinux/ss/services.h | 2 +- > 4 files changed, 4 insertions(+), 4 deletions(-) >
> diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
> index a4a86cbcfb0a..330b7b6d44e0 100644
> --- a/security/selinux/include/objsec.h
> +++ b/security/selinux/include/objsec.h
> @@ -35,7 +35,7 @@ struct task_security_struct {
> u32 create_sid; /* fscreate SID */
> u32 keycreate_sid; /* keycreate SID */
> u32 sockcreate_sid; /* fscreate SID */
> -};
> +} __randomize_layout;
>
> enum label_initialized {
> LABEL_INVALID, /* invalid or not initialized */
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 49737087ad33..3ea406ad91b6 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -110,7 +110,7 @@ struct selinux_state {
> bool policycap[__POLICYDB_CAPABILITY_MAX];
> struct selinux_avc *avc;
> struct selinux_ss *ss;
> -};
> +} __randomize_layout;
>
> void selinux_ss_init(struct selinux_ss **ss);
> void selinux_avc_init(struct selinux_avc **avc);
> diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
> index bc56b14e2216..98afe52a3d19 100644
> --- a/security/selinux/ss/policydb.h
> +++ b/security/selinux/ss/policydb.h
> @@ -307,7 +307,7 @@ struct policydb {
>
> u16 process_class;
> u32 process_trans_perms;
> -};
> +} __randomize_layout;;
>
> extern void policydb_destroy(struct policydb *p);
> extern int policydb_load_isids(struct policydb *p, struct sidtab *s);
> diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h
> index fc40640a9725..c5896f39e8f6 100644
> --- a/security/selinux/ss/services.h
> +++ b/security/selinux/ss/services.h
> @@ -31,7 +31,7 @@ struct selinux_ss {
> struct selinux_map map;
> struct page *status_page;
> struct mutex status_lock;
> -};
> +} __randomize_layout;
>
> void services_compute_xperms_drivers(struct extended_perms *xperms,
> struct avtab_node *node);
> -- > 2.23.0 > -- Kees Cook
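Review bot: Once `struct selinux_state` carries `__randomize_layout`, the randstruct plugin requires every initializer of that type to be fully designated (positional initializers of a randomized struct are rejected when the plugin is enabled), and the same constraint applies to task_security_struct, policydb and selinux_ss in the other three hunks. The definitions that initialize these objects live outside the patch (the global selinux_state in hooks.c, for instance), so it is worth confirming they use `.field = value` form before CONFIG_GCC_PLUGIN_RANDSTRUCT is turned on; nothing in the hunks themselves shows it. Because `__randomize_layout` expands to nothing without the plugin, such a problem would surface only in a RANDSTRUCT build rather than in the default configuration. A one-line comment above each struct, e.g. `/* layout randomized under CONFIG_GCC_PLUGIN_RANDSTRUCT: initialize with designated initializers only */`, would make the constraint visible to future editors.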
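Review bot: The added line `} __randomize_layout;;` in the policydb.h hunk carries a doubled semicolon, leaving an empty declaration at file scope after the struct, while the other three hunks correctly use a single one. It compiles silently under the kernel's usual warning flags but is diagnosed by `-Wpedantic` ("ISO C does not allow extra ';' outside of a function") and reads as a typo, so the line should be `} __randomize_layout;`.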