On Tue, Dec 17, 2019 at 07:21:49PM -0500, Wenhui Zhang wrote: > In my understanding, evm is called whenever a security related attribute is > committed to VFS. > It is set as enabled by default. > (ref. > https://github.com/torvalds/linux/blob/8b68150883ca466a23e90902dd4113b22e692f04/security/integrity/evm/evm_main.c > ) Okay, so yes, complimentary. randstruct means attackers need use bugs to expose enough memory from the kernel to determine the order of structure members before they can manipulate them with a kernel bug. -Kees > > On Tue, Dec 17, 2019 at 7:16 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > > On Tue, Dec 17, 2019 at 07:12:28PM -0500, Wenhui Zhang wrote: > > > Hi, Sorry for bothering you again. > > > > > > However I came into some *evm code* in LSM, which calculates HMAC for > > data > > > structures. > > > It looks like HMAC could protect integrity of LSM data structures. > > > > > > IMHO, __randomize_layout and evm might duplicate the work, any > > instructions > > > on this please? > > > > When does the EVM code perform the checking? I would assume these are > > complimentary features rather than duplicate. > > > > -Kees > > > > > > > > > > > On Tue, Dec 17, 2019 at 6:50 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > > > > > > On Fri, Dec 13, 2019 at 03:28:38PM -0500, Stephen Smalley wrote: > > > > > Randomize the layout of key selinux data structures. > > > > > Initially this is applied to the selinux_state, selinux_ss, > > > > > policydb, and task_security_struct data structures. > > > > > > > > > > NB To test/use this mechanism, one must install the > > > > > necessary build-time dependencies, e.g. gcc-plugin-devel on Fedora, > > > > > and enable CONFIG_GCC_PLUGIN_RANDSTRUCT in the kernel configuration. > > > > > > > > > > Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> > > > > > > > > Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> > > > > > > > > -Kees > > > > > > > > > --- > > > > > I would have expected that two kernels built with the same config > > > > > with this enabled would have yielded different struct layouts in > > > > > pahole vmlinux output, but that doesn't appear to be the case. They > > > > > do have different seeds. Am I doing something wrong? > > > > > Also, does DEBUG_INFO_BTF effectively undermine/negate the benefits > > of > > > > this > > > > > change if enabled? > > > > > > > > > > security/selinux/include/objsec.h | 2 +- > > > > > security/selinux/include/security.h | 2 +- > > > > > security/selinux/ss/policydb.h | 2 +- > > > > > security/selinux/ss/services.h | 2 +- > > > > > 4 files changed, 4 insertions(+), 4 deletions(-) > > > > > > > > > > diff --git a/security/selinux/include/objsec.h > > > > b/security/selinux/include/objsec.h > > > > > index a4a86cbcfb0a..330b7b6d44e0 100644 > > > > > --- a/security/selinux/include/objsec.h > > > > > +++ b/security/selinux/include/objsec.h > > > > > @@ -35,7 +35,7 @@ struct task_security_struct { > > > > > u32 create_sid; /* fscreate SID */ > > > > > u32 keycreate_sid; /* keycreate SID */ > > > > > u32 sockcreate_sid; /* fscreate SID */ > > > > > -}; > > > > > +} __randomize_layout; > > > > > > > > > > enum label_initialized { > > > > > LABEL_INVALID, /* invalid or not initialized */ > > > > > diff --git a/security/selinux/include/security.h > > > > b/security/selinux/include/security.h > > > > > index 49737087ad33..3ea406ad91b6 100644 > > > > > --- a/security/selinux/include/security.h > > > > > +++ b/security/selinux/include/security.h > > > > > @@ -110,7 +110,7 @@ struct selinux_state { > > > > > bool policycap[__POLICYDB_CAPABILITY_MAX]; > > > > > struct selinux_avc *avc; > > > > > struct selinux_ss *ss; > > > > > -}; > > > > > +} __randomize_layout; > > > > > > > > > > void selinux_ss_init(struct selinux_ss **ss); > > > > > void selinux_avc_init(struct selinux_avc **avc); > > > > > diff --git a/security/selinux/ss/policydb.h > > > > b/security/selinux/ss/policydb.h > > > > > index bc56b14e2216..98afe52a3d19 100644 > > > > > --- a/security/selinux/ss/policydb.h > > > > > +++ b/security/selinux/ss/policydb.h > > > > > @@ -307,7 +307,7 @@ struct policydb { > > > > > > > > > > u16 process_class; > > > > > u32 process_trans_perms; > > > > > -}; > > > > > +} __randomize_layout;; > > > > > > > > > > extern void policydb_destroy(struct policydb *p); > > > > > extern int policydb_load_isids(struct policydb *p, struct sidtab > > *s); > > > > > diff --git a/security/selinux/ss/services.h > > > > b/security/selinux/ss/services.h > > > > > index fc40640a9725..c5896f39e8f6 100644 > > > > > --- a/security/selinux/ss/services.h > > > > > +++ b/security/selinux/ss/services.h > > > > > @@ -31,7 +31,7 @@ struct selinux_ss { > > > > > struct selinux_map map; > > > > > struct page *status_page; > > > > > struct mutex status_lock; > > > > > -}; > > > > > +} __randomize_layout; > > > > > > > > > > void services_compute_xperms_drivers(struct extended_perms *xperms, > > > > > struct avtab_node *node); > > > > > -- > > > > > 2.23.0 > > > > > > > > > > > > > -- > > > > Kees Cook > > > > > > > > > > > > > -- > > > V/R, > > > > > > Wenhui Zhang > > > > > > Email: wenhui@xxxxxxxxxxxxxx > > > Telephone: 1-(703) 424 3193 > > > > -- > > Kees Cook > > > > > -- > V/R, > > Wenhui Zhang > > Email: wenhui@xxxxxxxxxxxxxx > Telephone: 1-(703) 424 3193 -- Kees Cook
