| Message ID | 20210613064359.389683-1-liq3ea@163.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | security: add LSM hook at the memfd_create point | expand |
On 6/12/2021 11:43 PM, Li Qiang wrote: > memfd_create is often used in the fileless attack. > Let's create a LSM hook so that we can detect and prevent > anonymous file creation. > > Signed-off-by: Li Qiang <liq3ea@163.com> We don't add LSM hooks on speculation. Resubmit when you have an LSM that needs the hook. > --- > include/linux/lsm_hook_defs.h | 4 ++++ > include/linux/lsm_hooks.h | 5 +++++ > include/linux/security.h | 15 +++++++++++++++ > mm/memfd.c | 6 ++++++ > security/security.c | 7 +++++++ > 5 files changed, 37 insertions(+) > > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > index 04c01794de83..955556d0d084 100644 > --- a/include/linux/lsm_hook_defs.h > +++ b/include/linux/lsm_hook_defs.h > @@ -403,3 +403,7 @@ LSM_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event) > LSM_HOOK(int, 0, perf_event_read, struct perf_event *event) > LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) > #endif /* CONFIG_PERF_EVENTS */ > + > +#ifdef CONFIG_MEMFD_CREATE > +LSM_HOOK(int, 0, memfd_create, const char *name, unsigned int flags) > +#endif /* CONFIG_MEMFD_CREATE */ > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 5c4c5c0602cb..e9c31dbb2783 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -1557,6 +1557,11 @@ > * Read perf_event security info if allowed. > * @perf_event_write: > * Write perf_event security info if allowed. > + * > + * Security hooks for anonymous file > + * > + * @memfd_create: > + * Check whether anonymous file creation is allowed > */ > union security_list_options { > #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__); > diff --git a/include/linux/security.h b/include/linux/security.h > index 06f7c50ce77f..44b43a7569b5 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -2037,4 +2037,19 @@ static inline int security_perf_event_write(struct perf_event *event) > #endif /* CONFIG_SECURITY */ > #endif /* CONFIG_PERF_EVENTS */ > > +#ifdef CONFIG_MEMFD_CREATE > +#ifdef CONFIG_SECURITY > + > +extern int security_memfd_create(const char *name, unsigned int flags); > + > +#else > + > +static inline int security_memfd_create(const char *name, unsigned int flags) > +{ > + return 0; > +} > + > +#endif /* CONFIG_SECURITY */ > +#endif /* CONFIG_MEMFD_CREATE */ > + > #endif /* ! __LINUX_SECURITY_H */ > diff --git a/mm/memfd.c b/mm/memfd.c > index 2647c898990c..dbd309e455d2 100644 > --- a/mm/memfd.c > +++ b/mm/memfd.c > @@ -18,6 +18,7 @@ > #include <linux/hugetlb.h> > #include <linux/shmem_fs.h> > #include <linux/memfd.h> > +#include <linux/security.h> > #include <uapi/linux/memfd.h> > > /* > @@ -290,6 +291,11 @@ SYSCALL_DEFINE2(memfd_create, > goto err_name; > } > > + if (security_memfd_create(name, flags)) { > + error = -EPERM; > + goto err_name; > + } > + > fd = get_unused_fd_flags((flags & MFD_CLOEXEC) ? O_CLOEXEC : 0); > if (fd < 0) { > error = fd; > diff --git a/security/security.c b/security/security.c > index b38155b2de83..5723408c5d0b 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -2624,3 +2624,10 @@ int security_perf_event_write(struct perf_event *event) > return call_int_hook(perf_event_write, 0, event); > } > #endif /* CONFIG_PERF_EVENTS */ > + > +#ifdef CONFIG_MEMFD_CREATE > +int security_memfd_create(const char *name, unsigned int flags) > +{ > + return call_int_hook(memfd_create, 0, name, flags); > +} > +#endif /* CONFIG_MEMFD_CREATE */
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 04c01794de83..955556d0d084 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -403,3 +403,7 @@ LSM_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event) LSM_HOOK(int, 0, perf_event_read, struct perf_event *event) LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) #endif /* CONFIG_PERF_EVENTS */ + +#ifdef CONFIG_MEMFD_CREATE +LSM_HOOK(int, 0, memfd_create, const char *name, unsigned int flags) +#endif /* CONFIG_MEMFD_CREATE */ diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 5c4c5c0602cb..e9c31dbb2783 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1557,6 +1557,11 @@ * Read perf_event security info if allowed. * @perf_event_write: * Write perf_event security info if allowed. + * + * Security hooks for anonymous file + * + * @memfd_create: + * Check whether anonymous file creation is allowed */ union security_list_options { #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__); diff --git a/include/linux/security.h b/include/linux/security.h index 06f7c50ce77f..44b43a7569b5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2037,4 +2037,19 @@ static inline int security_perf_event_write(struct perf_event *event) #endif /* CONFIG_SECURITY */ #endif /* CONFIG_PERF_EVENTS */ +#ifdef CONFIG_MEMFD_CREATE +#ifdef CONFIG_SECURITY + +extern int security_memfd_create(const char *name, unsigned int flags); + +#else + +static inline int security_memfd_create(const char *name, unsigned int flags) +{ + return 0; +} + +#endif /* CONFIG_SECURITY */ +#endif /* CONFIG_MEMFD_CREATE */ + #endif /* ! __LINUX_SECURITY_H */ diff --git a/mm/memfd.c b/mm/memfd.c index 2647c898990c..dbd309e455d2 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -18,6 +18,7 @@ #include <linux/hugetlb.h> #include <linux/shmem_fs.h> #include <linux/memfd.h> +#include <linux/security.h> #include <uapi/linux/memfd.h> /* @@ -290,6 +291,11 @@ SYSCALL_DEFINE2(memfd_create, goto err_name; } + if (security_memfd_create(name, flags)) { + error = -EPERM; + goto err_name; + } + fd = get_unused_fd_flags((flags & MFD_CLOEXEC) ? O_CLOEXEC : 0); if (fd < 0) { error = fd; diff --git a/security/security.c b/security/security.c index b38155b2de83..5723408c5d0b 100644 --- a/security/security.c +++ b/security/security.c @@ -2624,3 +2624,10 @@ int security_perf_event_write(struct perf_event *event) return call_int_hook(perf_event_write, 0, event); } #endif /* CONFIG_PERF_EVENTS */ + +#ifdef CONFIG_MEMFD_CREATE +int security_memfd_create(const char *name, unsigned int flags) +{ + return call_int_hook(memfd_create, 0, name, flags); +} +#endif /* CONFIG_MEMFD_CREATE */
memfd_create is often used in the fileless attack. Let's create a LSM hook so that we can detect and prevent anonymous file creation. Signed-off-by: Li Qiang <liq3ea@163.com> --- include/linux/lsm_hook_defs.h | 4 ++++ include/linux/lsm_hooks.h | 5 +++++ include/linux/security.h | 15 +++++++++++++++ mm/memfd.c | 6 ++++++ security/security.c | 7 +++++++ 5 files changed, 37 insertions(+)