preventing executable stack with file_mprotect hook
Dmitry Mastykin
dmastykin at astralinux.ru
Tue Jan 16 12:37:45 UTC 2024
Hello all,
I use the file_mprotect hook to prevent executable stack. It's called
from mprotect syscall and prevents linkage with execstack-flagged
libraries. But I don't see it called when I execute a simple
execstack-flagged binary: int main() { char shell[100] = "\xb0\x01" //
mov al, 1 "\x31\xdb" // xor ebx, ebx "\xcd\x80" ; // int 0x80
((void(*)())shell)(); return 0; } I'm thinking about a patch like one in
the end of this message. I would be glad to have a feedback, if someone
find this reasonable. Thank you! Kind regards Dmitry Mastykin
diff --git a/fs/exec.c b/fs/exec.c
index cebfe15bbad8..0288f14f11b2 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -50,6 +50,7 @@
#include <linux/module.h>
#include <linux/namei.h>
#include <linux/mount.h>
+#include <linux/mman.h>
#include <linux/security.h>
#include <linux/syscalls.h>
#include <linux/tsacct_kern.h>
@@ -759,6 +760,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
struct vm_area_struct *vma = bprm->vma;
struct vm_area_struct *prev = NULL;
unsigned long vm_flags;
+ unsigned long prot = 0;
unsigned long stack_base;
unsigned long stack_size;
unsigned long stack_expand;
@@ -811,16 +813,19 @@ int setup_arg_pages(struct linux_binprm *bprm,
* EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
* (arch default) otherwise.
*/
- if (unlikely(executable_stack == EXSTACK_ENABLE_X))
+ if (unlikely(executable_stack == EXSTACK_ENABLE_X)) {
+ prot |= PROT_EXEC;
vm_flags |= VM_EXEC;
- else if (executable_stack == EXSTACK_DISABLE_X)
+ } else if (executable_stack == EXSTACK_DISABLE_X)
vm_flags &= ~VM_EXEC;
vm_flags |= mm->def_flags;
vm_flags |= VM_STACK_INCOMPLETE_SETUP;
tlb_gather_mmu(&tlb, mm);
- ret = mprotect_fixup(&tlb, vma, &prev, vma->vm_start, vma->vm_end,
- vm_flags);
+ ret = security_file_mprotect(vma, prot, prot);
+ if (!ret)
+ ret = mprotect_fixup(&tlb, vma, &prev,
+ vma->vm_start, vma->vm_end, vm_flags);
tlb_finish_mmu(&tlb);
if (ret)
More information about the Linux-security-module-archive
mailing list