| From 7c57d60d77d05ad26fe7ea6effb9c02fcf5208cc Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Date: Thu, 15 Dec 2016 13:07:19 -0800 |
| Subject: [PATCH 2/3] Introduce CONFIG_READONLY_USERMODEHELPER |
| |
| If you can write to kernel memory, an "easy" way to get the kernel to |
| run any application is to change the pointer of one of the usermode |
| helper program names. To try to mitigate this, create a new config |
| option, CONFIG_READONLY_USERMODEHELPER. |
| |
| This option only allows "predefined" binaries to be called. A number of |
| drivers and subsystems allow for the name of the binary to be changed, |
| and this config option disables that capability, so be aware of that. |
| |
| Note: This is still a proof-of-concept at this point in time; it doesn't |
| cover all of the call_usermodehelper() calls just yet, including the "fun" |
| of coredumps, so it's still a work in progress. |
| |
| Not-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| include/linux/kmod.h | 6 ++++++ |
| security/Kconfig | 17 +++++++++++++++++ |
| 2 files changed, 23 insertions(+) |
| |
| --- a/include/linux/kmod.h |
| +++ b/include/linux/kmod.h |
| @@ -53,6 +53,12 @@ struct file; |
| #define UMH_WAIT_PROC 2 /* wait for the process to complete */ |
| #define UMH_KILLABLE 4 /* wait for EXEC/PROC killable */ |
| |
| +#ifdef CONFIG_READONLY_USERMODEHELPER |
| +# define __ro_umh const |
| +#else |
| +# define __ro_umh /**/ |
| +#endif |
| + |
| struct subprocess_info { |
| struct work_struct work; |
| struct completion *complete; |
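Review bot: The new `__ro_umh` macro carries no comment saying what it is for, and the `#else` branch spells the empty expansion as `/**/`, which reads like a leftover rather than an intentional empty define. I would put `/* Qualifies usermode-helper path strings as const (read-only memory) when CONFIG_READONLY_USERMODEHELPER is set; the runtime setters for those strings must be compiled out under the same option. */` above the `#ifdef`, and write the fallback as a plain `# define __ro_umh`. The macro's consumers are not in this patch (it is 2/3), so whether every writer of an `__ro_umh`-qualified name is actually guarded is something the rest of the series, not this hunk, has to show. The `#ifdef` also assumes the CONFIG_ symbol is visible at this point in kmod.h, which I take to come from the kernel's autoconf include rather than from anything in this hunk.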
| --- a/security/Kconfig |
| +++ b/security/Kconfig |
| @@ -193,6 +193,23 @@ config STATIC_USERMODEHELPER_PATH |
| If you wish for all usermode helper programs to be disabled, |
| specify an empty string here (i.e. ""). |
| |
| +config READONLY_USERMODEHELPER |
| + bool "Make User Mode Helper program names read-only" |
| + default N |
| + help |
| + Some user mode helper program names can be changed at runtime |
| + by userspace programs. Prevent this from happening by "hard |
| + coding" all user mode helper program names at kernel build |
| + time, moving the names into read-only memory, making it harder |
| + for any arbritrary program to be run as root if something were |
| + to go wrong. |
| + |
| + Note, some subsystems and drivers allow their user mode helper |
| + binary to be changed with a module parameter, sysctl, sysfs |
| + file, or some combination of these. Enabling this option |
| + prevents the binary name to be changed, which might not be |
| + good for some systems. |
| + |
| source security/selinux/Kconfig |
| source security/smack/Kconfig |
| source security/tomoyo/Kconfig |
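Review bot: The help text misspells `arbritrary` (the line "for any arbritrary program") and should read `arbitrary`, and the sentence `prevents the binary name to be changed` should be `prevents the binary name from being changed`. The `default N` line is out of place as well: a bool symbol already defaults to n, and Kconfig values are written in lowercase, so the line should be dropped rather than corrected. Since the option is placed directly after STATIC_USERMODEHELPER_PATH, the help text would benefit from one sentence saying how the two relate (whether READONLY_USERMODEHELPER stands on its own or only hardens the paths that STATIC_USERMODEHELPER leaves changeable), which I cannot tell from this hunk alone.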