diff --git a/xpm/Makefile b/xpm/Makefile index 3fddf33f57573afd5f0f23f7007b3b7771bbc6cd..61163a23062bb6129f8d210bbf98f6e2e35b81ae 100644 --- a/xpm/Makefile +++ b/xpm/Makefile @@ -14,7 +14,8 @@ obj-$(CONFIG_SECURITY_XPM) += \ core/xpm_report.o \ validator/elf_code_segment_info.o \ validator/exec_signature_info.o \ - developer/dsmm_developer.o + developer/dsmm_developer.o \ + secureshield/dsmm_secureshield.o obj-$(CONFIG_SECURITY_XPM_DEBUG) += \ core/xpm_debugfs.o @@ -23,6 +24,7 @@ ccflags-$(CONFIG_SECURITY_XPM) += \ -I$(srctree)/security/xpm/core \ -I$(srctree)/security/xpm/validator \ -I$(srctree)/security/xpm/developer \ + -I$(srctree)/security/xpm/secureshield \ -I$(srctree)/security/selinux/include \ -I$(srctree)/security/selinux \ -I$(srctree)/fs \ diff --git a/xpm/core/xpm_security_hooks.c b/xpm/core/xpm_security_hooks.c index bb60507f46ea969d8995823632173fce1cc5fee9..103a7c6bfb25eac4b95bc41476c4bc3f575b75e8 100644 --- a/xpm/core/xpm_security_hooks.c +++ b/xpm/core/xpm_security_hooks.c @@ -12,6 +12,7 @@ #include "exec_signature_info.h" #include "fsverity_private.h" #include "code_sign_ext.h" +#include "dsmm_secureshield.h" #include "xpm_common.h" #include "xpm_debugfs.h" #include "xpm_log.h" 
@@ -319,15 +320,22 @@ static int xpm_check_prot(struct vm_area_struct *vma, unsigned long prot) /* check for anonymous vma prot, anonymous executable permission need * controled by selinux + * in secure shield mode, all anon + x is forbidden + * in default mode, temporarily allow anon + x allocation */ - if (is_anon && (prot & PROT_EXEC)) { - ret = xpm_avc_has_perm(SECCLASS_XPM, XPM__EXEC_ANON_MEM); - if (ret) { - report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot); - return -EPERM; + if (vma_is_anonymous(vma) && (prot & PROT_EXEC)) { + if (dsmm_is_secureshield_enabled()) { + ret = -EPERM; + report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot); + } else { + ret = xpm_avc_has_perm(SECCLASS_XPM, XPM__EXEC_ANON_MEM); + if (ret) { + ret = 0; + report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot); + } } - return 0; + return ret; } /* check for non-anonymous vma prot */ diff --git a/xpm/secureshield/dsmm_secureshield.c b/xpm/secureshield/dsmm_secureshield.c new file mode 100644 index 0000000000000000000000000000000000000000..c983bdcc1d43f4a8fcae0ca1cce87814fca37ea1 --- /dev/null +++ b/xpm/secureshield/dsmm_secureshield.c 
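Review bot: In the default-mode branch, a denial from `xpm_avc_has_perm(SECCLASS_XPM, XPM__EXEC_ANON_MEM)` is overwritten with `ret = 0`, so the policy decision no longer blocks the mapping, and the `report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot)` call is byte-identical to the one in the enforcing secure-shield branch, which leaves whoever consumes those reports unable to tell an enforced denial from a permit-and-log. Consider carrying the outcome in the report (a distinct event value beside `ANON_EXEC`, or at least a log line such as `xpm_log_info("anon exec permitted in default mode")`), and the "temporarily allow" comment should state what retires it, e.g. `/* TODO: return -EPERM for denied anon+x once <retire condition> is met */`. The test also changes from the local `is_anon` to `vma_is_anonymous(vma)`; how `is_anon` is computed is outside this hunk, so if it is still used elsewhere in `xpm_check_prot` the two tests may disagree on the same vma. The body of `xpm_check_prot` starts and ends outside this hunk.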
@@ -0,0 +1,40 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ */
+
+#include
+
+#include "dsmm_secureshield.h"
+#include "xpm_log.h"
+
+#define STATE_UNINT 0
+#define STATE_ON 1
+#define STATE_OFF 2
+
+static uint32_t secureshield_state = STATE_UNINT;
+static int init_secureshield_state(void)
+{
+ if (strstr(saved_command_line, "advsecmode.state=1")) {
+ secureshield_state = STATE_ON;
+ } else {
+ // secureshield is defaultly set to off
+ secureshield_state = STATE_OFF;
+ }
+ xpm_log_info("secureshield init to %d", secureshield_state);
+ return secureshield_state;
+}
+
+static int get_secureshield_state(void)
+{
+ if (secureshield_state == STATE_UNINT) {
+ return init_secureshield_state();
+ } else {
+ return secureshield_state;
+ }
+}
+
+bool dsmm_is_secureshield_enabled(void)
+{
+ return get_secureshield_state() == STATE_ON;
+}
\ No newline at end of file
diff --git a/xpm/secureshield/dsmm_secureshield.h b/xpm/secureshield/dsmm_secureshield.h
new file mode 100644
index 0000000000000000000000000000000000000000..4cd0ccb45fd1324aeb90ecc9a8e4ab6314e436b1
--- /dev/null
+++ b/xpm/secureshield/dsmm_secureshield.h
@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ */
+#ifndef _DSMM_SECURESHIELD_H
+#define _DSMM_SECURESHIELD_H
+
+bool dsmm_is_secureshield_enabled(void);
+
+#endif /* _DSMM_SECURESHIELD_H */
\ No newline at end of file
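Review bot: `init_secureshield_state()` decides the security mode with a bare substring search, `strstr(saved_command_line, "advsecmode.state=1")`, which also matches values such as `advsecmode.state=10` or a longer parameter name ending in `advsecmode.state`, and it runs lazily from whatever context first calls `dsmm_is_secureshield_enabled()` (the mmap/mprotect check in the other hunk), writing the unsynchronised `secureshield_state` there. Registering the parameter with `__setup()` lets the kernel's command-line parser hand over the exact value once at boot, which removes both the loose match and the lazy initialisation; the sketch below keeps the `dsmm_is_secureshield_enabled()` contract, and the comparison should be loosened only if values like `1,extra` are genuinely expected. Smaller points in the same hunk: `STATE_UNINT` is presumably meant as `STATE_UNINIT`, `xpm_log_info("secureshield init to %d", ...)` prints a `uint32_t` with `%d` (use `%u`), the comment `// secureshield is defaultly set to off` should read `// secure shield defaults to off`, and both new files (this one and `dsmm_secureshield.h`) lack a trailing newline. The `#include` on line 6 appears on this page with its target stripped, so I cannot tell whether `<linux/init.h>` (needed for `saved_command_line` and `__setup`) is already included.
```c
/* … unchanged: SPDX header, includes, STATE_ON / STATE_OFF defines … */

static uint32_t secureshield_state = STATE_OFF;

/*
 * Called once by the kernel command-line parser for "advsecmode.state=<v>";
 * only an exact "1" enables secure shield, anything else leaves it off.
 */
static int __init secureshield_state_setup(char *val)
{
	secureshield_state = (val && strcmp(val, "1") == 0) ? STATE_ON : STATE_OFF;
	xpm_log_info("secureshield init to %u", secureshield_state);
	return 1;
}
__setup("advsecmode.state=", secureshield_state_setup);

bool dsmm_is_secureshield_enabled(void)
{
	return secureshield_state == STATE_ON;
}
```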
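Review bot: `dsmm_secureshield.h` declares `bool dsmm_is_secureshield_enabled(void);` without including anything, so it only compiles when the including file has already pulled in the kernel's `bool` definition; add `#include <linux/types.h>` directly after the `#define _DSMM_SECURESHIELD_H` guard so the header stands on its own regardless of include order in its callers.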