From 8083d4c0533585c84b06408007fd3d702cdc584c Mon Sep 17 00:00:00 2001
From: luyifan <842825214@qq.com>
Date: Tue, 5 Nov 2024 10:44:08 +0800
Subject: [PATCH] Xpm: check secure shield and disable jit
Signed-off-by: luyifan<842825214@qq.com>
---
 xpm/Makefile | 4 ++-
 xpm/core/xpm_security_hooks.c | 20 +++++++++-----
 xpm/secureshield/dsmm_secureshield.c | 40 ++++++++++++++++++++++++++++
 xpm/secureshield/dsmm_secureshield.h | 10 +++++++
 4 files changed, 67 insertions(+), 7 deletions(-)
 create mode 100644 xpm/secureshield/dsmm_secureshield.c
 create mode 100644 xpm/secureshield/dsmm_secureshield.h
diff --git a/xpm/Makefile b/xpm/Makefile
index 3fddf33..61163a2 100644
--- a/xpm/Makefile
+++ b/xpm/Makefile
@@ -14,7 +14,8 @@ obj-$(CONFIG_SECURITY_XPM) += \
 core/xpm_report.o \
 validator/elf_code_segment_info.o \
 validator/exec_signature_info.o \
- developer/dsmm_developer.o
+ developer/dsmm_developer.o \
+ secureshield/dsmm_secureshield.o
 obj-$(CONFIG_SECURITY_XPM_DEBUG) += \
 core/xpm_debugfs.o
@@ -23,6 +24,7 @@ ccflags-$(CONFIG_SECURITY_XPM) += \
 -I$(srctree)/security/xpm/core \
 -I$(srctree)/security/xpm/validator \
 -I$(srctree)/security/xpm/developer \
+ -I$(srctree)/security/xpm/secureshield \
 -I$(srctree)/security/selinux/include \
 -I$(srctree)/security/selinux \
 -I$(srctree)/fs \
diff --git a/xpm/core/xpm_security_hooks.c b/xpm/core/xpm_security_hooks.c
index bb60507..103a7c6 100644
--- a/xpm/core/xpm_security_hooks.c
+++ b/xpm/core/xpm_security_hooks.c
@@ -12,6 +12,7 @@
 #include "exec_signature_info.h"
 #include "fsverity_private.h"
 #include "code_sign_ext.h"
+#include "dsmm_secureshield.h"
 #include "xpm_common.h"
 #include "xpm_debugfs.h"
 #include "xpm_log.h"
@@ -319,15 +320,22 @@ static int xpm_check_prot(struct vm_area_struct *vma, unsigned long prot)
 /* check for anonymous vma prot, anonymous executable permission need
 * controled by selinux
+ * in secure shield mode, all anon + x is forbidden
+ * in default mode, temporarily allow anon + x allocation
 */
- if (is_anon && (prot & PROT_EXEC)) {
- ret = xpm_avc_has_perm(SECCLASS_XPM, XPM__EXEC_ANON_MEM);
- if (ret) {
- report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot);
- return -EPERM;
+ if (vma_is_anonymous(vma) && (prot & PROT_EXEC)) {
+ if (dsmm_is_secureshield_enabled()) {
+ ret = -EPERM;
+ report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot);
+ } else {
+ ret = xpm_avc_has_perm(SECCLASS_XPM, XPM__EXEC_ANON_MEM);
+ if (ret) {
+ ret = 0;
+ report_mmap_event(ANON_EXEC, TYPE_ANON, vma, prot);
+ }
 }
- return 0;
+ return ret;
 }
 /* check for non-anonymous vma prot */
diff --git a/xpm/secureshield/dsmm_secureshield.c b/xpm/secureshield/dsmm_secureshield.c
new file mode 100644
index 0000000..c983bdc
--- /dev/null
+++ b/xpm/secureshield/dsmm_secureshield.c
@@ -0,0 +1,40 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ */
+
+#include 
+
+#include "dsmm_secureshield.h"
+#include "xpm_log.h"
+
+#define STATE_UNINT 0
+#define STATE_ON 1
+#define STATE_OFF 2
+
+static uint32_t secureshield_state = STATE_UNINT;
+static int init_secureshield_state(void)
+{
+ if (strstr(saved_command_line, "advsecmode.state=1")) {
+ secureshield_state = STATE_ON;
+ } else {
+ // secureshield is defaultly set to off
+ secureshield_state = STATE_OFF;
+ }
+ xpm_log_info("secureshield init to %d", secureshield_state);
+ return secureshield_state;
+}
+
+static int get_secureshield_state(void)
+{
+ if (secureshield_state == STATE_UNINT) {
+ return init_secureshield_state();
+ } else {
+ return secureshield_state;
+ }
+}
+
+bool dsmm_is_secureshield_enabled(void)
+{
+ return get_secureshield_state() == STATE_ON;
+}
\ No newline at end of file
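Review bot: In the non-secure-shield branch the SELinux verdict is discarded: when `xpm_avc_has_perm()` returns non-zero the new code sets `ret = 0` and only calls `report_mmap_event()`, so an anonymous PROT_EXEC mapping is now permitted even when policy denies `XPM__EXEC_ANON_MEM`, where the removed lines returned -EPERM. The added comment calls this temporary, but nothing in the code marks the path as audit-only, so it is easy to ship in this fail-open state. If the relaxation is intentional, make it visible and revertible, e.g. `/* TODO(xpm): audit-only until JIT users are signed; restore -EPERM */` above `ret = 0;`, or gate the permissive path on an explicit config/debugfs switch instead of unconditionally. If `xpm_avc_has_perm()` can also fail for reasons other than a policy denial, those errors are mapped to success here as well. xpm_check_prot() starts and ends outside the hunk, so the declarations of `ret` and the former `is_anon` are not visible.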
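Review bot: `strstr(saved_command_line, "advsecmode.state=1")` in `init_secureshield_state()` is a substring test rather than a parameter match: it also accepts `advsecmode.state=10`, `xadvsecmode.state=1`, or the string occurring inside another parameter's value, and it ignores the kernel's normal quoting and last-value-wins handling of the command line. The result is also computed lazily from whichever LSM hook runs first and kept in a plain writable global, so the enforcement decision stays mutable in .data for the life of the system instead of being fixed at boot. I would parse the option with a `__setup("advsecmode.state=", …)` (or `early_param`) handler that compares the value exactly, keep the result in a `bool` marked `__ro_after_init` where the target kernel provides it, and drop the three-state lazy init; `<linux/init.h>` is needed for that, and the stripped `#include` on line 6 cannot be read here to tell whether it already is. Minor: `secureshield_state` is `uint32_t` but logged with `%d`, and "defaultly" in the comment should read "by default".
```c
/* … unchanged: SPDX header and includes … */

static bool secureshield_enabled __ro_after_init;

/* Boot option "advsecmode.state=1" turns secure shield on; any other value leaves it off. */
static int __init advsecmode_state_setup(char *val)
{
	secureshield_enabled = (val && strcmp(val, "1") == 0);
	xpm_log_info("secureshield init to %d", secureshield_enabled);
	return 1;
}
__setup("advsecmode.state=", advsecmode_state_setup);

bool dsmm_is_secureshield_enabled(void)
{
	return secureshield_enabled;
}
```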
diff --git a/xpm/secureshield/dsmm_secureshield.h b/xpm/secureshield/dsmm_secureshield.h
new file mode 100644
index 0000000..4cd0ccb
--- /dev/null
+++ b/xpm/secureshield/dsmm_secureshield.h
@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ */
+#ifndef _DSMM_SECURESHIELD_H
+#define _DSMM_SECURESHIELD_H
+
+bool dsmm_is_secureshield_enabled(void);
+
+#endif /* _DSMM_SECURESHIELD_H */
\ No newline at end of file
--
Gitee
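Review bot: The header declares a `bool` function but includes nothing, so it only compiles when every includer has already pulled in `<linux/types.h>`; in `xpm_security_hooks.c` it is added after several project headers, which presumably masks this. Add `#include <linux/types.h>` after the guard so the header is self-contained, and document the contract on the declaration, e.g. `/* True when the kernel booted with advsecmode.state=1 (secure shield mode). */`. The file also lacks a trailing newline, as the diff marks.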