From 02c884291237e2e14d204891ada4783c459e0441 Mon Sep 17 00:00:00 2001 From: c30043414 Date: Tue, 10 Oct 2023 22:16:57 +0800 Subject: [PATCH] memory_security: Hide the render process JIT anonymous executable memory address Output: The anonymized executable memory address of the JIT region of the rendering process cannot be queried through cat proc/pid/maps A new memory security enhancement module has been added to the rendering, and this submission is a custom function that can perform memory address hiding for the rendering process Signed-off-by: caobaolong Change-Id: I302f45f92d41d0df3db0e54c018247890d244028 --- LICENSE | 2 + OAT.xml | 5 ++ memory_security/Kconfig | 16 ++++++ memory_security/Makefile | 21 ++++++++ memory_security/README_zh.md | 51 +++++++++++++++++++ memory_security/apply_hideaddr.sh | 30 +++++++++++ memory_security/hideaddr.c | 83 +++++++++++++++++++++++++++++++ 7 files changed, 208 insertions(+) create mode 100755 memory_security/Kconfig create mode 100755 memory_security/Makefile create mode 100644 memory_security/README_zh.md create mode 100755 memory_security/apply_hideaddr.sh create mode 100644 memory_security/hideaddr.c diff --git a/LICENSE b/LICENSE index fc48fd2..aa97504 100644 --- a/LICENSE +++ b/LICENSE @@ -2,5 +2,7 @@ ./newip/ ./xpm/ ./qos_auth/ + ./ucollection/ + ./memory_security/ As for the specific use of the licenses, please refer to the relevant description in the documents. diff --git a/OAT.xml b/OAT.xml index 9de7aac..0c71260 100644 --- a/OAT.xml +++ b/OAT.xml @@ -59,10 +59,14 @@ Note:If the text contains special characters, please escape them according to th + + + + @@ -81,6 +85,7 @@ Note:If the text contains special characters, please escape them according to th + diff --git a/memory_security/Kconfig b/memory_security/Kconfig new file mode 100755 index 0000000..f3a2762 --- /dev/null +++ b/memory_security/Kconfig 
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+#
+# Config for hide excutable memory address of process manager
+#
+
+menu "Hide memory address manager"
+
+config HIDE_MEM_ADDRESS
+ default n
+ bool "Hide excutable memory address in proc/[pid]/maps "
+ help
+ Select show address about anonymous area of the process memory
+ with -rx- permissions or not.
+endmenu
+# a blank line must be existed
\ No newline at end of file
diff --git a/memory_security/Makefile b/memory_security/Makefile
new file mode 100755
index 0000000..41e5324
--- /dev/null
+++ b/memory_security/Makefile
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+#
+# Makefile for memory_security manager module
+#
+obj-$(CONFIG_HIDE_MEM_ADDRESS) += hideaddr.o
+
+ccflags-$(CONFIG_HIDE_MEM_ADDRESS) += \
+ -I$(srctree)/fs/proc \
+ -I$(srctree)/security/selinux/include \
+ -I$(srctree)/security/selinux
+
+$(addprefix $(obj)/,$(obj-y)): $(obj)/flask.h
+
+quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
+ cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
+
+targets += flask.h av_permissions.h
+$(obj)/flask.h: $(srctree)/security/selinux/include/classmap.h FORCE
+ $(call if_changed,flask)
diff --git a/memory_security/README_zh.md b/memory_security/README_zh.md
new file mode 100644
index 0000000..062ded5
--- /dev/null
+++ b/memory_security/README_zh.md
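Review bot: `config HIDE_MEM_ADDRESS` carries no `depends on` line, yet hideaddr.c later in this patch calls `avc_has_perm_noaudit()` against `selinux_state` and the Makefile adds `security/selinux` include paths, so the option can be turned on in a configuration without SELinux and the build then fails. Add `depends on SECURITY_SELINUX` and `depends on PROC_FS` under the `bool` line, since the hook only has meaning when /proc/[pid]/maps exists. The prompt and help text also have "excutable" twice and the trailing comment "a blank line must be existed"; suggest `bool "Hide executable memory address in /proc/[pid]/maps"` and a help text along the lines of `Hide the start/end addresses and permission flags of anonymous executable mappings in /proc/[pid]/maps for tasks whose SELinux domain is granted hideaddr:hide_exec_anon_mem and not hideaddr:hide_exec_anon_mem_debug.`, which matches what hideaddr.c actually checks.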
@@ -0,0 +1,51 @@
+## 背景
+
+当前linux内核在内存安全方面还有需要加固的空间,memory_security模块为内存安全定制相应的功能来增强安全能力。
+
+## MEMORY_SECURITY 模块
+
+memory_security模块定制化内存的安全增强能力
+
+### MEMORY_SECURITY/hideaddr 模块
+
+MEMORY_SECURITY/hideaddr模块通过检查渲染进程映射的匿名内存是否具有可执行的权限,来针对性的将映射后的内存地址的start和end值设置为NULL,以此达到隐藏内存地址的目的
+
+#### 1.进程类型检查
+
+通过进程的selinux安全上下文来判定当前proc/[pid]/maps中的pid对应的进程是否为渲染进程
+
+#### 2.匿名内存区域权限检查
+
+内存区域的权限由vm_flags_t结构体的 flags成员呈现,通过检查flags是否具有-x-权限来决定是否将其所对应的地址隐藏起来。
+
+## 目录
+
+## MEMORY_SECURITY执行权限管控的主要代码目录结构如下:
+
+```
+# 代码路径 /kernel/linux/common_modules/memory_security
+├── hideaddr.h # memory_security 头文件
+├── hideaddr.c # memory_security 管控代码
+├── Konfig
+├── Makefile
+```
+
+## MEMORY_SECURITY配置指导
+
+1. MEMORY_SECURITY/HIDEADDR使能
+ `CONFIG_HIDE_MEM_ADDRESS=y`
+
+2. MEMORY_SECURITY/HIDEADDR禁用
+ `CONFIG_HIDE_MEM_ADDRESS=n`
+
+## 相关仓
+
+[内核子系统](https://gitee.com/openharmony/docs/blob/master/zh-cn/readme/%E5%86%85%E6%A0%B8%E5%AD%90%E7%B3%BB%E7%BB%9F.md)
+
+[kernel_linux_5.10](https://gitee.com/openharmony/kernel_linux_5.10)
+
+[kernel_linux_config](https://gitee.com/openharmony/kernel_linux_config)
+
+[device_board_hihope](https://gitee.com/openharmony/device_board_hihope)
+
+[security_selinux_adapter](https://gitee.com/openharmony/security_selinux_adapter)
diff --git a/memory_security/apply_hideaddr.sh b/memory_security/apply_hideaddr.sh
new file mode 100755
index 0000000..bbc2662
--- /dev/null
+++ b/memory_security/apply_hideaddr.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+#
+#Description: Create a symbolic link for memory_security in Linux 5.10
+#
+
+set -e
+
+OHOS_SOURCE_ROOT=$1
+KERNEL_BUILD_ROOT=$2
+PRODUCT_NAME=$3
+KERNEL_VERSION=$4
+MEMORY_SECURITY_SOURCE_ROOT=$OHOS_SOURCE_ROOT/kernel/linux/common_modules/memory_security
+
+function main()
+{
+ pushd .
+
+ if [ ! -d "$KERNEL_BUILD_ROOT/fs/proc/memory_security" ]; then
+ mkdir $KERNEL_BUILD_ROOT/fs/proc/memory_security
+ fi
+
+ cd $KERNEL_BUILD_ROOT/fs/proc/memory_security
+ ln -s -f $(realpath --relative-to=$KERNEL_BUILD_ROOT/fs/proc/memory_security/ $MEMORY_SECURITY_SOURCE_ROOT)/* ./
+
+ popd
+}
+
+main
diff --git a/memory_security/hideaddr.c b/memory_security/hideaddr.c
new file mode 100644
index 0000000..259d382
--- /dev/null
+++ b/memory_security/hideaddr.c
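Review bot: The script never validates its positional arguments and expands `$KERNEL_BUILD_ROOT`, `$MEMORY_SECURITY_SOURCE_ROOT` and the `realpath` result unquoted in `mkdir`, `cd` and `ln`, so with an empty second argument every path collapses to `/fs/proc/memory_security`, and a build root containing whitespace is split into several words. Add an argument check before `main`, e.g. `[ -n "$OHOS_SOURCE_ROOT" ] && [ -n "$KERNEL_BUILD_ROOT" ] || { echo "usage: $0 OHOS_SOURCE_ROOT KERNEL_BUILD_ROOT PRODUCT_NAME KERNEL_VERSION" >&2; exit 1; }`, and quote the expansions: `mkdir "$KERNEL_BUILD_ROOT/fs/proc/memory_security"` and `cd "$KERNEL_BUILD_ROOT/fs/proc/memory_security"`. `PRODUCT_NAME` and `KERNEL_VERSION` are assigned but never used; if the caller's four-argument interface is fixed, a one-line comment saying they are accepted for interface compatibility would save the next reader a search. The `pushd .`/`popd` pair is redundant once `main` runs `cd` only inside its own body under `set -e`, but that is cosmetic.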
@@ -0,0 +1,83 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "avc.h"
+#include "objsec.h"
+
+static bool is_anon_exec(struct vm_area_struct *vma)
+{
+ const char *name = NULL;
+ vm_flags_t flags = vma->vm_flags;
+
+ if (!(flags & VM_EXEC))
+ return false;
+
+ name = arch_vma_name(vma);
+ if (!name) {
+ struct anon_vma_name *anon_name;
+ anon_name = anon_vma_name(vma);
+ if (!anon_name)
+ return false;
+ }
+ return true;
+}
+
+static int hideaddr_avc_has_perm(u16 tclass, u32 requested, struct seq_file *m)
+{
+ struct av_decision avd;
+ struct inode *inode_task = file_inode(m->file);
+ struct task_struct *task = get_proc_task(inode_task);
+ u32 secid;
+
+ security_cred_getsecid(task->cred, &secid);
+ return avc_has_perm_noaudit(&selinux_state, secid, secid, tclass, requested,
+ AVC_STRICT, &avd);
+}
+
+static void hideaddr_header_prefix(unsigned long *start, unsigned long *end,
+ vm_flags_t *flags, struct seq_file *m, struct vm_area_struct *vma)
+{
+ if (!is_anon_exec(vma))
+ return;
+
+ if (hideaddr_avc_has_perm(SECCLASS_HIDEADDR, HIDEADDR__HIDE_EXEC_ANON_MEM, m))
+ return;
+
+ if (!hideaddr_avc_has_perm(SECCLASS_HIDEADDR, HIDEADDR__HIDE_EXEC_ANON_MEM_DEBUG, m))
+ return;
+
+ *start = 0;
+ *end = 0;
+ *flags = 0;
+}
+
+static void hideaddr_header_prefix_lhck_register(void)
+{
+ REGISTER_HCK_LITE_HOOK(hideaddr_header_prefix_lhck, hideaddr_header_prefix);
+}
+
+static int __init hideaddr_hooks_init(void)
+{
+ hideaddr_header_prefix_lhck_register();
+ return 0;
+}
+
+static void __exit hideaddr_hooks_exit(void)
+{
+}
+
+module_init(hideaddr_hooks_init);
+module_exit(hideaddr_hooks_exit);
-- Gitee
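Review bot: `hideaddr_avc_has_perm` uses the result of `get_proc_task()` without a NULL check and never calls `put_task_struct()` on it, so a maps read that races with exit of the inspected process dereferences NULL at `task->cred`, and every line this hook evaluates leaks a task_struct reference; reading another task's `task->cred` directly, outside RCU, is also not the sanctioned way to obtain its secid. The rewrite below gets the secid through `security_task_getsecid()`, drops the reference, and returns -ESRCH for a vanished task — with the existing callers in `hideaddr_header_prefix` that error leaves the address visible, so whether a hiding feature should fail open here needs to be a deliberate decision, noted in a comment on the first caller check. Separately, `is_anon_exec` returns true for any VM_EXEC mapping that has an `arch_vma_name()` and false for an anonymous executable mapping that carries no anon_vma_name, which appears inverted relative to the "anonymous executable" wording of the commit; if every anonymous exec mapping is meant, `if (vma->vm_file) return false;` is the usual test and the `name` local can go. The decision is also made purely on the inspected task's own domain (`secid` is passed as both subject and object), so the identity of the reader of /proc/[pid]/maps plays no part; a comment stating that policy model on `hideaddr_header_prefix` would help the next maintainer.
```c
static int hideaddr_avc_has_perm(u16 tclass, u32 requested, struct seq_file *m)
{
	struct av_decision avd;
	struct task_struct *task = get_proc_task(file_inode(m->file));
	u32 secid;

	if (!task)
		return -ESRCH; /* inspected task already exited */

	security_task_getsecid(task, &secid);
	put_task_struct(task); /* get_proc_task() took a reference */

	return avc_has_perm_noaudit(&selinux_state, secid, secid, tclass, requested,
				    AVC_STRICT, &avd);
}
```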