diff --git a/LICENSE b/LICENSE
index 28a5856373cce52c59708ad93f38842cd6dd5082..a109a53ddad8b7f46899b2d3597658ece71ce537 100644
--- a/LICENSE
+++ b/LICENSE
@@ -3,6 +3,7 @@
 ./xpm/
 ./qos_auth/
 ./ucollection/
+ ./vma/
 ./memory_security/
 ./code_sign
diff --git a/OAT.xml b/OAT.xml
index 7235b7bd33458cfca44d02fffe3cde93af32c55d..5de178f608a67b7e51a76a42a43316ad7ce1d11b 100644
--- a/OAT.xml
+++ b/OAT.xml
@@ -59,12 +59,14 @@ Note:If the text contains special characters, please escape them according to th
+
+
diff --git a/vma/Kconfig b/vma/Kconfig
new file mode 100755
index 0000000000000000000000000000000000000000..ab6cb621d9dac860862dcde8d4669704d030cf5f
--- /dev/null
+++ b/vma/Kconfig
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+#
+# Config for hide excutable memory address of render process manager
+#
+config HIDE_RENDER_ADDRESS
+ default n
+ bool "Hide excutable memory address in proc/[render]/maps "
+ help
+ Select show address about anonymous area of the render process memory
+ with -rx- permissions or not.
diff --git a/vma/Makefile b/vma/Makefile
new file mode 100755
index 0000000000000000000000000000000000000000..d5f1b87d7aa37a534affc3cc8d713fb3d99bd537
--- /dev/null
+++ b/vma/Makefile
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+#
+# Makefile for hide excutable memory address of render objess manager module
+#
+obj-$(CONFIG_HIDE_RENDER_ADDRESS) += vma_render.o
+
+ccflags-$(CONFIG_HIDE_RENDER_ADDRESS) += \
+ -I$(srctree)/fs/proc \
+ -I$(srctree)/security/selinux/include \
+ -I$(srctree)/security/selinux
+
+$(addprefix $(obj)/,$(obj-y)): $(obj)/flask.h
+
+quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
+ cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
+
+targets += flask.h av_permissions.h
+$(obj)/flask.h: $(srctree)/security/selinux/include/classmap.h FORCE
+ $(call if_changed,flask)
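Review bot: The header comment and the prompt string of `config HIDE_RENDER_ADDRESS` both misspell "excutable", the prompt names a path `proc/[render]/maps` that does not exist, and the help text ("Select show address ... or not") does not tell the person configuring the kernel what the option changes. Suggest `bool "Hide executable anonymous mappings in /proc/[pid]/maps of render processes"` and a help paragraph stating that, when enabled, the start and end addresses of executable anonymous VMAs are blanked in /proc/[pid]/maps for tasks whose SELinux domain is granted the vma:hide_exec_anon_mem permission, which is what the accompanying vma_render.c does. `default n` is the implicit default for a bool and can be dropped.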
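Review bot: The `$(obj)/flask.h` rule regenerates the SELinux class/permission headers from `security/selinux/include/classmap.h`, but nothing in this series touches classmap.h, while vma_render.c (later in this diff) refers to `SECCLASS_VMA` and `VMA__HIDE_EXEC_ANON_MEM`; unless a `vma` class with a `hide_exec_anon_mem` permission is added to classmap.h by a separate change, the generated flask.h will not define either name and the object fails to compile. That coupling deserves a comment above the rule, e.g. `# flask.h must contain the 'vma' class (hide_exec_anon_mem); it is added to classmap.h outside this module`. The header comment also misspells "excutable" and "objess" (presumably "process").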
diff --git a/vma/README_zh.md b/vma/README_zh.md
new file mode 100644
index 0000000000000000000000000000000000000000..2d181a8553c9423c62ca7e726b6327fe77439afc
--- /dev/null
+++ b/vma/README_zh.md
@@ -0,0 +1,47 @@
+## 背景
+
+当前linux内核proc文件系统的机制,在maps文件里面输出了进程的内存映射信息,对于渲染进程而言,此进程的JIT区域具有可执行权限的内存地址也同时暴露在proc文件系统中。
+
+为防止黑客通过读取proc下的rx内存地址, 把shellcode写入这块可执行内存区域,通过将这块内存地址隐藏起来的方式来提高黑客攻破render进程的难度。
+
+## VMA(render vma address manager)模块
+
+VMA模块通过检查渲染进程映射的匿名内存是否具有可执行的权限,来针对性的将映射后的内存地址的start和end值设置为NULL,以此达到隐藏内存地址的目的
+
+### 1.进程类型检查
+
+通过进程的selinux安全上下文来判定当前proc/[pid]/maps中的pid对应的进程是否为渲染进程
+
+### 2.匿名内存区域权限检查
+
+内存区域的权限由vm_flags_t结构体的 flags成员呈现,通过检查flags是否具有-x-权限来决定是否将其所对应的地址隐藏起来。
+
+## 目录
+
+VMA执行权限管控的主要代码目录结构如下:
+
+```
+# 代码路径 /kernel/linux/common_modules/vma
+├── vma_render.h # vma 头文件
+├── vma_render.c # vma 管控代码
+├── Konfig
+├── Makefile
+```
+
+## VMA配置指导
+
+1. VMA使能
+ `CONFIG_HIDE_RENDER_ADDRESS=y`
+
+2. VMA禁用
+ `CONFIG_HIDE_RENDER_ADDRESS=n`
+
+## 相关仓
+
+[内核子系统](https://gitee.com/openharmony/docs/blob/master/zh-cn/readme/%E5%86%85%E6%A0%B8%E5%AD%90%E7%B3%BB%E7%BB%9F.md)
+
+[kernel_linux_5.10](https://gitee.com/openharmony/kernel_linux_5.10)
+
+[kernel_linux_config](https://gitee.com/openharmony/kernel_linux_config)
+
+[device_board_hihope](https://gitee.com/openharmony/device_board_hihope)
diff --git a/vma/apply_vma.sh b/vma/apply_vma.sh
new file mode 100755
index 0000000000000000000000000000000000000000..25b4df1df8eea790a31c049bc20a541884bf0d27
--- /dev/null
+++ b/vma/apply_vma.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+#SPDX-License-Identifier: GPL-2.0
+#Copyright (c) 2022 Huawei Device Co., Ltd.
+#
+#Description: Create a symbolic link for vma_render in Linux 5.10
+#
+
+set -e
+
+OHOS_SOURCE_ROOT=$1
+KERNEL_BUILD_ROOT=$2
+PRODUCT_NAME=$3
+KERNEL_VERSION=$4
+XPM_SOURCE_ROOT=$OHOS_SOURCE_ROOT/kernel/linux/common_modules/vma
+
+function main()
+{
+ pushd .
+
+ if [ ! -d "$KERNEL_BUILD_ROOT/fs/proc/vma" ]; then
+ mkdir $KERNEL_BUILD_ROOT/fs/proc/vma
+ fi
+
+ cd $KERNEL_BUILD_ROOT/fs/proc/vma
+ ln -s -f $(realpath --relative-to=$KERNEL_BUILD_ROOT/fs/proc/vma/ $VMA_SOURCE_ROOT)/* ./
+
+ popd
+}
+
+main
diff --git a/vma/vma_render.c b/vma/vma_render.c
new file mode 100644
index 0000000000000000000000000000000000000000..edd08f53af6e2630aaa1ee30b49d9f89ebae8a83
--- /dev/null
+++ b/vma/vma_render.c
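Review bot: `VMA_SOURCE_ROOT` is never assigned — the path is stored in `XPM_SOURCE_ROOT` a few lines earlier — and the script uses `set -e` without `-u`, so `$VMA_SOURCE_ROOT` expands to nothing, the failing `realpath` does not abort the script because it runs inside a command substitution, and the remaining glob is `/*`: `ln -s -f /* ./` then symlinks the build host's root directory entries into `fs/proc/vma`. Change the assignment to `VMA_SOURCE_ROOT=$OHOS_SOURCE_ROOT/kernel/linux/common_modules/vma`, use `set -eu` so an unset name aborts instead of expanding empty, and quote the expansion: `ln -s -f "$(realpath --relative-to="$KERNEL_BUILD_ROOT/fs/proc/vma/" "$VMA_SOURCE_ROOT")"/* ./`. The unquoted `mkdir $KERNEL_BUILD_ROOT/fs/proc/vma` and `cd` also break on paths containing spaces; `mkdir -p "$KERNEL_BUILD_ROOT/fs/proc/vma"` fixes that and makes the `-d` test unnecessary.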
@@ -0,0 +1,86 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ */
+
+#include "vma_render.h"
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+
+#include "avc.h"
+#include "objsec.h"
+
+
+static int is_render_task_vma(struct seq_file *m, struct vm_area_struct *vma)
+{
+ bool is_exec = false;
+ bool is_anon = false;
+ const char *name = NULL;
+ vm_flags_t flags = vma->vm_flags;
+
+ if (flags & VM_EXEC) {
+ is_exec = true;
+ }
+
+ name = arch_vma_name(vma);
+ if (!name) {
+ struct anon_vma_name *anon_name;
+ anon_name = anon_vma_name(vma);
+ if (anon_name) {
+ is_anon = true;
+ }
+ }
+
+ return is_anon && is_exec;
+}
+
+static int vma_avc_has_perm(u16 tclass, u32 requested, struct seq_file *m)
+{
+ struct av_decision avd;
+ struct inode *inode_task = file_inode(m->file);
+ struct task_struct *task = get_proc_task(inode_task);
+ u32 secid;
+ security_cred_getsecid(task->cred, &secid);
+ u32 sid = secid;
+
+ return avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested,
+ AVC_STRICT, &avd);
+}
+
+static void render_vma_header_prefix(unsigned long *start, unsigned long *end, vm_flags_t *flags,
+ struct seq_file *m, struct vm_area_struct *vma) {
+ int ret;
+ ret = vma_avc_has_perm(SECCLASS_VMA, VMA__HIDE_EXEC_ANON_MEM, m);
+ if (!ret && is_render_task_vma(m, vma)) {
+ *start = NULL;
+ *end = NULL;
+ *flags = NULL;
+ }
+}
+
+static void render_vma_header_prefix_lhck_register(void)
+{
+ REGISTER_HCK_LITE_HOOK(render_vma_header_prefix_lhck, render_vma_header_prefix);
+}
+
+int __init vma_hooks_init(void)
+{
+ render_vma_header_prefix_lhck_register();
+ return 0;
+}
+
+void __exit vma_hooks_exit(void)
+{
+}
+
+module_init(vma_hooks_init);
+module_exit(vma_hooks_exit);
diff --git a/vma/vma_render.h b/vma/vma_render.h
new file mode 100644
index 0000000000000000000000000000000000000000..fe8cb9d3871b2c2a2fc18ebe2c9f4eee24dff664
--- /dev/null
+++ b/vma/vma_render.h
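Review bot: `vma_avc_has_perm` dereferences the result of `get_proc_task()` without a NULL check and never calls `put_task_struct()` on it, so a target that exits between open() and read() of its maps file gives the reader a NULL dereference, and every VMA line otherwise leaks a task_struct reference; the raw `task->cred` read also skips the RCU protection that the SELinux task-SID helper in objsec.h (`task_sid()` on 5.10, `task_sid_obj()` on newer trees — check which one this tree ships) provides, so the function should look like the version below. Separately, `is_render_task_vma` only counts a VMA as anonymous when `anon_vma_name()` returns a name, so an executable anonymous region that was never named through prctl stays fully visible — if restricting the hiding to named regions is intentional it needs a comment saying so, otherwise test `!vma->vm_file` instead. The three `= NULL` assignments in `render_vma_header_prefix` store a pointer constant into `unsigned long`/`vm_flags_t`; write `*start = 0; *end = 0; *flags = 0;`. Note that only the fields this hook receives are blanked; whether the same hook also feeds smaps and the other per-VMA fields (offset, inode, name) is not visible here and should be confirmed before treating the addresses as hidden.

```c
static int vma_avc_has_perm(u16 tclass, u32 requested, struct seq_file *m)
{
	struct av_decision avd;
	struct task_struct *task = get_proc_task(file_inode(m->file));
	u32 sid;

	/* Target can exit between open() and this read(); nothing to classify then. */
	if (!task)
		return -ESRCH;

	sid = task_sid(task);	/* objsec.h helper: reads task->cred under the RCU read lock */
	put_task_struct(task);	/* drop the reference get_proc_task() handed us */

	return avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested,
				    AVC_STRICT, &avd);
}
```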
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ */
+
+#ifndef _VMA_RENDER
+#define _VMA_RENDER
+#include
+
+#ifdef CONFIG_HIDE_RENDER_ADDRESS
+int __init vma_hooks_init(void);
+#endif
+
+#endif /* _VMA_RENDER */