From 38a6f37040c528ac7eacb2a1ebf3221504354ff2 Mon Sep 17 00:00:00 2001 From: c30043414 Date: Tue, 10 Oct 2023 16:08:31 +0800 Subject: [PATCH 1/3] Signed-off-by: c30043414 Change-Id: Ifb4ca5ff805ec5fc4ed2be68d9db9a97bcca19e0 --- vma/Kconfig | 11 +++++++ vma/Makefile | 21 ++++++++++++ vma/README_zh.md | 47 ++++++++++++++++++++++++++ vma/apply_vma.sh | 30 +++++++++++++++++ vma/vma_render.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ vma/vma_render.h | 14 ++++++++ 6 files changed, 209 insertions(+) create mode 100644 vma/Kconfig create mode 100644 vma/Makefile create mode 100644 vma/README_zh.md create mode 100644 vma/apply_vma.sh create mode 100644 vma/vma_render.c create mode 100644 vma/vma_render.h diff --git a/vma/Kconfig b/vma/Kconfig new file mode 100644 index 0000000..ab6cb62 --- /dev/null +++ b/vma/Kconfig @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2023 Huawei Device Co., Ltd. +# +# Config for hide excutable memory address of render process manager +# +config HIDE_RENDER_ADDRESS + default n + bool "Hide excutable memory address in proc/[render]/maps " + help + Select show address about anonymous area of the render process memory + with -rx- permissions or not. diff --git a/vma/Makefile b/vma/Makefile new file mode 100644 index 0000000..d5f1b87 --- /dev/null +++ b/vma/Makefile @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# +# Copyright (c) 2023 Huawei Device Co., Ltd. +# +# Makefile for hide excutable memory address of render objess manager module +# +obj-$(CONFIG_HIDE_RENDER_ADDRESS) += vma_render.o + +ccflags-$(CONFIG_HIDE_RENDER_ADDRESS) += \ + -I$(srctree)/fs/proc \ + -I$(srctree)/security/selinux/include \ + -I$(srctree)/security/selinux + +$(addprefix $(obj)/,$(obj-y)): $(obj)/flask.h + +quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h + cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h + +targets += flask.h av_permissions.h +$(obj)/flask.h: $(srctree)/security/selinux/include/classmap.h FORCE + $(call if_changed,flask) diff --git a/vma/README_zh.md b/vma/README_zh.md new file mode 100644 index 0000000..2d181a8 --- /dev/null +++ b/vma/README_zh.md @@ -0,0 +1,47 @@ +## 背景 + +当前linux内核proc文件系统的机制,在maps文件里面输出了进程的内存映射信息,对于渲染进程而言,此进程的JIT区域具有可执行权限的内存地址也同时暴露在proc文件系统中。 + +为防止黑客通过读取proc下的rx内存地址, 把shellcode写入这块可执行内存区域,通过将这块内存地址隐藏起来的方式来提高黑客攻破render进程的难度。 + +## VMA(render vma address manager)模块 + +VMA模块通过检查渲染进程映射的匿名内存是否具有可执行的权限,来针对性的将映射后的内存地址的start和end值设置为NULL,以此达到隐藏内存地址的目的 + +### 1.进程类型检查 + +通过进程的selinux安全上下文来判定当前proc/[pid]/maps中的pid对应的进程是否为渲染进程 + +### 2.匿名内存区域权限检查 + +内存区域的权限由vm_flags_t结构体的 flags成员呈现,通过检查flags是否具有-x-权限来决定是否将其所对应的地址隐藏起来。 + +## 目录 + +VMA执行权限管控的主要代码目录结构如下: + +``` +# 代码路径 /kernel/linux/common_modules/vma +├── vma_render.h # vma 头文件 +├── vma_render.c # vma 管控代码 +├── Konfig +├── Makefile +``` + +## VMA配置指导 + +1. VMA使能 + `CONFIG_HIDE_RENDER_ADDRESS=y` + +2. VMA禁用 + `CONFIG_HIDE_RENDER_ADDRESS=n` + +## 相关仓 + +[内核子系统](https://gitee.com/openharmony/docs/blob/master/zh-cn/readme/%E5%86%85%E6%A0%B8%E5%AD%90%E7%B3%BB%E7%BB%9F.md) + +[kernel_linux_5.10](https://gitee.com/openharmony/kernel_linux_5.10) + +[kernel_linux_config](https://gitee.com/openharmony/kernel_linux_config) + +[device_board_hihope](https://gitee.com/openharmony/device_board_hihope) diff --git a/vma/apply_vma.sh b/vma/apply_vma.sh new file mode 100644 index 0000000..25b4df1 --- /dev/null +++ b/vma/apply_vma.sh @@ -0,0 +1,30 @@ +#!/bin/bash +#SPDX-License-Identifier: GPL-2.0 +#Copyright (c) 2022 Huawei Device Co., Ltd. +# +#Description: Create a symbolic link for vma_render in Linux 5.10 +# + +set -e + +OHOS_SOURCE_ROOT=$1 +KERNEL_BUILD_ROOT=$2 +PRODUCT_NAME=$3 +KERNEL_VERSION=$4 +XPM_SOURCE_ROOT=$OHOS_SOURCE_ROOT/kernel/linux/common_modules/vma + +function main() +{ + pushd . + + if [ ! -d "$KERNEL_BUILD_ROOT/fs/proc/vma" ]; then + mkdir $KERNEL_BUILD_ROOT/fs/proc/vma + fi + + cd $KERNEL_BUILD_ROOT/fs/proc/vma + ln -s -f $(realpath --relative-to=$KERNEL_BUILD_ROOT/fs/proc/vma/ $VMA_SOURCE_ROOT)/* ./ + + popd +} + +main diff --git a/vma/vma_render.c b/vma/vma_render.c new file mode 100644 index 0000000..5871030 --- /dev/null +++ b/vma/vma_render.c @@ -0,0 +1,86 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (c) 2023 Huawei Device Co., Ltd. + */ + +#include "vma_render.h" +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "avc.h" +#include "objsec.h" + + +static int is_render_task_vma(struct seq_file *m, struct vm_area_struct *vma) +{ + bool is_exec = false; + bool is_anon = false;; + const char *name = NULL; + vm_flags_t flags = vma->vm_flags; + + if (flags & VM_EXEC) { + is_exec = true; + } + + name = arch_vma_name(vma); + if (!name) { + struct anon_vma_name *anon_name; + anon_name = anon_vma_name(vma); + if (anon_name) { + is_anon = true; + } + } + + return is_anon && is_exec; +} + +static int vma_avc_has_perm(u16 tclass, u32 requested, struct seq_file *m) +{ + struct av_decision avd; + struct inode *inode_task = file_inode(m->file); + struct task_struct *task = get_proc_task(inode_task); + u32 secid; + security_cred_getsecid(task->cred, &secid); + u32 sid = secid; + + return avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested, + AVC_STRICT, &avd); +} + +static void render_vma_header_prefix(unsigned long *start, unsigned long *end, vm_flags_t *flags, + struct seq_file *m, struct vm_area_struct *vma) { + int ret; + ret = vma_avc_has_perm(SECCLASS_VMA, VMA__HIDE_EXEC_ANON_MEM, m); + if (!ret && is_render_task_vma(m, vma)) { + *start = NULL; + *end = NULL; + *flags = NULL; + } +} + +static void render_vma_header_prefix_lhck_register(void) +{ + REGISTER_HCK_LITE_HOOK(render_vma_header_prefix_lhck, render_vma_header_prefix); +} + +int __init vma_hooks_init(void) +{ + render_vma_header_prefix_lhck_register(); + return 0; +} + +void __exit vma_hooks_exit(void) +{ +} + +module_init(vma_hooks_init); +module_exit(vma_hooks_exit); diff --git a/vma/vma_render.h b/vma/vma_render.h new file mode 100644 index 0000000..fe8cb9d --- /dev/null +++ b/vma/vma_render.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Copyright (c) 2023 Huawei Device Co., Ltd. + */ + +#ifndef _VMA_RENDER +#define _VMA_RENDER +#include + +#ifdef CONFIG_HIDE_RENDER_ADDRESS +int __init vma_hooks_init(void); +#endif + +#endif /* _VMA_RENDER */ -- Gitee From 28ae4c505bb3d29e68e88a7829dfe9fe7876ff8c Mon Sep 17 00:00:00 2001 From: c30043414 Date: Tue, 10 Oct 2023 17:23:39 +0800 Subject: [PATCH 2/3] Signed-off-by: c30043414 Change-Id: I7ab78968cb475aa441479fa84da21c5813c5ddfa --- OAT.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/OAT.xml b/OAT.xml index 55a93aa..ca03774 100644 --- a/OAT.xml +++ b/OAT.xml @@ -59,10 +59,12 @@ Note:If the text contains special characters, please escape them according to th + + -- Gitee From ac28bac70edc161b4b9e75fe11b15aecf62f9c3d Mon Sep 17 00:00:00 2001 From: c30043414 Date: Tue, 10 Oct 2023 17:25:04 +0800 Subject: [PATCH 3/3] Signed-off-by: c30043414 Change-Id: Ic29b48df8ce7cc44282a8b0df4e2abf8453bc676 Change-Id: I415aa00fc9230cdce60f08a42f53339b3d3af0de --- LICENSE | 1 + vma/Kconfig | 0 vma/Makefile | 0 vma/apply_vma.sh | 0 vma/vma_render.c | 10 +++++----- 5 files changed, 6 insertions(+), 5 deletions(-) mode change 100644 => 100755 vma/Kconfig mode change 100644 => 100755 vma/Makefile mode change 100644 => 100755 vma/apply_vma.sh diff --git a/LICENSE b/LICENSE index 97c58d4..7ba43f7 100644 --- a/LICENSE +++ b/LICENSE @@ -3,5 +3,6 @@ ./xpm/ ./qos_auth/ ./ucollection/ + ./vma/ As for the specific use of the licenses, please refer to the relevant description in the documents. diff --git a/vma/Kconfig b/vma/Kconfig old mode 100644 new mode 100755 diff --git a/vma/Makefile b/vma/Makefile old mode 100644 new mode 100755 diff --git a/vma/apply_vma.sh b/vma/apply_vma.sh old mode 100644 new mode 100755 diff --git a/vma/vma_render.c b/vma/vma_render.c index 5871030..edd08f5 100644 --- a/vma/vma_render.c +++ b/vma/vma_render.c @@ -23,7 +23,7 @@ static int is_render_task_vma(struct seq_file *m, struct vm_area_struct *vma) { bool is_exec = false; - bool is_anon = false;; + bool is_anon = false; const char *name = NULL; vm_flags_t flags = vma->vm_flags; @@ -46,10 +46,10 @@ static int is_render_task_vma(struct seq_file *m, struct vm_area_struct *vma) static int vma_avc_has_perm(u16 tclass, u32 requested, struct seq_file *m) { struct av_decision avd; - struct inode *inode_task = file_inode(m->file); - struct task_struct *task = get_proc_task(inode_task); - u32 secid; - security_cred_getsecid(task->cred, &secid); + struct inode *inode_task = file_inode(m->file); + struct task_struct *task = get_proc_task(inode_task); + u32 secid; + security_cred_getsecid(task->cred, &secid); u32 sid = secid; return avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested, -- Gitee