From: Efstratios Karatzas
To: soc-status@freebsd.org
Date: Mon, 13 Aug 2012 19:59:02 +0300
Subject: Kernel Level File Integrity Checker report #12

During week #12:

Most of the work done last week was focused on execution control.

* Turned the sys/kern/kern_exec.c hack into a MAC hook. The pefs kernel
  module defines a MAC policy upon k-loading and uses the
  mac_vnode_check_exec hook. The issue with this hook is that in the case
  of an executable that requires an interpreter, both the script file and
  the interpreter will be checked for the schg flag.

* As a possible fix for the above behavior, I introduced a new MAC hook,
  "mac_vnode_check_exec_noscript", that will not be called for script
  files, as it is placed further down in do_execve(), right after we've
  looped back for the interpreter. I should note that I'm not convinced
  that this is the best approach to the issue at hand.

* Instead of just checking the loading of libraries at rtld-elf/rtld.c
  with a dirty hack, I moved the checks for mmap(2) to kernel space. We
  make use of the mac_vnode_check_mmap hook to check if there's an attempt
  to mmap a vnode with the PROT_EXEC flag turned on. We require that the
  schg flag be turned on in that case.

* Since for some strange reason the mac_vnode_check_mprotect hook is not
  actively used in the kernel, I introduced a new MAC hook,
  mac_vnode_set_mmap_maxprot, to guard against an attempt to mmap(2) a
  vnode and mprotect(2) those pages at a later point with the PROT_EXEC
  flag. This new hook sets the MAX_PROT flag so that in the case of a
  vnode without the schg flag, the user will never be able to set the
  PROT_EXEC flag with mprotect(2).

* Reworked how nameids are used by the codebase.

Next on the TODO list:

The only TODO left is introducing DSA signature verification for
.pefs.checksum when we mount the filesystem, which means porting a library
that supports asymmetric cryptography to the FreeBSD kernel; probably not
doable in this week. Besides that, some code cleaning and documentation
are in order.

--
Efstratios "GPF" Karatzas
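An added example, not part of the original report and not the project's code: a userland C model of the mmap(2)/mprotect(2) rules described above, showing why checking PROT_EXEC at mmap time alone leaves a gap that capping the mapping's maximum protection closes. The model_* names, MODEL_SCHG and the EACCES return value are assumptions made for this illustration.

```c
/* Userland model of the report's mmap/mprotect rules; not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>               /* PROT_READ, PROT_WRITE, PROT_EXEC */

#define MODEL_SCHG 0x1              /* constructed stand-in for the schg flag */

struct model_vnode   { unsigned flags; };         /* file flags only */
struct model_mapping { int prot; int maxprot; };  /* one mapped region */

/* mmap: refuse PROT_EXEC on a file without schg, then record the ceiling.
 * With maxprot_hook set, a file without schg also loses PROT_EXEC from
 * maxprot, which is the job the report gives mac_vnode_set_mmap_maxprot.
 * Returning EACCES is an assumption of this model. */
int model_mmap(const struct model_vnode *vp, int prot, int maxprot_hook,
               struct model_mapping *m)
{
    int schg = (vp->flags & MODEL_SCHG) != 0;

    if ((prot & PROT_EXEC) && !schg)
        return EACCES;
    m->prot = prot;
    m->maxprot = PROT_READ | PROT_WRITE | PROT_EXEC;
    if (maxprot_hook && !schg)
        m->maxprot &= ~PROT_EXEC;
    return 0;
}

/* mprotect: a mapping can never be raised above its maxprot. */
int model_mprotect(struct model_mapping *m, int prot)
{
    if ((prot & m->maxprot) != prot)
        return EACCES;
    m->prot = prot;
    return 0;
}

int main(void)
{
    struct model_vnode plain = { 0 };             /* constructed: no schg */
    struct model_mapping m;

    for (int hook = 0; hook <= 1; hook++) {
        model_mmap(&plain, PROT_READ, hook, &m);  /* allowed: no PROT_EXEC */
        printf("maxprot hook %d: mprotect(PROT_EXEC) -> %s\n", hook,
               model_mprotect(&m, PROT_READ | PROT_EXEC) ? "denied" : "allowed");
    }
    return 0;
}
```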