selinux: randomize layout of key structures
Randomize the layout of key selinux data structures. Initially this is applied to the selinux_state, selinux_ss, policydb, and task_security_struct data structures. NB To test/use this mechanism, one must install the necessary build-time dependencies, e.g. gcc-plugin-devel on Fedora, and enable CONFIG_GCC_PLUGIN_RANDSTRUCT in the kernel configuration. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Kees Cook <keescook@chromium.org> [PM: double semi-colon fixed] Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
parent
6c5a682e64
commit
5c108d4e18
@ -35,7 +35,7 @@ struct task_security_struct {
u32 create_sid; /* fscreate SID */
u32 create_sid; /* fscreate SID */
u32 keycreate_sid; /* keycreate SID */
u32 keycreate_sid; /* keycreate SID */
u32 sockcreate_sid; /* fscreate SID */
u32 sockcreate_sid; /* fscreate SID */
};
} __randomize_layout;
enum label_initialized {
enum label_initialized {
LABEL_INVALID, /* invalid or not initialized */
LABEL_INVALID, /* invalid or not initialized */
@ -110,7 +110,7 @@ struct selinux_state {
bool policycap[__POLICYDB_CAPABILITY_MAX];
bool policycap[__POLICYDB_CAPABILITY_MAX];
struct selinux_avc *avc;
struct selinux_avc *avc;
struct selinux_ss *ss;
struct selinux_ss *ss;
};
} __randomize_layout;
void selinux_ss_init(struct selinux_ss **ss);
void selinux_ss_init(struct selinux_ss **ss);
void selinux_avc_init(struct selinux_avc **avc);
void selinux_avc_init(struct selinux_avc **avc);
@ -307,7 +307,7 @@ struct policydb {
u16 process_class;
u16 process_class;
u32 process_trans_perms;
u32 process_trans_perms;
};
} __randomize_layout;
extern void policydb_destroy(struct policydb *p);
extern void policydb_destroy(struct policydb *p);
extern int policydb_load_isids(struct policydb *p, struct sidtab *s);
extern int policydb_load_isids(struct policydb *p, struct sidtab *s);
@ -31,7 +31,7 @@ struct selinux_ss {
struct selinux_map map;
struct selinux_map map;
struct page *status_page;
struct page *status_page;
struct mutex status_lock;
struct mutex status_lock;
};
} __randomize_layout;
void services_compute_xperms_drivers(struct extended_perms *xperms,
void services_compute_xperms_drivers(struct extended_perms *xperms,
struct avtab_node *node);
struct avtab_node *node);
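Review bot: The `} __randomize_layout;` added to `struct selinux_ss` is a no-op unless the kernel is built with CONFIG_GCC_PLUGIN_RANDSTRUCT, so this hunk hardens nothing on its own and the protection it gives is only as strong as the secrecy of the per-build layout seed; that caveat belongs in the header rather than only in the commit message, e.g. `/* Layout shuffled per build only under CONFIG_GCC_PLUGIN_RANDSTRUCT; keep the seed out of shipped artifacts. */` above the closing brace. The struct holds `struct page *status_page`, which appears to back a page shared with userspace; randomizing this struct is fine because only the pointer lives here, but a comment noting that the page's own contents must keep a fixed, non-randomized layout would stop a later change from attaching the attribute to that structure. Positional (non-designated) initializers of any of the four annotated structs will now be rejected by the plugin, which is worth stating once so out-of-tree users of these headers are not surprised. The opening of `struct selinux_ss` is outside this hunk.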