This is meant to be 32768 not only on 32-bit ARM but also 64-bit ARM when 32-bit process compatibility is enabled. It should check for 32-bit compatibility and make the recommendation based on it. There's already a recommendation to disable 32-bit support for attack surface reduction and being able to raise MMAP_MIN_ADDR is a tiny, largely insignificant side benefit.
Here's a relevant snippet from security/Kconfig:
config LSM_MMAP_MIN_ADDR
	int "Low address space for LSM to protect from user allocation"
	depends on SECURITY && SECURITY_SELINUX
	default 32768 if ARM || (ARM64 && COMPAT)
	default 65536
Yes, kernel-hardening-checker recommends disabling CONFIG_COMPAT according to the KSPP recommendations:
l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT', 'is not set')]
So it would be strange if we change the MMAP_MIN_ADDR check for ARM64 depending on the unwanted option and turn FAIL into OK if CONFIG_COMPAT is enabled.
No, I think CONFIG_COMPAT being enabled should cause 1 failure. Right now, it's causing a 2nd one even when that's already set to what it should be when it's enabled. The recommendation also means encouraging people to set a broken configuration since 32-bit ARM is recommended to have a lower value for compatibility. I don't know how much that's actually needed in practice but it's what they recommended.
I think we should not turn FAIL into OK depending on the CONFIG_COMPAT option that is not recommended.
But I also agree with your statement:
"The recommendation also means encouraging people to set a broken configuration since 32-bit ARM is recommended to have a lower value for compatibility."
What if we modify it this way for ARM64?
l += [AND(KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536'),
          KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT', 'is not set'))]
The output for Pixel 3a would look this way:
CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | FAIL: CONFIG_COMPAT is not "is not set"
With this approach, we:
Don't say OK for the not recommended option
And also avoid encouraging people to set the wrong value of CONFIG_DEFAULT_MMAP_MIN_ADDR if they have CONFIG_COMPAT enabled.
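A simplified model of the combined check proposed above, as an added example (not kernel-hardening-checker's own code). The helper names `parse_kconfig`, `check`, `check_and` and `mmap_min_addr_result` are hypothetical, and the three sample configs are constructed for illustration.

```python
import re

def parse_kconfig(text):
    """Return {option: value}; '# CONFIG_X is not set' lines leave X absent."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r'CONFIG_(\w+)=(.*)$', line.strip())
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
    return opts

def check(opts, name, expected):
    """Evaluate one option against its expected value."""
    actual = opts.get(name)
    if expected == 'is not set':
        return 'OK: is not found' if actual is None else f'FAIL: "{actual}"'
    if actual is None:
        return 'FAIL: is not found'
    return 'OK' if actual == expected else f'FAIL: "{actual}"'

def check_and(opts, primary, *deps):
    """Report a failed dependency as the reason; otherwise return the
    primary check's own result. primary and deps are (name, expected)."""
    for name, expected in deps:
        if not check(opts, name, expected).startswith('OK'):
            return f'FAIL: CONFIG_{name} is not "{expected}"'
    return check(opts, *primary)

def mmap_min_addr_result(kconfig_text):
    """The ARM64 rule from the thread: 65536 AND COMPAT disabled."""
    opts = parse_kconfig(kconfig_text)
    return check_and(opts, ('DEFAULT_MMAP_MIN_ADDR', '65536'),
                     ('COMPAT', 'is not set'))

# Constructed sample configs (not taken from a real device).
COMPAT_ON = "CONFIG_ARM64=y\nCONFIG_COMPAT=y\nCONFIG_DEFAULT_MMAP_MIN_ADDR=32768\n"
COMPAT_OFF = ("CONFIG_ARM64=y\n# CONFIG_COMPAT is not set\n"
              "CONFIG_DEFAULT_MMAP_MIN_ADDR=65536\n")
COMPAT_OFF_LOW = ("CONFIG_ARM64=y\n# CONFIG_COMPAT is not set\n"
                  "CONFIG_DEFAULT_MMAP_MIN_ADDR=32768\n")

if __name__ == "__main__":
    for label, cfg in [("COMPAT on", COMPAT_ON), ("COMPAT off", COMPAT_OFF),
                       ("COMPAT off, low addr", COMPAT_OFF_LOW)]:
        print(f"{label:22} -> {mmap_min_addr_result(cfg)}")
```

With COMPAT enabled the row fails with COMPAT as the stated reason, so the report never tells the user to raise DEFAULT_MMAP_MIN_ADDR while 32-bit compatibility is still on.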