allow execmod and execmem for self debugging process [targeted]

John Reiser jreiser at BitWagon.com
Sun Jun 19 19:18:33 UTC 2005


A self-debugging process wants arbitrary mmap() and mprotect() on itself,
but gets EACCES with "avc: denied { execmod }" when it tries.
What needs to be done to allow this?  There are three cases:
  a) well-known named filesystem path as most-recent execve()
  b) process with "self-debug" as leaf name of most-recent execve()
  c) any execve() of a file with some assignable attribute [context]

Using selinux-policy-targeted-1.23.16-6 enforcing under Fedora Core 4
kernel-2.6.11-1.1369_FC4, I see complaints such as
----
  type=AVC_PATH msg=audit(1119151560.280:466428): \
     path="/path/to/self-debugger/shared-library"
  type=SYSCALL msg=audit(1119151560.280:466428): arch=40000003 syscall=125 per=400000 \
    success=no exit=-13 a0=3000 a1=1000 a2=5 a3=0 items=0 pid=2701 auid=4294967295 \
    uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 \
    comm="self-debug" exe="/path/to/self-debugger/self-debug"
  type=AVC msg=audit(1119151560.280:466428): avc:  denied  { execmod } for  pid=2701 \
    comm="self-debug" name=shared-library dev=hda7 ino=4104583 \
    scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:file_t tclass=file
----
Booting the kernel with "enforcing=0" allows the mprotect() to succeed;
auditd.log still shows similar messages, except with "success=yes exit=0".
I'd like to retain the safeguards of the targeted enforcing policy,
but allow "known cases" the capabilities that they need.
[Yes, this is a technique that malware may try to exploit.
"Bonware" deserves the chance to exploit it, too.]

/etc/selinux/targeted/booleans has
-----
allow_execmod=1
allow_execmem=1
-----
Shouldn't these two values have allowed any mprotect?

The self-debugger wants to re-write PROT_EXEC + MAP_PRIVATE pages
of itself and other files that have been mmap()ed into the same process.
Code in a .a archive library such as http://BitWagon.com/tub/tub.html
gives an application more control over its address space by "hooking"
all mmap(), etc.  Complicated watchpoints run thousands of times faster
in contrast to requiring ptrace() by a second process [gdb], etc.
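As an added example (not part of the post), a small Python parser that joins the three audit records shown above by their audit(time:serial) id and decodes the fields a reviewer looks at when triaging an execmod denial: the denied permission, the source and target types, the syscall and PROT_* bits, and the errno. It assumes i386 syscall numbers (arch=40000003) and that the backslash continuation lines have been joined; the sample is constructed from the post.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: the three records from the post, continuation lines joined.
SAMPLE = """\
type=AVC_PATH msg=audit(1119151560.280:466428): path="/path/to/self-debugger/shared-library"
type=SYSCALL msg=audit(1119151560.280:466428): arch=40000003 syscall=125 per=400000 success=no exit=-13 a0=3000 a1=1000 a2=5 a3=0 items=0 pid=2701 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="self-debug" exe="/path/to/self-debugger/self-debug"
type=AVC msg=audit(1119151560.280:466428): avc:  denied  { execmod } for  pid=2701 comm="self-debug" name=shared-library dev=hda7 ino=4104583 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:file_t tclass=file
"""

# arch=40000003 is AUDIT_ARCH_I386; these i386 syscalls take PROT_* bits in a2.
I386_PROT_SYSCALLS = {125: "mprotect", 192: "mmap2"}
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_events(text):
    """Group audit records by their audit(time:serial) id and merge key=value fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[m.group(2)]
        a = AVC_RE.search(line)
        if a:  # the AVC record carries the verdict and the denied permission set
            ev["result"], ev["perms"] = a.group(1), a.group(2).split()
        for k, v in KV_RE.findall(line):
            ev.setdefault(k, v.strip('"'))  # first record to mention a key wins
    return dict(events)

def describe(ev):
    """Decode the fields a reviewer checks when triaging an execmod/execmem denial."""
    sc = int(ev["syscall"])
    name = I386_PROT_SYSCALLS.get(sc) if ev.get("arch") == "40000003" else None
    prot = int(ev.get("a2", "0"), 16) if name else 0  # audit logs a2 in hex
    return {
        "denied": ev.get("result") == "denied",
        "perms": ev.get("perms", []),
        "syscall": name or str(sc),
        "prot": [n for b, n in PROT_BITS.items() if prot & b],
        "errno": errno.errorcode.get(-int(ev["exit"]), ev["exit"]),
        "path": ev.get("path"),
        "source_type": ev["scontext"].split(":")[2],
        "target_type": ev["tcontext"].split(":")[2],
    }
```

For the post's records this yields a denied execmod on mprotect with PROT_READ|PROT_EXEC returning EACCES, with the target labelled file_t rather than a library type.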
