tech-kern archive


Re: jit code and securelevel



On Jan 1,  8:34pm, Alexander Nasonov wrote:
} Subject: Re: jit code and securelevel
} Christos Zoulas wrote:
} > On Jan 1,  6:21pm, alnsn%yandex.ru@localhost (Alexander Nasonov) wrote:
} > | They might spot use-after-free bug and reuse freed memory for bpf_d
} > | object which has a pointer to jit code.
} > 
} > The exploit takes advantage of being able to insert particular code
} > sequences that have different meanings at different code offsets (which
} > can happen naturally too -- there is a paper that describes such attacks),
} > and depends on other kernel bugs to be functional.
} 
} A hypothetical use-after-free bug alone wouldn't let you jump to
} a different offset, but those guys are very creative. If they ever
} succeed in exploiting a system with the help of bpfjit code, I'd be very
} interested in details ;-)
} 
} > At the same time, killing
} > jit at securelevel 1 is not really fatal, with the exception of npf.
} > 
} > Perhaps having a sysctl to enable/disable it that can only be enabled
} > at a low securelevel can let people choose the behavior they want.
} 
} I implemented it, see below, but I feel it's not right to query
} securelevel directly, adding new KAUTH_SYSTEM_BPFJIT would be
} a better approach. Not sure it's worth the effort.

     Keep in mind that securelevel is only one of many possible security
models.  A different security model could be loaded that doesn't
have securelevel or an analogue.  Poking around in the guts of a
security model is extremely bad form.

}-- End of excerpt from Alexander Nasonov
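As an added illustration of the design point made in this reply (constructed example code, not NetBSD's kauth API and not the patch Alexander mentions): a self-contained model in which the sysctl handler asks whatever security model is loaded, through a registered listener, whether bpfjit may be enabled, so the handler itself never reads securelevel. Names such as ACTION_BPFJIT_ENABLE, the two listeners and sysctl_bpfjit_set are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the kauth-style dispatch discussed in the thread:
 * the sysctl handler asks the loaded security model, via a listener,
 * whether enabling bpfjit is permitted. All names are hypothetical. */

enum action { ACTION_BPFJIT_ENABLE };
enum result { RESULT_DEFER, RESULT_ALLOW, RESULT_DENY };
struct cred { int uid; };

/* A security model registers one listener; its internals stay private. */
typedef enum result (*listener_fn)(const struct cred *, enum action);
static listener_fn active_listener;

/* Dispatch: the request is denied unless the active model explicitly allows. */
static bool authorize(const struct cred *cred, enum action act)
{
    return active_listener != NULL &&
           active_listener(cred, act) == RESULT_ALLOW;
}

/* Model 1: a securelevel-based model; root may enable only at level <= 0. */
static int securelevel = 0;
static enum result securelevel_listener(const struct cred *cred, enum action act)
{
    if (act != ACTION_BPFJIT_ENABLE)
        return RESULT_DEFER;
    return (cred->uid == 0 && securelevel <= 0) ? RESULT_ALLOW : RESULT_DENY;
}

/* Model 2: a model with no securelevel at all; root always decides. */
static enum result plain_root_listener(const struct cred *cred, enum action act)
{
    (void)act;
    return cred->uid == 0 ? RESULT_ALLOW : RESULT_DENY;
}

/* The sysctl write path: turning jit off is always accepted (it only
 * restricts), turning it back on is gated by the model. Returns 0 or errno. */
static bool bpfjit_enabled = true;
static int sysctl_bpfjit_set(const struct cred *cred, bool want)
{
    if (want && !bpfjit_enabled && !authorize(cred, ACTION_BPFJIT_ENABLE))
        return EPERM;
    bpfjit_enabled = want;
    return 0;
}
```

Swapping active_listener for a model without securelevel changes who may re-enable jit without touching the sysctl handler, which is the separation the reply argues for.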

