From 6d41fb503aa77b8145d49b730b44f9b110ce7970 Mon Sep 17 00:00:00 2001 From: cbl Date: Mon, 26 Aug 2024 15:27:51 +0800 Subject: [PATCH] =?UTF-8?q?=E5=AE=89=E5=85=A8=E7=89=B9=E6=80=A7=E5=8D=87?= =?UTF-8?q?=E7=BA=A7linux6.6=E5=86=85=E6=A0=B8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: cbl --- fs/Kconfig | 1 + fs/exec.c | 2 ++ fs/proc/Makefile | 1 + fs/proc/task_mmu.c | 2 ++ include/uapi/asm-generic/mman-common.h | 3 +++ kernel/cred.c | 2 ++ kernel/exit.c | 5 +++++ kernel/fork.c | 2 ++ kernel/nsproxy.c | 6 ++++++ mm/mmap.c | 12 ++++++++++++ mm/mprotect.c | 9 +++++++++ security/Kconfig | 1 + security/Makefile | 2 ++ security/selinux/hooks.c | 2 ++ security/selinux/include/classmap.h | 6 ++++++ 15 files changed, 56 insertions(+) diff --git a/fs/Kconfig b/fs/Kconfig index 562a57bc7d04..b8ef9f997548 100644 --- a/fs/Kconfig +++ b/fs/Kconfig @@ -51,6 +51,7 @@ source "fs/btrfs/Kconfig" source "fs/nilfs2/Kconfig" source "fs/f2fs/Kconfig" source "fs/zonefs/Kconfig" +source "fs/proc/memory_security/Kconfig" endif # BLOCK diff --git a/fs/exec.c b/fs/exec.c index 2f2b0acec4f0..e7e431e2a479 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -75,6 +75,7 @@ #include "internal.h" #include +#include static int bprm_creds_from_file(struct linux_binprm *bprm); @@ -1868,6 +1869,7 @@ static int bprm_execve(struct linux_binprm *bprm, user_events_execve(current); acct_update_integrals(current); task_numa_free(current, false); + CALL_HCK_LITE_HOOK(ced_detection_lhck, current); return retval; out: diff --git a/fs/proc/Makefile b/fs/proc/Makefile index bd08616ed8ba..04a0dd7256c2 100644 --- a/fs/proc/Makefile +++ b/fs/proc/Makefile @@ -34,3 +34,4 @@ proc-$(CONFIG_PROC_VMCORE) += vmcore.o proc-$(CONFIG_PRINTK) += kmsg.o proc-$(CONFIG_PROC_PAGE_MONITOR) += page.o proc-$(CONFIG_BOOT_CONFIG) += bootconfig.o +obj-$(CONFIG_MEMORY_SECURITY) += memory_security/ 
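Review bot: The new `source "fs/proc/memory_security/Kconfig"` is placed inside the `if BLOCK` … `endif # BLOCK` section, so the memory-security options disappear whenever CONFIG_BLOCK is disabled although nothing this patch shows ties the feature to block devices. Move the line below `endif # BLOCK`, next to the unconditional sources. The referenced `fs/proc/memory_security/` directory (and the `security/container_escape_detection/` one sourced later) is not part of this patch, so the tree cannot be configured or built from this commit alone.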
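Review bot: The `ced_detection_lhck` call added to bprm_execve has no comment saying what it is expected to observe, and because the lite hook returns nothing it cannot refuse the exec at this point — it runs after `task_numa_free()` on the success path, long past the point of no return in begin_new_exec, which is outside this hunk. If detection-only is the intent, state it: `/* CED: post-exec detection only; the exec is already committed and cannot be refused here */`. If a refusal was intended, the check has to run before credentials and the new mm are committed, not here.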
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 3dd5be96691b..bd8285811728 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -25,6 +25,7 @@ #include #include #include "internal.h" +#include #define SEQ_PUT_DEC(str, val) \ seq_put_decimal_ull_width(m, str, (val) << (PAGE_SHIFT-10), 8) @@ -279,6 +280,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma) start = vma->vm_start; end = vma->vm_end; + CALL_HCK_LITE_HOOK(hideaddr_header_prefix_lhck, &start, &end, &flags, m, vma); show_vma_header_prefix(m, start, end, flags, pgoff, dev, ino); if (mm) anon_name = anon_vma_name(vma); diff --git a/include/uapi/asm-generic/mman-common.h b/include/uapi/asm-generic/mman-common.h index 6ce1f1ceb432..2b18883487ac 100644 --- a/include/uapi/asm-generic/mman-common.h +++ b/include/uapi/asm-generic/mman-common.h @@ -33,6 +33,9 @@ #define MAP_UNINITIALIZED 0x4000000 /* For anonymous mmap, memory could be * uninitialized */ +#define MAP_JIT 0x80000000 /* For JIT compiler which apply FORT_NONE memory + * and turn it into PORT_EXEC when code run */ + /* * Flags for mlock */ diff --git a/kernel/cred.c b/kernel/cred.c index 64404d51c052..68e80acff295 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -19,6 +19,7 @@ #include #include #include +#include #if 0 #define kdebug(FMT, ...) \ @@ -390,6 +391,7 @@ int commit_creds(struct cred *new) struct task_struct *task = current; const struct cred *old = task->real_cred; + CALL_HCK_LITE_HOOK(ced_commit_creds_lhck, new); kdebug("commit_creds(%p{%ld})", new, atomic_long_read(&new->usage)); diff --git a/kernel/exit.c b/kernel/exit.c index 21a59a6e1f2e..e2a70a9f07c0 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -73,6 +73,8 @@ #include #include #include +#include +#include /* * The default value should be high enough to not crash a system that randomly 
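Review bot: `hideaddr_header_prefix_lhck` is handed `&start`, `&end` and `&flags`, so it may rewrite what show_vma_header_prefix prints, yet nothing documents that contract and the remainder of show_map_vma (the name/path output below this hunk) still reads `vma` directly. Add `/* hideaddr: hook may rewrite start/end/flags before they are printed; vma itself is untouched */` above the call. If the goal is to hide executable anonymous mappings (the new SELinux permission is named hide_exec_anon_mem), the same ranges remain visible through smaps, pagemap and /proc/PID/mem unless those paths are covered elsewhere — worth confirming in the cover letter.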
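Review bot: `MAP_JIT 0x80000000` occupies bit 31, which lies inside the MAP_HUGE_* size field: this same header (outside the hunk) defines MAP_HUGE_SHIFT as 26 and MAP_HUGE_MASK as 0x3f, so bits 26–31 carry the encoded huge-page size. A MAP_HUGETLB caller whose size encoding sets bit 31 would look like a MAP_JIT request, and a MAP_JIT request that also passes MAP_HUGETLB is decoded as a bogus huge-page size; if the hook keys on this bit (not visible here) the policy can be confused in both directions, so choose a free bit below MAP_HUGE_SHIFT or strip the flag before the hugetlb decode. Arches with their own mman.h (mips, parisc, alpha) do not include this header and would need the definition too. The comment also has typos: `FORT_NONE`/`PORT_EXEC` should read `PROT_NONE`/`PROT_EXEC`.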
@@ -811,6 +813,8 @@ void __noreturn do_exit(long code) struct task_struct *tsk = current; int group_dead; + CALL_HCK_LITE_HOOK(exit_jit_memory_lhck, current); + WARN_ON(irqs_disabled()); synchronize_group_exit(tsk, code); @@ -890,6 +894,7 @@ void __noreturn do_exit(long code) exit_tasks_rcu_start(); exit_notify(tsk, group_dead); + CALL_HCK_LITE_HOOK(ced_exit_lhck, tsk); proc_exit_connector(tsk); mpol_put_task_policy(tsk); #ifdef CONFIG_FUTEX diff --git a/kernel/fork.c b/kernel/fork.c index 486248a10b8b..75f01159c909 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -110,6 +110,7 @@ #define CREATE_TRACE_POINTS #include +#include /* * Minimum number of threads to boot the kernel @@ -2942,6 +2943,7 @@ pid_t kernel_clone(struct kernel_clone_args *args) task_unlock(p); } + CALL_HCK_LITE_HOOK(ced_kernel_clone_lhck, p); wake_up_new_task(p); /* forking complete and child started to run, tell ptracer */ diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index 15781acaac1c..945731754ff9 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c @@ -26,6 +26,7 @@ #include #include #include +#include static struct kmem_cache *nsproxy_cachep; @@ -240,6 +241,11 @@ void switch_task_namespaces(struct task_struct *p, struct nsproxy *new) { struct nsproxy *ns; + int ret = 0; + CALL_HCK_LITE_HOOK(ced_switch_task_namespaces_lhck, new); + CALL_HCK_LITE_HOOK(ced_switch_task_namespaces_permission_lhck, new, &ret); + if (ret) + return; might_sleep(); task_lock(p); diff --git a/mm/mmap.c b/mm/mmap.c index 9e018d8dd7d6..fb2022196845 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -52,6 +52,7 @@ #include #include #include +#include #define CREATE_TRACE_POINTS #include 
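Review bot: `exit_jit_memory_lhck` is invoked before `WARN_ON(irqs_disabled())` and `synchronize_group_exit()`, so the existing sanity check no longer covers the first thing do_exit does; move the call below `synchronize_group_exit(tsk, code);` unless the hook genuinely must run first. do_exit is also per-thread: when one thread of a multi-threaded process exits, its mm is still in use by its siblings, so if the hook releases per-mm JIT bookkeeping (the name suggests so, the body is not visible) it is tearing down state that live threads still depend on — tying it to mm teardown (exit_mmap/mmput) or guarding it with `group_dead` would be the safer anchor. The `ced_exit_lhck` placement after `exit_notify()` in the second hunk raises no issue.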
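Review bot: The early `return;` after `ced_switch_task_namespaces_permission_lhck` turns a refusal into a silent no-op: switch_task_namespaces is `void`, so setns()/unshare() callers still report success to userspace while the task keeps its old namespaces, and the `new` nsproxy reference the caller handed over is neither installed nor released (the body that stores it into `p->nsproxy` and drops the old one is below the hunk), which looks like a leak of `new` on every denial. The permission check belongs before ownership is transferred — in the callers, where `-EPERM` can be returned — or the function needs an `int` return that every caller checks; either way the `exit_task_namespaces` path that passes `new == NULL` must keep working. A comment on the `if (ret)` line stating what a denial is supposed to mean for the caller is also needed.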
@@ -1418,6 +1419,12 @@ unsigned long ksys_mmap_pgoff(unsigned long addr, unsigned long len, } retval = vm_mmap_pgoff(file, addr, len, prot, flags, pgoff); + + if (!IS_ERR_VALUE(retval)) { + CALL_HCK_LITE_HOOK(check_jit_memory_lhck, current, fd, prot, flags, PAGE_ALIGN(len), &retval); + if (IS_ERR_VALUE(retval)) + pr_info("JITINFO: jit request denied"); + } out_fput: if (file) fput(file); @@ -2629,6 +2636,11 @@ int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, if (end == start) return -EINVAL; + int errno = 0; + CALL_HCK_LITE_HOOK(delete_jit_memory_lhck, current, start, len, &errno); + if (errno) + return errno; + /* arch_unmap() might do unmaps itself. */ arch_unmap(mm, start, end); diff --git a/mm/mprotect.c b/mm/mprotect.c index b94fbb45d5c7..569072a152ee 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -38,6 +38,7 @@ #include #include "internal.h" +#include bool can_change_pte_writable(struct vm_area_struct *vma, unsigned long addr, pte_t pte) @@ -701,6 +702,14 @@ static int do_mprotect_pkey(unsigned long start, size_t len, start = untagged_addr(start); + if (prot & PROT_EXEC) { + CALL_HCK_LITE_HOOK(find_jit_memory_lhck, current, start, len, &error); + if (error) { + pr_info("JITINFO: mprotect protection triggered"); + return error; + } + } + prot &= ~(PROT_GROWSDOWN|PROT_GROWSUP); if (grows == (PROT_GROWSDOWN|PROT_GROWSUP)) /* can't be both */ return -EINVAL; diff --git a/security/Kconfig b/security/Kconfig index 52c9af08ad35..f01e53cce1d9 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -194,6 +194,7 @@ source "security/yama/Kconfig" source "security/safesetid/Kconfig" source "security/lockdown/Kconfig" source "security/landlock/Kconfig" +source "security/container_escape_detection/Kconfig" source "security/integrity/Kconfig" diff --git a/security/Makefile b/security/Makefile index 18121f8f85cd..9405ac9c85fa 100644 --- a/security/Makefile +++ b/security/Makefile 
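Review bot: `check_jit_memory_lhck` runs after `vm_mmap_pgoff()` has already created the mapping, so when the hook overwrites `retval` with an error the VMA stays in the address space while mmap() reports failure — the caller never learns the address and cannot clean it up, and the memory the policy meant to refuse remains mapped. Every input the hook takes (`fd`, `prot`, `flags`, `PAGE_ALIGN(len)`) is known before the call, so run the check first and skip `vm_mmap_pgoff()` on denial; if the hook must also record the resulting address (not visible here), then on denial undo the mapping with `vm_munmap()` before returning the error. The `pr_info` is reachable by any unprivileged caller in a loop and lacks its newline, so use `pr_info_ratelimited("JITINFO: jit request denied\n")`; the same applies to the `pr_info` in the mprotect.c hunk below.
```c
	retval = 0;
	CALL_HCK_LITE_HOOK(check_jit_memory_lhck, current, fd, prot, flags, PAGE_ALIGN(len), &retval);
	if (IS_ERR_VALUE(retval)) {
		pr_info_ratelimited("JITINFO: jit request denied\n");
		goto out_fput;
	}
	retval = vm_mmap_pgoff(file, addr, len, prot, flags, pgoff);
	/* … unchanged: out_fput label and fput … */
```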
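Review bot: The munmap hook is handed the caller's raw `len` although do_vmi_munmap has already computed the page-aligned `end` just above the hunk (`end = start + PAGE_ALIGN(len)`), while the mmap-side registration in ksys_mmap_pgoff uses `PAGE_ALIGN(len)`; a partial-page `len` is therefore matched against an aligned record, so pass `end - start` instead. `int errno = 0;` reuses a name every C reader takes for the libc global and is declared after executable statements; `int err = 0;` with the other locals at the top of the function, and `return err;`, fits the surrounding style. do_munmap() wraps this function, so as far as I can tell MAP_FIXED replacement and mremap() also pass through this denial — confirm that is intended and note it in a comment above the hook call.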
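Review bot: `find_jit_memory_lhck` is consulted on `start`/`len` before do_mprotect_pkey's own validation — the `start & ~PAGE_MASK`, `!len`, `PAGE_ALIGN(len)` and `end <= start` checks that follow later in the function, outside this hunk — so the hook sees unaligned and even wrapping ranges the syscall would otherwise reject with -EINVAL/-ENOMEM, and its verdict on such input is returned first. Move the block to just after `end = start + len` has been validated and pass the aligned range. Separately, the declaration of `error` is outside the hunk; as far as I recall mainline declares it as `int error;` with no initializer, in which case `if (error)` reads an indeterminate value whenever no lite hook is registered — write `error = 0;` immediately before the `CALL_HCK_LITE_HOOK` line, or use a fresh `int jit_err = 0;`. The message should be `pr_info_ratelimited("JITINFO: mprotect protection triggered\n")`, since any unprivileged process can trigger it repeatedly.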
@@ -4,6 +4,7 @@ # obj-$(CONFIG_KEYS) += keys/ +subdir-$(CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION) += container_escape_detection # always enable default capabilities obj-y += commoncap.o @@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_BPF_LSM) += bpf/ obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/ +obj-$(CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION) += container_escape_detection/ # Object integrity file lists obj-$(CONFIG_INTEGRITY) += integrity/ diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 53cfeefb2f19..ff4b48f37a91 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -92,6 +92,7 @@ #include #include #include +#include #include "avc.h" #include "objsec.h" @@ -6489,6 +6490,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) } commit_creds(new); + CALL_HCK_LITE_HOOK(ced_setattr_insert_lhck, current); return size; abort_change: diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index a3c380775d41..0f99d5834410 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -256,6 +256,12 @@ const struct security_class_mapping secclass_map[] = { { "override_creds", "sqpoll", "cmd", NULL } }, { "user_namespace", { "create", NULL } }, + { "hideaddr", + { "hide_exec_anon_mem", "hide_exec_anon_mem_debug", NULL } }, + { "jit_memory", + { "exec_mem_ctrl", NULL} }, + { "ced", + { "container_escape_check", NULL} }, { NULL } }; -- Gitee
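Review bot: The `subdir-$(CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION) += container_escape_detection` line is redundant with the `obj-$(CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION) += container_escape_detection/` entry added in the second hunk: an `obj-` entry ending in `/` already descends into the directory, and none of the sibling LSMs in this Makefile carry a `subdir-` entry any more. Unless the directory needs an early descent for generated headers, drop the `subdir-` line and keep only the `obj-` one.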
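Review bot: The initializers `{ "exec_mem_ctrl", NULL} }` and `{ "container_escape_check", NULL} }` drop the space before the closing brace that every neighbouring entry has; write `{ "exec_mem_ctrl", NULL } }` and `{ "container_escape_check", NULL } }`. A loaded policy that does not define `hideaddr`, `jit_memory` and `ced` will, as far as I recall, have these classes resolved as unknown and answered by the policy's handle_unknown setting, so the kernel checks that use them (not in this patch) silently become allow-all or deny-all depending on that setting — a one-line comment above the block, `/* hideaddr/jit_memory/ced must exist in the loaded policy; unknown classes follow handle_unknown */`, would make that dependency visible to whoever ships the policy.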