From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 425C4C433EF
	for <linux-mm@archiver.kernel.org>; Thu, 14 Apr 2022 18:52:23 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 86C026B0071; Thu, 14 Apr 2022 14:52:22 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 81A826B0073; Thu, 14 Apr 2022 14:52:22 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 6BB106B0074; Thu, 14 Apr 2022 14:52:22 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0026.hostedemail.com [216.40.44.26])
	by kanga.kvack.org (Postfix) with ESMTP id 5B88F6B0071
	for <linux-mm@kvack.org>; Thu, 14 Apr 2022 14:52:22 -0400 (EDT)
Received: from smtpin30.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id 03986A835F
	for <linux-mm@kvack.org>; Thu, 14 Apr 2022 18:52:21 +0000 (UTC)
X-FDA: 79356380124.30.C46C459
Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174])
	by imf28.hostedemail.com (Postfix) with ESMTP id 476FBC000B
	for <linux-mm@kvack.org>; Thu, 14 Apr 2022 18:52:20 +0000 (UTC)
Received: by mail-pg1-f174.google.com with SMTP id i184so5052114pgc.2
        for <linux-mm@kvack.org>; Thu, 14 Apr 2022 11:52:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=KPncbYJNbA92y1tOvGAA/kfwDjyfM1X8IrkxMDKfJ+M=;
        b=oNJvsyY0dZL8jzpd34U1+lD1Mh8SQf6LfMh/R2x0RNJXbEdp0Xg7P85/Y+6PQt0AES
         rhaP4cro55hlKlnS+hw2JRDJMYhHFgA8+9OIE42iBmqFG6lmbZCLPNkLehXQLN21cuOM
         91/dtOApOgZJLABiR/avAVberdE2aWu4pBxhU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=KPncbYJNbA92y1tOvGAA/kfwDjyfM1X8IrkxMDKfJ+M=;
        b=iWftEoivRH3WSF5ldAVNg4/gDf8whDytQMX2xsJWtQ3tcLHU1eEI4QWNX+NU7HLU5d
         k2GXkxToaI8wQaWJYDFp3HAbTcriDVhErHGswLSGLjS7hXSSx1ZzlaSCA/XMJBp1xnMd
         vUamCVGiHGkSjW/PlSSKo78t9kKWdTeC0sywsfYtASpH6bW2K1Ix8tIGpBktiPC3T9Fo
         hTntJ8sRPt0OrkqZCPdHHaqaF/IFlDCnMSVS4RpwYQONdJbXmB6Iatjaw1OVll6Sjr5k
         yLgYQQqzlC/+2Vkfh03VqvT1yUIA4gp8gCIuJl1bQOkUieEVGIXl8tolYnoJ2KNB+3Tu
         SMjg==
X-Gm-Message-State: AOAM533FCMvchRUdsL2P1+NgjMl9cSAVts8kDMsMW0FD3xRJzCP8DRH0
	Y+XgM/TPfFtkgRWEii9j7zphoA==
X-Google-Smtp-Source: ABdhPJw+Fal9pBni7mp3U0SmabFGXSbaUnm/vG5K31I/eUCpSn6eG3IceNt4WGY+Pb6rg423uVG4qg==
X-Received: by 2002:a62:1548:0:b0:505:fd84:33f1 with SMTP id 69-20020a621548000000b00505fd8433f1mr5299523pfv.66.1649962338843;
        Thu, 14 Apr 2022 11:52:18 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id c64-20020a624e43000000b005081ec7d679sm613192pfb.1.2022.04.14.11.52.18
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 14 Apr 2022 11:52:18 -0700 (PDT)
Date: Thu, 14 Apr 2022 11:52:17 -0700
From: Kees Cook <keescook@chromium.org>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Christoph Hellwig <hch@infradead.org>,
	Lennart Poettering <lennart@poettering.net>,
	Zbigniew =?utf-8?Q?J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>,
	Will Deacon <will@kernel.org>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Eric Biederman <ebiederm@xmission.com>,
	Szabolcs Nagy <szabolcs.nagy@arm.com>,
	Mark Brown <broonie@kernel.org>,
	Jeremy Linton <jeremy.linton@arm.com>,
	Topi Miettinen <toiwoton@gmail.com>, linux-mm@kvack.org,
	linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
	linux-abi-devel@lists.sourceforge.net,
	linux-hardening@vger.kernel.org, Jann Horn <jannh@google.com>,
	Salvatore Mesoraca <s.mesoraca16@gmail.com>,
	Igor Zhbanov <izh1979@gmail.com>
Subject: Re: [PATCH RFC 0/4] mm, arm64: In-kernel support for
 memory-deny-write-execute (MDWE)
Message-ID: <202204141028.0482B08@keescook>
References: <20220413134946.2732468-1-catalin.marinas@arm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20220413134946.2732468-1-catalin.marinas@arm.com>
X-Rspam-User: 
X-Stat-Signature: ph48iw14hq5oue9gwf1gcynz3aus5nfy
Authentication-Results: imf28.hostedemail.com;
	dkim=pass header.d=chromium.org header.s=google header.b=oNJvsyY0;
	spf=pass (imf28.hostedemail.com: domain of keescook@chromium.org designates 209.85.215.174 as permitted sender) smtp.mailfrom=keescook@chromium.org;
	dmarc=pass (policy=none) header.from=chromium.org
X-Rspamd-Server: rspam01
X-Rspamd-Queue-Id: 476FBC000B
X-HE-Tag: 1649962340-605399
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Wed, Apr 13, 2022 at 02:49:42PM +0100, Catalin Marinas wrote:
> The background to this is that systemd has a configuration option called
> MemoryDenyWriteExecute [1], implemented as a SECCOMP BPF filter. Its aim
> is to prevent a user task from inadvertently creating an executable
> mapping that is (or was) writeable. Since such BPF filter is stateless,
> it cannot detect mappings that were previously writeable but
> subsequently changed to read-only. Therefore the filter simply rejects
> any mprotect(PROT_EXEC). The side-effect is that on arm64 with BTI
> support (Branch Target Identification), the dynamic loader cannot change
> an ELF section from PROT_EXEC to PROT_EXEC|PROT_BTI using mprotect().
> For libraries, it can resort to unmapping and re-mapping but for the
> main executable it does not have a file descriptor. The original bug
> report in the Red Hat bugzilla - [2] - and subsequent glibc workaround
> for libraries - [3].

Right, so, the systemd filter is a big hammer solution for the kernel
not having a very easy way to provide W^X mapping protections to
userspace. There's stuff in SELinux, and there have been several
attempts[1] at other LSMs to do it too, but nothing stuck.

Given the filter, and the implementation of how to enable BTI, I see two
solutions:

- provide a way to do W^X so systemd can implement the feature differently
- provide a way to turn on BTI separate from mprotect to bypass the filter

I would agree, the latter seems like the greater hack, so I welcome
this RFC, though I think it might need to explore a bit of the feature
space exposed by other solutions[1] (i.e. see SARA and NAX), otherwise
it risks being too narrowly implemented. For example, playing well with
JITs should be part of the design, and will likely need some kind of
ELF flags and/or "sealing" mode, and to handle the vma alias case as
Jann Horn pointed out[2].

> Add in-kernel support for such feature as a DENY_WRITE_EXEC personality
> flag, inherited on fork() and execve(). The kernel tracks a previously
> writeable mapping via a new VM_WAS_WRITE flag (64-bit only
> architectures). I went for a personality flag by analogy with the
> READ_IMPLIES_EXEC one. However, I'm happy to change it to a prctl() if
> we don't want more personality flags. A minor downside with the
> personality flag is that there is no way for the user to query which
> flags are supported, so in patch 3 I added an AT_FLAGS bit to advertise
> this.

My instinct here is to use a prctl(), which maps to other kinds of modern
inherited state (like no_new_privs).

> Posting this as an RFC to start a discussion and cc'ing some of the
> systemd guys and those involved in the earlier thread around the glibc
> workaround for dynamic libraries [4]. Before thinking of upstreaming
> this we'd need the systemd folk to buy into replacing the MDWE SECCOMP
> BPF filter with the in-kernel one.
> 
> Thanks,
> 
> Catalin
> 
> [1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1888842
> [3] https://sourceware.org/bugzilla/show_bug.cgi?id=26831
> [3] https://lore.kernel.org/r/cover.1604393169.git.szabolcs.nagy@arm.com

So, yes, let's do it. It's long long overdue in the kernel. :)

-Kees

[1] https://github.com/KSPP/linux/issues/32
[2] https://github.com/KSPP/linux/issues/32#issuecomment-1084859611

> 
> Catalin Marinas (4):
>   mm: Track previously writeable vma permission
>   mm, personality: Implement memory-deny-write-execute as a personality
>     flag
>   fs/binfmt_elf: Tell user-space about the DENY_WRITE_EXEC personality
>     flag
>   arm64: Select ARCH_ENABLE_DENY_WRITE_EXEC
> 
>  arch/arm64/Kconfig               |  1 +
>  fs/binfmt_elf.c                  |  2 ++
>  include/linux/mm.h               |  6 ++++++
>  include/linux/mman.h             | 18 +++++++++++++++++-
>  include/uapi/linux/binfmts.h     |  4 ++++
>  include/uapi/linux/personality.h |  1 +
>  mm/Kconfig                       |  4 ++++
>  mm/mmap.c                        |  3 +++
>  mm/mprotect.c                    |  5 +++++
>  9 files changed, 43 insertions(+), 1 deletion(-)
> 

-- 
Kees Cook