From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7384CC433F5 for ; Thu, 21 Apr 2022 17:41:47 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id CF7B56B0072; Thu, 21 Apr 2022 13:41:46 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id CA7A86B0073; Thu, 21 Apr 2022 13:41:46 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B47306B0074; Thu, 21 Apr 2022 13:41:46 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.28]) by kanga.kvack.org (Postfix) with ESMTP id A215A6B0072 for ; Thu, 21 Apr 2022 13:41:46 -0400 (EDT) Received: from smtpin18.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay11.hostedemail.com (Postfix) with ESMTP id 7CD30817AE for ; Thu, 21 Apr 2022 17:41:46 +0000 (UTC) X-FDA: 79381603812.18.A6AB9B7 Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by imf27.hostedemail.com (Postfix) with ESMTP id 152A340027 for ; Thu, 21 Apr 2022 17:41:44 +0000 (UTC) Received: by mail-pl1-f176.google.com with SMTP id c23so5572955plo.0 for ; Thu, 21 Apr 2022 10:41:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=7JRw6mNztMXZ06DOT43AeVGnBVZ54ZjCu5voH5Wt+y4=; b=DkcqPXe34K3PAhGnkPTX+ibi5dB0a2z7iquzGv/EAQKFz2t1gbypfJCkAfbaR50QG4 IsNm8YHG2VZIf/ZdRMJs2j/3wx/JobsKD94qawhcAqi6i3MReh1n5BtKRHlzGm3NA+bj zu2iC+BtGtQKoLhBDZQaC8EwyYyQkVmsJdNII= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=7JRw6mNztMXZ06DOT43AeVGnBVZ54ZjCu5voH5Wt+y4=; b=plcYtSjTLcR5ZqICy/4/4W4rCXuhDBEohPfEqNCDMo8g9pGsdhUr++K7dY0Y8Gb8l9 E9qangtSMNkGUW1j3s1l5vsOVY0GDoX8A0Vc7OJjWx6/DF6C2kCOGLAKFu/+gPDibqOt j1t5cLX9tNN3BLhi2ykNEH+vzDfPTJJQ6NrF3pBTfHA4pX3x7XIjjgd5xYV5Zx0oKY8X /+/wysAQHOxc1HgX/NkStUZ6V3OcsMOPAdCBIvWFmf7GOXq2v+mAgjAhLMm3Q87paTWy INU+ejkaraM2mWo1nvhwKuHjCix8j1RnxHOu/c2OqLymKYwDfzv6RMbx4NcWttPiVqnq hvXw== X-Gm-Message-State: AOAM532D8UuIvcNrP1HjyidPaH1/J0Z+KclOX4/s+zMrxdVGQcE/f8uW BHh+qLoeYoRegbqEGr2nyltKkQ== X-Google-Smtp-Source: ABdhPJzvJsBMz4TF2Ld0nZq3b3BGx5UhBL6r5l9SjnBtlfqWPBALbFZyZbFepVsc1TYIRd/JPiI0pw== X-Received: by 2002:a17:90a:c20a:b0:1d7:4cd5:ac82 with SMTP id e10-20020a17090ac20a00b001d74cd5ac82mr2242262pjt.212.1650562904943; Thu, 21 Apr 2022 10:41:44 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id n64-20020a622743000000b0050acf41bde9sm5885926pfn.117.2022.04.21.10.41.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Apr 2022 10:41:44 -0700 (PDT) Date: Thu, 21 Apr 2022 10:41:43 -0700 From: Kees Cook To: Catalin Marinas Cc: Topi Miettinen , Andrew Morton , Christoph Hellwig , Lennart Poettering , Zbigniew =?utf-8?Q?J=C4=99drzejewski-Szmek?= , Will Deacon , Alexander Viro , Eric Biederman , Szabolcs Nagy , Mark Brown , Jeremy Linton , linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-abi-devel@lists.sourceforge.net, linux-hardening@vger.kernel.org, Jann Horn , Salvatore Mesoraca , Igor Zhbanov Subject: Re: [PATCH RFC 0/4] mm, arm64: In-kernel support for memory-deny-write-execute (MDWE) Message-ID: <202204211030.B0093CC14@keescook> References: <20220413134946.2732468-1-catalin.marinas@arm.com> <202204141028.0482B08@keescook> <202204201610.093C9D5FE8@keescook> <202204210941.4318DE6E8@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspam-User: X-Rspamd-Server: rspam03 X-Rspamd-Queue-Id: 152A340027 X-Stat-Signature: wzxfa9aejnkopp9yk4jy9ah6wug65jjr Authentication-Results: imf27.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=DkcqPXe3; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf27.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.176 as permitted sender) smtp.mailfrom=keescook@chromium.org X-HE-Tag: 1650562904-513009 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu, Apr 21, 2022 at 06:24:21PM +0100, Catalin Marinas wrote: > On Thu, Apr 21, 2022 at 09:42:23AM -0700, Kees Cook wrote: > > On Thu, Apr 21, 2022 at 04:35:15PM +0100, Catalin Marinas wrote: > > > Do we want the "was PROT_WRITE" or we just reject mprotect(PROT_EXEC) if > > > the vma is not already PROT_EXEC? The latter is closer to the current > > > systemd approach. The former allows an mprotect(PROT_EXEC) if the > > > mapping was PROT_READ only for example. > > > > > > I'd drop the "was PROT_WRITE" for now if the aim is a drop-in > > > replacement for BPF MDWE. > > > > I think "was PROT_WRITE" is an important part of the defense that > > couldn't be done with a simple seccomp filter (which is why the filter > > ended up being a problem in the first place). > > I would say "was PROT_WRITE" is slightly more relaxed than "is not > already PROT_EXEC". The seccomp filter can't do "is not already > PROT_EXEC" either since it only checks the mprotect() arguments, not the > current vma flags. > > So we have (with sub-cases): > > 1. Current BPF filter: > > a) mmap(PROT_READ|PROT_WRITE|PROT_EXEC); // fails > > b) mmap(PROT_READ|PROT_EXEC); > mprotect(PROT_READ|PROT_EXEC|PROT_BTI); // fails > > c) mmap(PROT_READ); > mprotect(PROT_READ|PROT_EXEC); // fails > > d) mmap(PROT_READ|PROT_WRITE); > mprotect(PROT_READ); > mprotect(PROT_READ|PROT_EXEC); // fails > > 2. "is not already PROT_EXEC": > > a) mmap(PROT_READ|PROT_WRITE|PROT_EXEC); // fails > > b) mmap(PROT_READ|PROT_EXEC); > mprotect(PROT_READ|PROT_EXEC|PROT_BTI); // passes > > c) mmap(PROT_READ); > mprotect(PROT_READ|PROT_EXEC); // fails > > d) mmap(PROT_READ|PROT_WRITE); > mprotect(PROT_READ); > mprotect(PROT_READ|PROT_EXEC); // fails > > 3. "is or was not PROT_WRITE": > > a) mmap(PROT_READ|PROT_WRITE|PROT_EXEC); // fails > > b) mmap(PROT_READ|PROT_EXEC); > mprotect(PROT_READ|PROT_EXEC|PROT_BTI); // passes > > c) mmap(PROT_READ); > mprotect(PROT_READ|PROT_EXEC); // passes > > d) mmap(PROT_READ|PROT_WRITE); > mprotect(PROT_READ); > mprotect(PROT_READ|PROT_EXEC); // fails [edited above to show each case] restated what was already summarized: Problem is 1.b. 2 and 3 solve it. 3 is more relaxed (c passes). > If we don't care about 3.c, we might as well go for (2). I don't mind, > already went for (3) in this series. I think either of them would not be > a regression on MDWE, unless there is some test that attempts 3.c and > expects it to fail. I should stop arguing for a less restrictive mode. ;) It just feels weird that the combinations are API-mediated, rather than logically defined: I can do PROT_READ|PROT_EXEC with mmap but not mprotect under 2. As opposed to saying "the vma cannot be executable if it is or ever was writable". I find the latter much easier to reason about as far as the expectations of system state. So, I'd still prefer 3, as that was the _goal_ of the systemd MDWE seccomp filter, but yes, 2 does provide the same protection while allowing BTI. -- Kees Cook