From: Kees Cook
To: jeffxu@chromium.org
Cc: skhan@linuxfoundation.org, akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v3] mm/memfd: add F_SEAL_EXEC
Date: Fri, 2 Dec 2022 14:43:54 -0800
Message-ID: <202212021443.0F684E33@keescook>
References: <20221202013404.163143-1-jeffxu@google.com> <20221202013404.163143-2-jeffxu@google.com>
In-Reply-To: <20221202013404.163143-2-jeffxu@google.com>

On Fri, Dec 02, 2022 at 01:33:59AM +0000, jeffxu@chromium.org wrote:
> From: Daniel Verkamp > > The new F_SEAL_EXEC flag will prevent modification of the exec bits: > written as traditional octal mask, 0111, or as named flags, S_IXUSR | > S_IXGRP | S_IXOTH. Any chmod(2) or similar call that attempts to modify > any of these bits after the seal is applied will fail with errno EPERM. > > This will preserve the execute bits as they are at the time of sealing, > so the memfd will become either permanently executable or permanently > un-executable. > > Co-developed-by: Jeff Xu > Signed-off-by: Jeff Xu > Signed-off-by: Daniel Verkamp > --- > include/uapi/linux/fcntl.h | 1 + > mm/memfd.c | 2 ++ > mm/shmem.c | 6 ++++++ > 3 files changed, 9 insertions(+) > > diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h > index 2f86b2ad6d7e..e8c07da58c9f 100644 > --- a/include/uapi/linux/fcntl.h > +++ b/include/uapi/linux/fcntl.h > @@ -43,6 +43,7 @@ > #define F_SEAL_GROW 0x0004 /* prevent file from growing */ > #define F_SEAL_WRITE 0x0008 /* prevent writes */ > #define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */ > +#define F_SEAL_EXEC 0x0020 /* prevent chmod modifying exec bits */ > /* (1U << 31) is reserved for signed error codes */ > > /* > diff --git a/mm/memfd.c b/mm/memfd.c > index 08f5f8304746..4ebeab94aa74 100644 > --- a/mm/memfd.c > +++ b/mm/memfd.c > @@ -147,6 +147,7 @@ static unsigned int *memfd_file_seals_ptr(struct file *file) > } > > #define F_ALL_SEALS (F_SEAL_SEAL | \ > + F_SEAL_EXEC | \ > F_SEAL_SHRINK | \ > F_SEAL_GROW | \ > F_SEAL_WRITE | \ > @@ -175,6 +176,7 @@ static int memfd_add_seals(struct file *file, unsigned int seals) > * SEAL_SHRINK: Prevent the file from shrinking > * SEAL_GROW: Prevent the file from growing > * SEAL_WRITE: Prevent write access to the file > + * SEAL_EXEC: Prevent modification of the exec bits in the file mode > * > * As we don't require any trust relationship between two parties, we > * must prevent seals from being removed. Therefore, sealing a file 
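Review bot: adding F_SEAL_EXEC to F_ALL_SEALS lets memfd_add_seals accept the seal on any memfd, but the diffstat shows the only enforcement is the new check in mm/shmem.c; memfd_file_seals_ptr (the function named in this hunk's header) also serves hugetlbfs-backed memfds created with MFD_HUGETLB, whose setattr path this series does not touch, so the seal could be set on such a file without ever being enforced. Either reject F_SEAL_EXEC for non-shmem files in memfd_add_seals or add the matching mode check to hugetlbfs's setattr. The new "SEAL_EXEC: Prevent modification of the exec bits in the file mode" comment line reads fine; since the 0x0020 bit is new UAPI, a matching note in the memfd_create(2)/fcntl(2) man pages and a selftest would belong in follow-up patches, as neither appears in the three files changed here.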
> diff --git a/mm/shmem.c b/mm/shmem.c > index c1d8b8a1aa3b..e18a9cf9d937 100644 > --- a/mm/shmem.c > +++ b/mm/shmem.c > @@ -1085,6 +1085,12 @@ static int shmem_setattr(struct user_namespace *mnt_userns, > if (error) > return error; > > + if ((info->seals & F_SEAL_EXEC) && (attr->ia_valid & ATTR_MODE)) { > + if ((inode->i_mode ^ attr->ia_mode) & 0111) { > + return -EPERM; > + } > + } > + > if (S_ISREG(inode->i_mode) && (attr->ia_valid & ATTR_SIZE)) { > loff_t oldsize = inode->i_size; > loff_t newsize = attr->ia_size; > -- > 2.39.0.rc0.267.gcb52ba06e7-goog > This looks sensible to me! Reviewed-by: Kees Cook -- Kees Cook
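Review bot: in the shmem_setattr hunk the inner `if ((inode->i_mode ^ attr->ia_mode) & 0111)` wraps a single `return -EPERM;` in braces, which kernel coding style (and checkpatch) flags; fold the two conditions into one `if` and consider spelling the mask as S_IXUGO rather than bare 0111, since the commit message already describes it as S_IXUSR | S_IXGRP | S_IXOTH. The XOR-then-mask test itself is right for the stated semantics: a chmod that leaves all three exec bits unchanged still succeeds, and only a change to any of them is refused with EPERM, matching the "preserve the execute bits as they are at the time of sealing" wording. Placing the check after the `if (error) return error;` from setattr_prepare and before the ATTR_SIZE handling means ownership and permission checks still run first, which is the order a caller would expect.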
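A userspace check of the behaviour the commit message describes, added here as an example; it is not code from the patch or from anyone in the thread. It assumes a kernel with this patch applied and, for libc headers that predate it, defines F_SEAL_EXEC to the 0x0020 value from the fcntl.h hunk. The memfd name `exec-seal-probe`, the `probe_exec_seal` helper and the result codes are constructed for this example. It also covers the edge case of a kernel without the seal, which rejects F_ADD_SEALS with EINVAL rather than silently accepting a seal it cannot enforce, and it treats "seal accepted but exec bits still changeable" as the failure a defender would want to catch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Value from the patch's include/uapi/linux/fcntl.h hunk; older headers lack it. */
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif
/* Sealing must be allowed at creation time or F_ADD_SEALS fails with EPERM. */
#ifndef MFD_ALLOW_SEALING
#define MFD_ALLOW_SEALING 0x0002U
#endif

/* Constructed result codes for this example. */
enum exec_seal_result {
    EXEC_SEAL_ENFORCED = 1,    /* seal accepted; exec-bit chmod refused with EPERM */
    EXEC_SEAL_UNSUPPORTED = 0, /* kernel rejected the seal value itself (EINVAL) */
    EXEC_SEAL_BROKEN = -1,     /* seal accepted but exec bits could still be changed */
    EXEC_SEAL_ERROR = -2,      /* setup failure unrelated to sealing */
};

/* Raw syscall so the example builds against a libc without a memfd_create() wrapper. */
static int make_memfd(const char *name, unsigned int flags)
{
    return (int)syscall(SYS_memfd_create, name, flags);
}

/* Probe whether F_SEAL_EXEC is enforced on this kernel: seal a fresh memfd with
 * no exec bits set, then confirm that a chmod touching the exec bits fails while
 * a chmod that leaves them alone still succeeds. */
int probe_exec_seal(void)
{
    int result = EXEC_SEAL_ERROR;
    int fd = make_memfd("exec-seal-probe", MFD_ALLOW_SEALING);
    if (fd < 0)
        return EXEC_SEAL_ERROR;

    /* memfds start out 0777; drop to 0600 so the seal freezes "not executable". */
    if (fchmod(fd, 0600) < 0)
        goto out;

    if (fcntl(fd, F_ADD_SEALS, F_SEAL_EXEC) < 0) {
        /* EINVAL means the running kernel does not know this seal bit. */
        result = (errno == EINVAL) ? EXEC_SEAL_UNSUPPORTED : EXEC_SEAL_ERROR;
        goto out;
    }

    /* 0600 -> 0700 flips S_IXUSR: the sealed inode must refuse it with EPERM. */
    if (fchmod(fd, 0700) == 0 || errno != EPERM) {
        result = EXEC_SEAL_BROKEN;
        goto out;
    }

    /* 0600 -> 0640 leaves all three exec bits unchanged: must still succeed. */
    if (fchmod(fd, 0640) < 0) {
        result = EXEC_SEAL_BROKEN; /* stricter than the patch describes */
        goto out;
    }

    struct stat st;
    if (fstat(fd, &st) < 0)
        goto out;
    result = ((st.st_mode & 0777) == 0640) ? EXEC_SEAL_ENFORCED : EXEC_SEAL_BROKEN;

out:
    close(fd);
    return result;
}

int main(void)
{
    static const char *const names[] = {
        [EXEC_SEAL_UNSUPPORTED] = "unsupported (F_ADD_SEALS returned EINVAL)",
        [EXEC_SEAL_ENFORCED] = "enforced (exec-bit chmod refused with EPERM)",
    };
    int r = probe_exec_seal();
    if (r >= 0)
        printf("F_SEAL_EXEC: %s\n", names[r]);
    else
        printf("F_SEAL_EXEC: %s\n", r == EXEC_SEAL_BROKEN ? "accepted but NOT enforced"
                                                           : "probe failed during setup");
    return r < 0 ? 1 : 0;
}
```

The probe starts by clearing the exec bits before sealing because a memfd is created with mode 0777; sealing first would freeze it as permanently executable, which is the opposite of what a sandbox loader usually wants. A result of EXEC_SEAL_BROKEN is the interesting one for a defender: it means the kernel handed back a seal it does not honour.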