From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 66BB2C4332F
	for <linux-mm@archiver.kernel.org>; Wed, 14 Dec 2022 18:54:46 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 88B988E0003; Wed, 14 Dec 2022 13:54:45 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 815078E0002; Wed, 14 Dec 2022 13:54:45 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 68F468E0003; Wed, 14 Dec 2022 13:54:45 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11])
	by kanga.kvack.org (Postfix) with ESMTP id 557648E0002
	for <linux-mm@kvack.org>; Wed, 14 Dec 2022 13:54:45 -0500 (EST)
Received: from smtpin01.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay10.hostedemail.com (Postfix) with ESMTP id 2781BC0DA9
	for <linux-mm@kvack.org>; Wed, 14 Dec 2022 18:54:45 +0000 (UTC)
X-FDA: 80241813330.01.6014E27
Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182])
	by imf26.hostedemail.com (Postfix) with ESMTP id 59CB2140005
	for <linux-mm@kvack.org>; Wed, 14 Dec 2022 18:54:43 +0000 (UTC)
Authentication-Results: imf26.hostedemail.com;
	dkim=pass header.d=chromium.org header.s=google header.b=ljRXDQoz;
	spf=pass (imf26.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.182 as permitted sender) smtp.mailfrom=keescook@chromium.org;
	dmarc=pass (policy=none) header.from=chromium.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1671044083;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=o2e1a6vpAxQHzaMqe1Zz1YgsBuyNkLZSUPq8vet5Q+E=;
	b=CLgJwHJrEUKgDwk9zlXaUjrAJsJGJ8qbiTinaMbUCb74XRrmQzVa7WW2YGvoxXAsxdN1k/
	07ZB8hEdvh0PpekJSF1SKPakyWTHf159OkTZiBi4sjNcTdjYG5t9HM9XDX5y+9D5Tt2igt
	griuY2Q68rl4NnpbMPBOui6TWw9Zkio=
ARC-Authentication-Results: i=1;
	imf26.hostedemail.com;
	dkim=pass header.d=chromium.org header.s=google header.b=ljRXDQoz;
	spf=pass (imf26.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.182 as permitted sender) smtp.mailfrom=keescook@chromium.org;
	dmarc=pass (policy=none) header.from=chromium.org
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1671044083; a=rsa-sha256;
	cv=none;
	b=W0/rKRrVgeCyGpQTUOT5lg84U83SZ1GFNizPsbXtuxK5/+OscUHAUoTBx4dMZzPDVbKgem
	s9KzpYE3kWT5A6aIZ+NsX1Q0zqtMn+21OIvXDee1F2vq8AjvoKKAHkqcXjsSsP2BwWnq/9
	wvgaUxAY/HWKht2asIceq64vUtOhVUc=
Received: by mail-pl1-f182.google.com with SMTP id 4so4326890plj.3
        for <linux-mm@kvack.org>; Wed, 14 Dec 2022 10:54:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=in-reply-to:content-transfer-encoding:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date:from:to
         :cc:subject:date:message-id:reply-to;
        bh=o2e1a6vpAxQHzaMqe1Zz1YgsBuyNkLZSUPq8vet5Q+E=;
        b=ljRXDQoz8d06UpaHKC+SuGt8xrjQEfQSizAAs+M7Oa0UFCOyc+ZVFVtSu/m47RyC0P
         WJux7UP4wXmjSPCsUwuDwIDa9H/CfAsZyqgqoA57G2Fm50pMq3dHqVuXQUKJBj9giDuO
         9zDWG2mb8TECeq3VFaiiXxcz6/WlWRjsZr/D8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=in-reply-to:content-transfer-encoding:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=o2e1a6vpAxQHzaMqe1Zz1YgsBuyNkLZSUPq8vet5Q+E=;
        b=1UkkwRWSR/+ivXHHXBiin7/FYvgWYh7b9TCB0+UvSRXYUuxq5sEU+boEya83Kv51Xb
         6DdyINkNQCJsvcVCIYZtOdfVh08JXSrFS9DoRn88wOfjiWnvpENssNeHVbdvtMd42tgP
         QhdWcky1c18zzKCFdpoFoVaGQQBqqv0SSf9TIP5Bc02UiHTPEXzn7jmG9FWkzHYc090Z
         GsR0rTvx/tXWF25OnZga5vLBG0O/U9qNTtcjPC8LS64BdN/+/DL8yCOPm9NxzfZtA443
         6uHVdfsxdOwUxu0Q500kOEfkmLQQ+s9OpMAs6PUBIHiG7iy3Tg/ObI8en5Dod5G/gwvB
         a72Q==
X-Gm-Message-State: ANoB5pk4wyvCjYOiSBAxnwqsIFVimt4FcOLpRUBOVgjHV6xuiJVTXptJ
	bcS21qIBfKj+NWHHg1g/J9jjEw==
X-Google-Smtp-Source: AA0mqf5EzxQYQAX02yhiiZgN1ZRrh5wT7FRtFv9+LhYZc4owjG2hoCS8v2lD4r8dZcTHO5Rdw9SJhw==
X-Received: by 2002:a17:90a:6506:b0:214:222:6ed3 with SMTP id i6-20020a17090a650600b0021402226ed3mr27015223pjj.43.1671044082079;
        Wed, 14 Dec 2022 10:54:42 -0800 (PST)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id k7-20020a17090a9d8700b00218f9bd50c7sm1710962pjp.50.2022.12.14.10.54.41
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 14 Dec 2022 10:54:41 -0800 (PST)
Date: Wed, 14 Dec 2022 10:54:40 -0800
From: Kees Cook <keescook@chromium.org>
To: jeffxu@chromium.org
Cc: skhan@linuxfoundation.org, akpm@linux-foundation.org,
	dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com,
	jeffxu@google.com, jorgelo@chromium.org,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
	linux-mm@kvack.org, jannh@google.com,
	linux-hardening@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH v7 0/6] mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC
Message-ID: <202212141053.7F5D1F6@keescook>
References: <20221209160453.3246150-1-jeffxu@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20221209160453.3246150-1-jeffxu@google.com>
X-Stat-Signature: kyqykr7aq4pwxbihy9tg8yk1tb9ptgeo
X-Rspam-User: 
X-Rspamd-Queue-Id: 59CB2140005
X-Rspamd-Server: rspam06
X-HE-Tag: 1671044083-888245
X-HE-Meta: U2FsdGVkX19oaMCnrotZ9zn5nCDqyPyxWwhQmBMPaYitvC9ajNEF2YXBVoEYwWHPmh7bQRnvbpC+JNFRJ9S46J5YXcWI2tcK5zJXQF6iNa7TYd6YJ4+X1ahjvj6UaGj0l///Gt7Uunk+QDk50bJzt6WUWE//YP78HUn9adk/Bebb/mrrCKySei6qta/Sr9NOYcu5XdGYiH2exTRaxvpPS2MYhdCDUl5KpPOzcCRVLhWZGDA/SdcibWhn+zNxw1xOHW23VP7p0pkbX/ia5h+ISDmuwO912UA+l8v/qi201lGow/KJWkRiSZx7yCYZCad7nBC5fqdfAVg/FnZBX+jYDeK6/oEXOEkgohqFJTCAi0ALTCSWosNqAJfXmxoxCILZ2uJMqydqU4RGwZ47icAcdF8UcjmUM1sheJdFQFKLoC6vsOxYMF9JFvdJjQavkpABVACBLkFO9cN+UUPt5DBsq6P2PMERnshNqZUpqGMaeiWmYWVxVC5fw61wdLcTLHZVEecMQgsccEs83mVnFutKgjLRM6awjrdo4MWDLAfVgl07sf5pYo+NS2LhqapE/MdMlPOz8VR46C9vLNzvWOAKHumRJmKkwctaTGFm+81ltWNZL3QLt6r19XOKz4w1Miw+nvhkkAc/cvHLrt6u2vhLkLvRc3suggH/PG3oHqlmUjv+8lWyc94JwLKrMAvfm43N76Lt+2aQrK37ncAiEJeGYnODxb4SHkBy61BxA1MtKKOnoshIETidl6LLv3ZSXZSxbFrh7oZXbT0d/++RkJApA6BEtmbF9sjmXwG/v2Iy++LDkavgkoi6lF7/93HH9vTuNEYCFRAo1ht01XY4hfQqXhI56Q4FtlECkUGluTMuSzz+FXjwIgCwJMVzPfT9nR92p9o2PgjNBy+X4N/L/HkuG+1fBxMarXpqYlpucTOE1aCvFdseWTa66Fhoap1MAUJS7bUNkaHgcnEPEhSH5hJ
 FOBm3YBs
 L3ZdSp940uzqjWc+Mc1F6lzFuDIP6fbI87Ss3QSdsRiX6ZEP+Saxr3iUW0IBbwt+iK3LmMpw5eKuyJ2Ahuojb/KLXbIZrvrX2q7mzptSOE0CvT+CiGGNXe1V65ccJb7KURAfgrnquWfWIw9j2zPSKjLE1wamaUx/rV3CUgnggx2qRqkeu+VGjDNSRCKZ+9qIbmaWAuXTqdrlj6aymheGU08E9wQ==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Fri, Dec 09, 2022 at 04:04:47PM +0000, jeffxu@chromium.org wrote:
> From: Jeff Xu <jeffxu@google.com>
> 
> Since Linux introduced the memfd feature, memfd have always had their
> execute bit set, and the memfd_create() syscall doesn't allow setting
> it differently.
> 
> However, in a secure by default system, such as ChromeOS, (where all
> executables should come from the rootfs, which is protected by Verified
> boot), this executable nature of memfd opens a door for NoExec bypass
> and enables “confused deputy attack”.  E.g, in VRP bug [1]: cros_vm
> process created a memfd to share the content with an external process,
> however the memfd is overwritten and used for executing arbitrary code
> and root escalation. [2] lists more VRP in this kind.
> 
> On the other hand, executable memfd has its legit use, runc uses memfd’s
> seal and executable feature to copy the contents of the binary then
> execute them, for such system, we need a solution to differentiate runc's
> use of  executable memfds and an attacker's [3].
> 
> To address those above, this set of patches add following:
> 1> Let memfd_create() set X bit at creation time.
> 2> Let memfd to be sealed for modifying X bit.
> 3> A new pid namespace sysctl: vm.memfd_noexec to control the behavior of
>    X bit.For example, if a container has vm.memfd_noexec=2, then
>    memfd_create() without MFD_NOEXEC_SEAL will be rejected.
> 4> A new security hook in memfd_create(). This make it possible to a new
> LSM, which rejects or allows executable memfd based on its security policy.

I think patch 1-5 look good to land. The LSM hook seems separable, and
could continue on its own. Thoughts?

(Which tree should memfd change go through?)

-Kees

-- 
Kees Cook