From: Florent Revest
To: linux-kernel@vger.kernel.org, linux-mm@kvack.org
Cc: akpm@linux-foundation.org, catalin.marinas@arm.com, anshuman.khandual@arm.com, joey.gouly@arm.com, mhocko@suse.com, keescook@chromium.org, david@redhat.com, peterx@redhat.com, izbyshev@ispras.ru, broonie@kernel.org, szabolcs.nagy@arm.com, kpsingh@kernel.org, gthelen@google.com, toiwoton@gmail.com, Florent Revest
Subject: [PATCH v2 4/5] mm: Add a NO_INHERIT flag to the PR_SET_MDWE prctl
Date: Wed, 17 May 2023 17:03:20 +0200
Message-ID: <20230517150321.2890206-5-revest@chromium.org>
In-Reply-To: <20230517150321.2890206-1-revest@chromium.org>
References: <20230517150321.2890206-1-revest@chromium.org>

This extends the current PR_SET_MDWE prctl arg with a bit to indicate that the process doesn't want MDWE protection to propagate to children.

To implement this no-inherit mode, the tag in current->mm->flags must be absent from MMF_INIT_MASK. This means that the encoding for "MDWE but without inherit" is different in the prctl than in the mm flags. This leads to a bit of bit-mangling in the prctl implementation.

Signed-off-by: Florent Revest
--- include/linux/sched/coredump.h | 10 ++++++++++ include/uapi/linux/prctl.h | 1 + kernel/fork.c | 2 +- kernel/sys.c | 24 +++++++++++++++++++++--- tools/include/uapi/linux/prctl.h | 1 + 5 files changed, 34 insertions(+), 4 deletions(-) diff --git a/include/linux/sched/coredump.h b/include/linux/sched/coredump.h index 0ee96ea7a0e9..11f5e3dacb4e 100644 --- a/include/linux/sched/coredump.h +++ b/include/linux/sched/coredump.h @@ -91,4 +91,14 @@ static inline int get_dumpable(struct mm_struct *mm) MMF_DISABLE_THP_MASK | MMF_HAS_MDWE_MASK) #define MMF_VM_MERGE_ANY 29 +#define MMF_HAS_MDWE_NO_INHERIT 30 + +#define MMF_INIT_FLAGS(flags) ({ \ + unsigned long new_flags = flags; \ + if (new_flags & (1UL << MMF_HAS_MDWE_NO_INHERIT)) \ + new_flags &= ~((1UL << MMF_HAS_MDWE) | \ + (1UL << MMF_HAS_MDWE_NO_INHERIT)); \ + new_flags & MMF_INIT_MASK; \ +}) + #endif /* _LINUX_SCHED_COREDUMP_H */ 
diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h index 6e9af6cbc950..dacbe824e7c3 100644 --- a/include/uapi/linux/prctl.h +++ b/include/uapi/linux/prctl.h @@ -284,6 +284,7 @@ struct prctl_mm_map { /* Memory deny write / execute */ #define PR_SET_MDWE 65 # define PR_MDWE_REFUSE_EXEC_GAIN (1UL << 0) +# define PR_MDWE_NO_INHERIT (1UL << 1) #define PR_GET_MDWE 66 diff --git a/kernel/fork.c b/kernel/fork.c index d17995934eb4..62d52ad99937 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1284,7 +1284,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p, hugetlb_count_init(mm); if (current->mm) { - mm->flags = current->mm->flags & MMF_INIT_MASK; + mm->flags = MMF_INIT_FLAGS(current->mm->flags); mm->def_flags = current->mm->def_flags & VM_INIT_DEF_MASK; } else { mm->flags = default_dump_filter; diff --git a/kernel/sys.c b/kernel/sys.c index 339fee3eff6a..320eae3b12ab 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2368,9 +2368,25 @@ static inline int prctl_set_mdwe(unsigned long bits, unsigned long arg3, if (arg3 || arg4 || arg5) return -EINVAL; - if (bits & ~(PR_MDWE_REFUSE_EXEC_GAIN)) + if (bits & ~(PR_MDWE_REFUSE_EXEC_GAIN | PR_MDWE_NO_INHERIT)) return -EINVAL; + /* NO_INHERIT only makes sense with REFUSE_EXEC_GAIN */ + if (bits & PR_MDWE_NO_INHERIT && !(bits & PR_MDWE_REFUSE_EXEC_GAIN)) + return -EINVAL; + + /* Can't gain NO_INHERIT from !NO_INHERIT */ + if (bits & PR_MDWE_NO_INHERIT && + test_bit(MMF_HAS_MDWE, ¤t->mm->flags) && + !test_bit(MMF_HAS_MDWE_NO_INHERIT, ¤t->mm->flags)) + return -EPERM; + + if (bits & PR_MDWE_NO_INHERIT) + set_bit(MMF_HAS_MDWE_NO_INHERIT, ¤t->mm->flags); + else if (test_bit(MMF_HAS_MDWE_NO_INHERIT, ¤t->mm->flags) + && !(bits & PR_MDWE_REFUSE_EXEC_GAIN)) + return -EPERM; /* Cannot unset the flag */ + if (bits & PR_MDWE_REFUSE_EXEC_GAIN) set_bit(MMF_HAS_MDWE, ¤t->mm->flags); else if (test_bit(MMF_HAS_MDWE, ¤t->mm->flags)) 
@@ -2385,8 +2401,10 @@ static inline int prctl_get_mdwe(unsigned long arg2, unsigned long arg3, if (arg2 || arg3 || arg4 || arg5) return -EINVAL; - return test_bit(MMF_HAS_MDWE, ¤t->mm->flags) ? - PR_MDWE_REFUSE_EXEC_GAIN : 0; + return (test_bit(MMF_HAS_MDWE, ¤t->mm->flags) ? + PR_MDWE_REFUSE_EXEC_GAIN : 0) | + (test_bit(MMF_HAS_MDWE_NO_INHERIT, ¤t->mm->flags) ? + PR_MDWE_NO_INHERIT : 0); } static int prctl_get_auxv(void __user *addr, unsigned long len) diff --git a/tools/include/uapi/linux/prctl.h b/tools/include/uapi/linux/prctl.h index 6e6563e97fef..f7448d99520c 100644 --- a/tools/include/uapi/linux/prctl.h +++ b/tools/include/uapi/linux/prctl.h @@ -284,6 +284,7 @@ struct prctl_mm_map { /* Memory deny write / execute */ #define PR_SET_MDWE 65 # define PR_MDWE_REFUSE_EXEC_GAIN (1UL << 0) +# define PR_MDWE_NO_INHERIT (1UL << 1) #define PR_GET_MDWE 66 -- 2.40.1.606.ga4b1b128d6-goog
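
Review bot: In the include/linux/sched/coredump.h hunk, MMF_INIT_FLAGS() is a statement-expression macro that declares a local named new_flags and initialises it from the unparenthesised argument, so a caller that passes a variable also called new_flags would expand to "unsigned long new_flags = new_flags;" and read an uninitialised value. A static inline function taking and returning unsigned long avoids the shadowing and gets type checking. It also deserves a short comment saying why MMF_HAS_MDWE is dropped when MMF_HAS_MDWE_NO_INHERIT is set. The explicit clear of bit 30 looks redundant if, as the commit message says, that bit is absent from MMF_INIT_MASK, because the final "& MMF_INIT_MASK" removes it anyway.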
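
Review bot: PR_MDWE_NO_INHERIT is added to include/uapi/linux/prctl.h (and the tools/ copy) without any comment, while the rules userspace has to follow are only visible in kernel/sys.c: the bit is rejected with -EINVAL unless PR_MDWE_REFUSE_EXEC_GAIN is also passed, and with -EPERM when MDWE is already set without it. Please add a one-line comment next to the define stating that it is only valid together with PR_MDWE_REFUSE_EXEC_GAIN and that it stops the protection from propagating to children.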
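
Review bot: In the prctl_set_mdwe() hunk, a task that already has both MMF_HAS_MDWE and MMF_HAS_MDWE_NO_INHERIT and calls PR_SET_MDWE with only PR_MDWE_REFUSE_EXEC_GAIN is not rejected and is not changed either. It skips the "if (bits & PR_MDWE_NO_INHERIT)" branch, the "else if" is false because REFUSE_EXEC_GAIN is set, and the code falls through to set_bit(MMF_HAS_MDWE, ...). Nothing in the visible lines clears MMF_HAS_MDWE_NO_INHERIT, so a caller asking for the stricter, inheritable mode keeps the no-inherit bit and its children still start without MDWE. Either clear the bit on that path or, simpler, compute the current prctl-encoded state once and return -EPERM whenever it is non-zero and differs from bits. Separately, the mixed conditions such as "bits & PR_MDWE_NO_INHERIT && !(bits & PR_MDWE_REFUSE_EXEC_GAIN)" rely on & binding tighter than &&; parenthesising the bit tests would make that explicit.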
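
Review bot: In the prctl_get_mdwe() hunk, the return value is two ternaries OR'd together across four lines, which is hard to scan and duplicates the mm-flags to prctl-bits translation that prctl_set_mdwe() also needs for its checks. A small helper that builds the mask in a local (test MMF_HAS_MDWE, then MMF_HAS_MDWE_NO_INHERIT, OR in the matching PR_MDWE_* bit) could be returned here and reused on the set side, keeping the two encodings mentioned in the commit message translated in one place.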