From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 79032C433EF
	for <linux-mm@archiver.kernel.org>; Thu, 21 Apr 2022 16:48:33 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id F0C156B0085; Thu, 21 Apr 2022 12:48:32 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id EB7DA6B0087; Thu, 21 Apr 2022 12:48:32 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id D80756B0088; Thu, 21 Apr 2022 12:48:32 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.25])
	by kanga.kvack.org (Postfix) with ESMTP id C89E06B0085
	for <linux-mm@kvack.org>; Thu, 21 Apr 2022 12:48:32 -0400 (EDT)
Received: from smtpin04.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay06.hostedemail.com (Postfix) with ESMTP id A3772278E1
	for <linux-mm@kvack.org>; Thu, 21 Apr 2022 16:48:32 +0000 (UTC)
X-FDA: 79381469664.04.DAA2D85
Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42])
	by imf11.hostedemail.com (Postfix) with ESMTP id 551F24002C
	for <linux-mm@kvack.org>; Thu, 21 Apr 2022 16:48:30 +0000 (UTC)
Received: by mail-lf1-f42.google.com with SMTP id h3so5031981lfu.8
        for <linux-mm@kvack.org>; Thu, 21 Apr 2022 09:48:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=message-id:date:mime-version:user-agent:subject:content-language:to
         :cc:references:from:in-reply-to:content-transfer-encoding;
        bh=H01S+Z7PoKhXtthwBx3mI1VVb20IHa0ThHfpXV2OsWk=;
        b=Te5bNS7bK0yTicPlwPilL/FHzAHcCqm56DhGAmSHJVeyNBi761kWJGIb9kl8TOYuck
         BiTT/cBsA/F5VgqiWxOJFnnaOZHoAT4gI5awBPaMEgiyrEJmcMFoF8VPBkGOxFB/SDy4
         qqeDtPW45B92jzLhCXjMqi+0O7pfeh81IUjPs6/oytjFCbtCGr735rxBqlAvms8VYNT0
         Jvb9G02yo002YknsCfyrj5wNC6z46s/QYuddL1MP5fcS9CizCQNamFZpPEZ8NcHpIzT4
         CTDjLKjMhaRGxDTW8Gn5MvVYUXGQN4Ptv7zh47AOnsIAKcNf/WhNZKku9l22WYc3adFD
         kr+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:message-id:date:mime-version:user-agent:subject
         :content-language:to:cc:references:from:in-reply-to
         :content-transfer-encoding;
        bh=H01S+Z7PoKhXtthwBx3mI1VVb20IHa0ThHfpXV2OsWk=;
        b=XHSZ4oblCLZzsQdLOH2G/qPBB5RY/gnotPDdPhpWDONVHC/rlT/E/1cHDY4KAAGYTc
         oaXHyiRT9qvWOVhWVlmncdiqsE7mkCRKDSQP09w4dApd4wO68yYSRK8RmO58+yFC1EQz
         wK2Wwpo80kA2rVobPlvE+7hzHV3cloP6zftIL8gu/2UOyPJVTOvvj/7Iqo/6Yry4RRMF
         swsqOHaoD6WWwvW1IxKsEUOG2l24S9hruQuQT4+yuxW1m50B8+G4cvKYL4vmgmRaI5iI
         QMhXW8jn2/TGhc31CG9nsYIEWeZPmDxz0rM0PFAJ3vOCeX6D0blOZWO0iwB+F4csuuuc
         I74w==
X-Gm-Message-State: AOAM531aWDZKv0+mISeiYeQHw73B22LP7HTjkKyv0THiUiL0qAvU+6Lh
	nD6plOx5UZCaj03tv9/6FS8=
X-Google-Smtp-Source: ABdhPJw+VLfbypfCSe9stpbubNdMGXl9HD4DhVxLcd/U9wA78sssgaQaPBzfy770WHdBH+UXBFl2ag==
X-Received: by 2002:a05:6512:151f:b0:44a:2508:1d01 with SMTP id bq31-20020a056512151f00b0044a25081d01mr228077lfb.675.1650559710555;
        Thu, 21 Apr 2022 09:48:30 -0700 (PDT)
Received: from [192.168.1.38] (91-159-150-194.elisa-laajakaista.fi. [91.159.150.194])
        by smtp.gmail.com with ESMTPSA id q64-20020a2e2a43000000b0024ee56ec2bbsm310284ljq.3.2022.04.21.09.48.29
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 21 Apr 2022 09:48:29 -0700 (PDT)
Message-ID: <400be309-ef3f-4175-594d-7dc45a43dc36@gmail.com>
Date: Thu, 21 Apr 2022 19:48:27 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.8.0
Subject: Re: [PATCH RFC 0/4] mm, arm64: In-kernel support for
 memory-deny-write-execute (MDWE)
Content-Language: en-US
To: Catalin Marinas <catalin.marinas@arm.com>,
 Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
 Christoph Hellwig <hch@infradead.org>,
 Lennart Poettering <lennart@poettering.net>,
 =?UTF-8?Q?Zbigniew_J=c4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>,
 Will Deacon <will@kernel.org>, Alexander Viro <viro@zeniv.linux.org.uk>,
 Eric Biederman <ebiederm@xmission.com>, Szabolcs Nagy
 <szabolcs.nagy@arm.com>, Mark Brown <broonie@kernel.org>,
 Jeremy Linton <jeremy.linton@arm.com>, linux-mm@kvack.org,
 linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
 linux-abi-devel@lists.sourceforge.net, linux-hardening@vger.kernel.org,
 Jann Horn <jannh@google.com>, Salvatore Mesoraca <s.mesoraca16@gmail.com>,
 Igor Zhbanov <izh1979@gmail.com>
References: <20220413134946.2732468-1-catalin.marinas@arm.com>
 <202204141028.0482B08@keescook> <YmAEDsGtxhim46UI@arm.com>
 <c62170c6-5993-2417-4143-5a37a98b227c@gmail.com>
 <202204201610.093C9D5FE8@keescook> <YmF5s4KqT5WL4O0G@arm.com>
From: Topi Miettinen <toiwoton@gmail.com>
In-Reply-To: <YmF5s4KqT5WL4O0G@arm.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Stat-Signature: axkxke4ek6xba8fon1yd3ohr4d3wzkzx
X-Rspam-User: 
Authentication-Results: imf11.hostedemail.com;
	dkim=pass header.d=gmail.com header.s=20210112 header.b=Te5bNS7b;
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (imf11.hostedemail.com: domain of toiwoton@gmail.com designates 209.85.167.42 as permitted sender) smtp.mailfrom=toiwoton@gmail.com
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: 551F24002C
X-HE-Tag: 1650559710-729777
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On 21.4.2022 18.35, Catalin Marinas wrote:
> On Wed, Apr 20, 2022 at 04:21:45PM -0700, Kees Cook wrote:
>> On Wed, Apr 20, 2022 at 10:34:33PM +0300, Topi Miettinen wrote:
>>> For systemd, feature compatibility with the BPF version is important so that
>>> we could automatically switch to the kernel version once available without
>>> regressions. So I think PR_MDWX_MMAP (or maybe PR_MDWX_COMPAT) should match
>>> exactly what MemoryDenyWriteExecute=yes as implemented with BPF has: only
>>> forbid mmap(PROT_EXEC|PROT_WRITE) and mprotect(PROT_EXEC). Like BPF, once
>>> installed there should be no way to escape and ELF flags should be also
>>> ignored. ARM BTI should be allowed though (allow PROT_EXEC|PROT_BTI if the
>>> old flags had PROT_EXEC).
> 
> I agree.
> 
>>> Then we could have improved versions (other PR_MDWX_ prctls) with lots more
>>> checks. This could be enabled with MemoryDenyWriteExecute=strict or so.
>>>
>>> Perhaps also more relaxed versions (like SARA) could be interesting (system
>>> service running Python with FFI, or perhaps JVM etc), enabled with for
>>> example MemoryDenyWriteExecute=trampolines. That way even those programs
>>> would get some protection (though there would be a gap in the defences).
>>
>> Yup, I think we're all on the same page. Catalin, can you respin with a
>> prctl for enabling MDWE? I propose just:
>>
>> 	prctl(PR_MDWX_SET, flags);
>> 	prctl(PR_MDWX_GET);
>>
>> 	PR_MDWX_FLAG_MMAP
>> 		disallows PROT_EXEC on any VMA that is or was PROT_WRITE,
>> 		covering at least: mmap, mprotect, pkey_mprotect, and shmat.
> 
> Do we want the "was PROT_WRITE" or we just reject mprotect(PROT_EXEC) if
> the vma is not already PROT_EXEC? The latter is closer to the current
> systemd approach. The former allows an mprotect(PROT_EXEC) if the
> mapping was PROT_READ only for example.
> 
> I'd drop the "was PROT_WRITE" for now if the aim is a drop-in
> replacement for BPF MDWE.
> 

I think we'd want existing installations with MemoryDenyWriteExecute=yes 
not start failing when the implementation is changed to in-kernel 
version. The implementation could be very simple and not even check 
existing PROT_ flags (except for BTI case) to be maximally compatible to 
BPF version. So I'd leave "was PROT_WRITE" and other checks to more 
advanced versions, enabled with a different PR_MDWX_FLAG_.

-Topi