From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 456E0C433F5 for ; Thu, 21 Apr 2022 17:37:56 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id BC44C6B0072; Thu, 21 Apr 2022 13:37:55 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id B4B756B0073; Thu, 21 Apr 2022 13:37:55 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 99F1B6B0074; Thu, 21 Apr 2022 13:37:55 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (relay.a.hostedemail.com [64.99.140.24]) by kanga.kvack.org (Postfix) with ESMTP id 843AB6B0072 for ; Thu, 21 Apr 2022 13:37:55 -0400 (EDT) Received: from smtpin24.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay13.hostedemail.com (Postfix) with ESMTP id 49DE563249 for ; Thu, 21 Apr 2022 17:37:55 +0000 (UTC) X-FDA: 79381594110.24.D64B77C Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by imf05.hostedemail.com (Postfix) with ESMTP id 1DE5E100027 for ; Thu, 21 Apr 2022 17:37:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1650562674; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=gJtqXgs69cYrR+WSJE2g9NGmA1uvl7a9W1yVIpdtarU=; b=XNx56lRtrgpg2Lz/7jSgXhIknkb44tzhyfPk4wN81meeUJ4Z6iVT5NUDzdcNXrROiVcOOO VE4y5SvCiXgJ1sKUZBVgfotYO4VNnFpsVavNJE5Mz+MLaztfEZuvggYObv5yEUghsRPkA3 FP8cvbjuHWaNs69nFITDZp+1Mg2bOlg= Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-502-0xaJi1EJO--PxeNOJJpBJg-1; Thu, 21 Apr 2022 13:37:53 -0400 X-MC-Unique: 0xaJi1EJO--PxeNOJJpBJg-1 Received: by mail-wm1-f70.google.com with SMTP id d13-20020a05600c3acd00b0038ff865c043so4784062wms.3 for ; Thu, 21 Apr 2022 10:37:52 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent :content-language:to:cc:references:from:organization:subject :in-reply-to:content-transfer-encoding; bh=gJtqXgs69cYrR+WSJE2g9NGmA1uvl7a9W1yVIpdtarU=; b=bt9325/Je/85w0XfjQ4cqav6mbD/0A64idFwwWGoPTFa+F8KF/iTUs2dNo2KtC5ave DQBgjT3ISwD3JXDvSXVj5/5N5QWaD91wiRVa1GntAmOZH02r4CG0WPnSLysUpPBwBipr DKYu2B737jwH5pMRha/Onf599n8IyC9Vk86VGVNGvZ1EUCYDZXi1Sw/mVWygTG2qKFXl AkRhAcNqPs06FGMJebFlVyairtMFxWdBSYx5Ren0iB33WTamwGEM5WPgCQAUMENh4bvS 3YBTQWdQfv84Om0Z/LiOMc7ZNO8gTauiaYUfbypAGXv95ymF7+xqT8CYWfE6IrHbbtMK AEog== X-Gm-Message-State: AOAM53046Y+NTvJlvNkqYfbDNMiCZCaVypYLE59U43dH0mDnGs7bNpT0 jdXfRIuKloyEnltmv+VjJoCYl5XJzjh45AvPv60pqvbQbAEI/YIajPDrO3vCsk6K0kxFl0qad// KKPgH/ja6Oow= X-Received: by 2002:a05:600c:3b91:b0:38f:f29a:202f with SMTP id n17-20020a05600c3b9100b0038ff29a202fmr9677756wms.35.1650562671877; Thu, 21 Apr 2022 10:37:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzRR3MGVdZ12w25ZHZMtem5BkR2g58lERdRAzcALPv0sXI92H8B4EAID0P4nynJIicAXglaOw== X-Received: by 2002:a05:600c:3b91:b0:38f:f29a:202f with SMTP id n17-20020a05600c3b9100b0038ff29a202fmr9677732wms.35.1650562671575; Thu, 21 Apr 2022 10:37:51 -0700 (PDT) Received: from ?IPV6:2003:cb:c702:de00:711b:76af:b335:9b70? (p200300cbc702de00711b76afb3359b70.dip0.t-ipconnect.de. [2003:cb:c702:de00:711b:76af:b335:9b70]) by smtp.gmail.com with ESMTPSA id l14-20020adffe8e000000b00207af9cdd90sm2618386wrr.39.2022.04.21.10.37.49 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 21 Apr 2022 10:37:50 -0700 (PDT) Message-ID: <443d978a-7092-b5b1-22f3-ae3a997080ad@redhat.com> Date: Thu, 21 Apr 2022 19:37:49 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.6.2 To: Catalin Marinas , Andrew Morton , Christoph Hellwig , Lennart Poettering , =?UTF-8?Q?Zbigniew_J=c4=99drzejewski-Szmek?= Cc: Will Deacon , Alexander Viro , Eric Biederman , Kees Cook , Szabolcs Nagy , Mark Brown , Jeremy Linton , Topi Miettinen , linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-abi-devel@lists.sourceforge.net References: <20220413134946.2732468-1-catalin.marinas@arm.com> <20220413134946.2732468-3-catalin.marinas@arm.com> From: David Hildenbrand Organization: Red Hat Subject: Re: [PATCH RFC 2/4] mm, personality: Implement memory-deny-write-execute as a personality flag In-Reply-To: <20220413134946.2732468-3-catalin.marinas@arm.com> X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Rspamd-Server: rspam10 X-Rspamd-Queue-Id: 1DE5E100027 X-Stat-Signature: tfdqqg3eihtrp45jtr18r13czbedcrgi Authentication-Results: imf05.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=XNx56lRt; spf=none (imf05.hostedemail.com: domain of david@redhat.com has no SPF policy when checking 170.10.133.124) smtp.mailfrom=david@redhat.com; dmarc=pass (policy=none) header.from=redhat.com X-Rspam-User: X-HE-Tag: 1650562671-439897 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 13.04.22 15:49, Catalin Marinas wrote: > The aim of such policy is to prevent a user task from inadvertently > creating an executable mapping that is or was writeable (and > subsequently made read-only). > > An example of mmap() returning -EACCESS if the policy is enabled: > > mmap(0, size, PROT_READ | PROT_WRITE | PROT_EXEC, flags, 0, 0); > > Similarly, mprotect() would return -EACCESS below: > > addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0); > mprotect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC); > > With the past vma writeable permission tracking, mprotect() below would > also fail with -EACCESS: > > addr = mmap(0, size, PROT_READ | PROT_WRITE, flags, 0, 0); > mprotect(addr, size, PROT_READ | PROT_EXEC); > > While the above could be achieved by checking PROT_WRITE & PROT_EXEC on > mmap/mprotect and denying mprotect(PROT_EXEC) altogether (current > systemd MDWE approach via SECCOMP BPF filters), we want the following > scenario to succeed: > > addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0); > mprotect(addr, size, PROT_READ | PROT_EXEC | PROT_BTI); > > where PROT_BTI enables branch tracking identification on arm64. > > The choice for a DENY_WRITE_EXEC personality flag, inherited on fork() > and execve(), was made by analogy to READ_IMPLIES_EXEC. > > Note that it is sufficient to check for VM_WAS_WRITE in > map_deny_write_exec() as this flag is always set on VM_WRITE mappings. > > Signed-off-by: Catalin Marinas > Cc: Christoph Hellwig > Cc: Andrew Morton How does this interact with get_user_pages(FOLL_WRITE|FOLL_FORCE) on a VMA that is VM_MAYWRITE but not VM_WRITE? Is it handled accordingly? Note that in the (FOLL_WRITE|FOLL_FORCE) we only require VM_MAYWRITE on the vma and trigger a write fault. As the VMA is not VM_WRITE, we won't actually map the PTE writable, but set it dirty. GUP will retry, find a R/O pte that is dirty and where it knows that it broke COW and will allow the read access, although the PTE is R/O. That mechanism is required to e.g., set breakpoints in R/O MAP_PRIVATE kernel sections, but it's used elsewhere for page pinning as well. My gut feeling is that GUP(FOLL_WRITE|FOLL_FORCE) could be used right now to bypass that mechanism, I might be wrong. -- Thanks, David / dhildenb