From: "David Rheinsberg"
Date: Fri, 24 May 2024 16:15:06 +0200
To: "Jeff Xu", "Jeff Xu"
Cc: "Andrew Morton", cyphar@cyphar.com, dmitry.torokhov@gmail.com, "Daniel Verkamp", hughd@google.com, jorgelo@chromium.org, "Kees Cook", linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, Barnabás Pőcze, skhan@linuxfoundation.org, stable@vger.kernel.org
Subject: Re: [PATCH v2 1/2] memfd: fix MFD_NOEXEC_SEAL to be non-sealable by default
Message-Id: <79b3aa3e-bc70-410e-9646-0b6880a4a74b@app.fastmail.com>
In-Reply-To: <20240524033933.135049-2-jeffxu@google.com>

Hi

On Fri, May 24, 2024, at 5:39 AM, jeffxu@chromium.org wrote:
> From: Jeff Xu
>
> By default, memfd_create() creates a non-sealable MFD, unless the
> MFD_ALLOW_SEALING flag is set.
>
> When the MFD_NOEXEC_SEAL flag is initially introduced, the MFD created
> with that flag is sealable, even though MFD_ALLOW_SEALING is not set.
> This patch changes MFD_NOEXEC_SEAL to be non-sealable by default,
> unless MFD_ALLOW_SEALING is explicitly set.
>
> This is a non-backward compatible change. However, as MFD_NOEXEC_SEAL
> is new, we expect not many applications will rely on the nature of
> MFD_NOEXEC_SEAL being sealable. In most cases, the application already
> sets MFD_ALLOW_SEALING if they need a sealable MFD.

This does not really reflect the effort that went into this. Shouldn't this be something along the lines of:

    This is a non-backward compatible change. However, MFD_NOEXEC_SEAL
    was only recently introduced and a codesearch revealed no breaking
    users apart from dbus-broker unit-tests (which have a patch pending
    and explicitly support this change).

> Additionally, this enhances the useability of pid namespace sysctl
> vm.memfd_noexec. When vm.memfd_noexec equals 1 or 2, the kernel will
> add MFD_NOEXEC_SEAL if mfd_create does not specify MFD_EXEC or
> MFD_NOEXEC_SEAL, and the addition of MFD_NOEXEC_SEAL enables the MFD
> to be sealable. This means, any application that does not desire this
> behavior will be unable to utilize vm.memfd_noexec = 1 or 2 to
> migrate/enforce non-executable MFD. This adjustment ensures that
> applications can anticipate that the sealable characteristic will
> remain unmodified by vm.memfd_noexec.
>
> This patch was initially developed by Barnabás Pőcze, and Barnabás
> used Debian Code Search and GitHub to try to find potential breakages
> and could only find a single one. Dbus-broker's memfd_create() wrapper
> is aware of this implicit `MFD_ALLOW_SEALING` behavior, and tries to
> work around it [1]. This workaround will break. Luckily, this only
> affects the test suite, it does not affect
> the normal operations of dbus-broker. There is a PR with a fix[2]. In
> addition, David Rheinsberg also raised similar fix in [3]
>
> [1]: https://github.com/bus1/dbus-broker/blob/9eb0b7e5826fc76cad7b025bc46f267d4a8784cb/src/util/misc.c#L114
> [2]: https://github.com/bus1/dbus-broker/pull/366
> [3]: https://lore.kernel.org/lkml/20230714114753.170814-1-david@readahead.eu/
>
> Cc: stable@vger.kernel.org
> Fixes: 105ff5339f498a ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC")
> Signed-off-by: Barnabás Pőcze
> Signed-off-by: Jeff Xu
> Reviewed-by: David Rheinsberg

Looks good!

Thanks!
David
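
An added example, not part of the thread or of the patch under review: a small probe that reports whether a fresh memfd is sealable for each flag combination the commit message discusses, so the behaviour can be checked on a given kernel. The helper names (initial_seals, is_sealable) and the "seal-probe" memfd name are assumptions of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for older libc headers; values are from the Linux UAPI headers. */
#ifndef MFD_ALLOW_SEALING
#define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef MFD_NOEXEC_SEAL
#define MFD_NOEXEC_SEAL 0x0008U
#endif
#ifndef F_GET_SEALS
#define F_GET_SEALS 1034
#define F_SEAL_SEAL 0x0001
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

/* Initial seal mask of a fresh memfd created with `flags`, or -1 on failure
 * (e.g. MFD_NOEXEC_SEAL on a kernel that predates the flag). */
int initial_seals(unsigned int flags)
{
    int fd = (int)syscall(SYS_memfd_create, "seal-probe", flags);
    if (fd < 0)
        return -1;
    int seals = fcntl(fd, F_GET_SEALS);
    close(fd);
    return seals;
}

/* Further seals can be added only while F_SEAL_SEAL is absent. */
int is_sealable(int seals)
{
    return seals >= 0 && !(seals & F_SEAL_SEAL);
}

int main(void)
{
    const unsigned int combos[] = { 0, MFD_ALLOW_SEALING, MFD_NOEXEC_SEAL,
                                    MFD_NOEXEC_SEAL | MFD_ALLOW_SEALING };
    for (size_t i = 0; i < sizeof(combos) / sizeof(combos[0]); i++) {
        int s = initial_seals(combos[i]);
        printf("flags=0x%02x seals=%d sealable=%d noexec_sealed=%d\n",
               combos[i], s, is_sealable(s), s >= 0 && (s & F_SEAL_EXEC) != 0);
    }
    return 0;
}
```

The row to watch is flags=0x08 (MFD_NOEXEC_SEAL alone): sealable=1 is the implicit-sealing behaviour the commit message describes, sealable=0 is what the patch proposes. The flags=0x00 row also depends on vm.memfd_noexec, as the quoted text explains.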