From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id DED91C47088 for ; Fri, 2 Dec 2022 23:24:12 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 304BF6B0071; Fri, 2 Dec 2022 18:24:12 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 2B1FD6B0072; Fri, 2 Dec 2022 18:24:12 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 152A06B0073; Fri, 2 Dec 2022 18:24:12 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id 0713A6B0071 for ; Fri, 2 Dec 2022 18:24:12 -0500 (EST) Received: from smtpin24.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id B8C78AACC8 for ; Fri, 2 Dec 2022 23:24:11 +0000 (UTC) X-FDA: 80198946702.24.B17290F Received: from mail-pj1-f43.google.com (mail-pj1-f43.google.com [209.85.216.43]) by imf29.hostedemail.com (Postfix) with ESMTP id 585EA120016 for ; Fri, 2 Dec 2022 23:24:10 +0000 (UTC) Authentication-Results: imf29.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=HeigGMHv; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf29.hostedemail.com: domain of dverkamp@chromium.org designates 209.85.216.43 as permitted sender) smtp.mailfrom=dverkamp@chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1670023450; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=ofSHfJEl53nBxTKL7kEN4Zg0gZG24eP3ZO/twC4u+1k=; b=Ulzg4z/s3gXYJPVH7b8kaAl8wiBG0AJXjZZ1pdB9ongUFKNOYRhN2Aw4JGBpsZ4Vd/RY/9 3ZtbkjylAvVHba1suqJDDLOox8rFKPahmArT9teFi6cBrTGhDF9URdZLWLHAaXPtRbpxbE GnUTPFK5fC0X+HEmnbT9c+VDTVnv9WY= ARC-Authentication-Results: i=1; imf29.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=HeigGMHv; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf29.hostedemail.com: domain of dverkamp@chromium.org designates 209.85.216.43 as permitted sender) smtp.mailfrom=dverkamp@chromium.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1670023450; a=rsa-sha256; cv=none; b=M73xmkKsY8qrOn5Q4hyGcJPQHyYLfus08ze0Ey2kIGbLZvlFwhwGRboncRKJYMq4lkYYj6 qI2dvN8plRcEaVEMjtLeMyS6JOgbWeb2FhCg9kRDd4JyZ1CKb0U1EBBRc2Eu/1IIrCF98b RoygB6g3vZwBozyRnElVVk4iUTRciBQ= Received: by mail-pj1-f43.google.com with SMTP id w15-20020a17090a380f00b0021873113cb4so6477060pjb.0 for ; Fri, 02 Dec 2022 15:24:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ofSHfJEl53nBxTKL7kEN4Zg0gZG24eP3ZO/twC4u+1k=; b=HeigGMHv29ce9DCaTPYVM3dw6G+hA6RazCRkjT3KQZLg25j/kXIJzVk1CREUf4Tnjy ObHsN/+LfiA+cHa5FGu5yq1n8lo5ofkI8FlaEx18YFuhsuonRWe5rGWezpeJ+mAErWcz bONfAWoJMb2gN0IP5FjGges9W5cH/wdhI0L3s= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ofSHfJEl53nBxTKL7kEN4Zg0gZG24eP3ZO/twC4u+1k=; b=JX5qmd5BXAugg4oqKRflq3Z7eBqfGZEsO9K7DtLS5IGlkczYTOYLQAe8FM2Ez6kf79 R8l4Ga0j5V9p+SnRiUsRLM9fs2UPh+HYIjkT+rL5Hj89zg18nvo/InZjsOBE8loEjojy p4Q6aAJOpMAoAA2gCguTHx2jNe+SYQRYsRLStViCb6pRsPyQhWhGDuZBJmdn9piKvhLR 3upGPdx9nRz/bQ4dZ4KxFD1QhgyhXz6CYzjTOmpFe2Eku9USLO9pA5CKpA8L3U/di7zI 07qXHu+OnyC6/KhROpKjDKq3pG1SywkFi2CNmwfCHPrAehvTd9LPhPdcrVcGLzdu0yE7 Lnug== X-Gm-Message-State: ANoB5pl+tK8IobO0WsScOzrBsSMEKXpqLoSvVB9+TLLNBKCZ9svRzrqE z/+V7UNHF4pXsadsOClnGqFnTWDw0iawr0WP X-Google-Smtp-Source: AA0mqf7mT62CdxwNRCpSBXAXs6bbaCjO+GVvWUEGiOqPx7sYc5NV2QivfqD58Pp4NVNhGtIoIItFBg== X-Received: by 2002:a17:903:244c:b0:189:3279:5e82 with SMTP id l12-20020a170903244c00b0018932795e82mr54252765pls.10.1670023449150; Fri, 02 Dec 2022 15:24:09 -0800 (PST) Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com. [209.85.214.179]) by smtp.gmail.com with ESMTPSA id n6-20020a170902d2c600b00186e2123506sm6059976plc.300.2022.12.02.15.24.08 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 02 Dec 2022 15:24:08 -0800 (PST) Received: by mail-pl1-f179.google.com with SMTP id p24so6001425plw.1 for ; Fri, 02 Dec 2022 15:24:08 -0800 (PST) X-Received: by 2002:a17:902:e807:b0:189:117c:fcfe with SMTP id u7-20020a170902e80700b00189117cfcfemr54885077plg.124.1670023447808; Fri, 02 Dec 2022 15:24:07 -0800 (PST) MIME-Version: 1.0 References: <20221202013404.163143-1-jeffxu@google.com> <20221202013404.163143-7-jeffxu@google.com> In-Reply-To: <20221202013404.163143-7-jeffxu@google.com> From: Daniel Verkamp Date: Fri, 2 Dec 2022 15:23:41 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v3] mm/memfd: Add write seals when apply SEAL_EXEC to executable memfd To: jeffxu@chromium.org Cc: skhan@linuxfoundation.org, keescook@chromium.org, akpm@linux-foundation.org, dmitry.torokhov@gmail.com, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Rspam-User: X-Rspamd-Server: rspam02 X-Rspamd-Queue-Id: 585EA120016 X-Stat-Signature: 6agacz9bkx6pi68kg6zoejtcedrjcito X-Spamd-Result: default: False [2.66 / 9.00]; SORBS_IRL_BL(6.00)[209.85.214.179:received,209.85.216.43:from]; BAYES_HAM(-5.94)[99.87%]; SUSPICIOUS_RECIPS(1.50)[]; SUBJECT_HAS_UNDERSCORES(1.00)[]; RCVD_NO_TLS_LAST(0.10)[]; MIME_GOOD(-0.10)[text/plain]; BAD_REP_POLICIES(0.10)[]; PREVIOUSLY_DELIVERED(0.00)[linux-mm@kvack.org]; ARC_NA(0.00)[]; RCPT_COUNT_TWELVE(0.00)[14]; DMARC_POLICY_ALLOW(0.00)[chromium.org,none]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_ALLOW(0.00)[chromium.org:s=google]; MIME_TRACE(0.00)[0:+]; TAGGED_RCPT(0.00)[]; DKIM_TRACE(0.00)[chromium.org:+]; RCVD_COUNT_THREE(0.00)[4]; TO_DN_NONE(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; R_SPF_ALLOW(0.00)[+ip4:209.85.128.0/17]; FROM_HAS_DN(0.00)[]; ARC_SIGNED(0.00)[hostedemail.com:s=arc-20220608:i=1]; RCVD_VIA_SMTP_AUTH(0.00)[] X-HE-Tag: 1670023450-860037 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000008, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu, Dec 1, 2022 at 5:36 PM wrote: > > From: Jeff Xu > > When apply F_SEAL_EXEC to an executable memfd, add write seals also to > prevent modification of memfd. > > Signed-off-by: Jeff Xu > --- > mm/memfd.c | 3 +++ > tools/testing/selftests/memfd/memfd_test.c | 25 ++++++++++++++++++++++ > 2 files changed, 28 insertions(+) > > diff --git a/mm/memfd.c b/mm/memfd.c > index 96dcfbfed09e..3a04c0698957 100644 > --- a/mm/memfd.c > +++ b/mm/memfd.c > @@ -222,6 +222,9 @@ static int memfd_add_seals(struct file *file, unsigned int seals) > } > } > > + if (seals & F_SEAL_EXEC && inode->i_mode & 0111) > + seals |= F_ALL_SEALS; > + > *file_seals |= seals; > error = 0; > Hi Jeff, (Following up on some discussion on the original review, sorry for any duplicate comments.) Making F_SEAL_EXEC imply all seals (including F_SEAL_SEAL) seems a bit confusing. This at least needs documentation to make it clear. Rather than silently adding other seals, perhaps we could return an error if the caller requests F_SEAL_EXEC but not the write seals, so the other seals would have to be explicitly listed in the application code. This would have the same net effect without making the F_SEAL_EXEC operation too magical. Additionally, if the goal is to enforce W^X, I don't think this completely closes the gap. There will always be a period where it is both writable and executable with this API: 1. memfd_create(MFD_EXEC). Can't use MFD_NOEXEC since that would seal chmod(+x), so the memfd is W + X here. 2. write() code to the memfd. 3. fcntl(F_ADD_SEALS, F_SEAL_EXEC) to convert the memfd to !W + X. I think one of the attack vectors involved the attacker waiting for another process to create a memfd, pausing/delaying the victim process, overwriting the memfd with their own code, and calling exec() on it, which is still possible in the window between steps 1 and 3 with this design. Thanks, -- Daniel