From: Jeff Xu <jeffxu@chromium.org>
To: David Rheinsberg <david@readahead.eu>
Cc: "Jeff Xu" <jeffxu@google.com>, "Aleksa Sarai" <cyphar@cyphar.com>,
"Barnabás Pőcze" <pobrn@protonmail.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, dmitry.torokhov@gmail.com,
"Daniel Verkamp" <dverkamp@chromium.org>,
hughd@google.com, jorgelo@chromium.org,
skhan@linuxfoundation.org, "Kees Cook" <keescook@chromium.org>
Subject: Re: [PATCH v1] memfd: `MFD_NOEXEC_SEAL` should not imply `MFD_ALLOW_SEALING`
Date: Fri, 7 Jun 2024 08:58:08 -0700 [thread overview]
Message-ID: <CABi2SkUMppyL_LRKJV6BfgGu=1GpGCEOdZ5VHCENMUtzHcRTkA@mail.gmail.com> (raw)
In-Reply-To: <1e1edbdc-f91f-4106-baa6-b765b78e6abc@app.fastmail.com>
Hi David,
On Fri, Jun 7, 2024 at 1:38 AM David Rheinsberg <david@readahead.eu> wrote:
>
> Hi
>
> On Tue, May 28, 2024, at 7:13 PM, Jeff Xu wrote:
> >> > Another solution is to change memfd to be by-default sealable,
> >> > although that will be an api change, but what side effect will it be
> >> > ?
> >> > If we are worried about the memfd being sealed by an attacker, the
> >> > malicious code could also overwrite the content since memfd is not
> >> > sealed.
> >>
> >> You cannot change the default-seals retrospectively. There are existing shmem-users that share file-descriptors and *expect* the other party to be able to override data, but do *not* expect the other party to be able to apply seals. Note that these models explicitly *want* shared, writable access to the buffer (e.g., render-client shares a buffer with the display server for scanout), so just because you can *write* to a shmem-file does not mean that sharing is unsafe (e.g., using SIGBUS+mmap can safely deal with page-faults).
> >>
> > If the other party is controlled by an attacker, the attacker can
> > write garbage to the shm-file/memfd, that is already the end of the
> > game, at that point, sealing is no longer a concern, right?
>
> No. If a graphics client shares a buffer with a graphics server, the client is free to write garbage into the buffer. This is not unsafe. The graphics server will display whatever the client writes into the buffer. This is completely safe, without sealing and with a writable buffer.
>
> > If the threat-model is preventing attacker on the other side to write
> > the garbage data, then F_SEAL_WRITE|F_SEAL_SHRINK|F_SEAL_GROW can be
> > applied, in that case, default-sealable seems preferable because of
> > less code change.
>
> Again, the threat-model is *NOT* concerned with writes.
>
> Graphics clients/servers are a good example where *ANY* data is valid and can be processed by the privileged server. Hence, *ANY* writes are allowed and safe. No need for any seals. Those setups existed way before `memfd_create` was added (including seals).
>
> However, when windows are resized, graphic buffers need to be resized as well. In those setups, the graphics server might call `ftruncate(2)`. If you suddenly make shmem-files sealable by default, a client can set `F_SEAL_SHRINK/GROW` and the privileged graphics server will get an error from `ftruncate(2)`, which it might not be able to handle, as it correctly never expected this to happen.
>
The graphic buffer is a good example for shmem-files of
not-sealable-by-default. Thanks for the details.
-Jeff
> Thanks
> David
next prev parent reply other threads:[~2024-06-07 15:58 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-13 19:15 Barnabás Pőcze
2024-05-16 6:11 ` Jeff Xu
2024-05-22 23:23 ` Andrew Morton
2024-05-23 2:25 ` Barnabás Pőcze
2024-05-23 2:40 ` Jeff Xu
2024-05-23 8:24 ` David Rheinsberg
2024-05-23 16:20 ` Jeff Xu
2024-05-23 16:55 ` Jeff Xu
2024-05-24 14:28 ` David Rheinsberg
2024-05-28 17:13 ` Jeff Xu
2024-06-07 8:38 ` David Rheinsberg
2024-06-07 15:58 ` Jeff Xu [this message]
2024-05-24 16:12 ` Aleksa Sarai
2024-05-28 17:56 ` Jeff Xu
2024-06-02 9:45 ` Aleksa Sarai
2024-05-23 2:32 ` Jeff Xu
2024-05-23 19:45 ` Andrew Morton
2024-05-23 20:44 ` Jeff Xu
2024-05-23 20:50 ` Barnabás Pőcze
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CABi2SkUMppyL_LRKJV6BfgGu=1GpGCEOdZ5VHCENMUtzHcRTkA@mail.gmail.com' \
--to=jeffxu@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=cyphar@cyphar.com \
--cc=david@readahead.eu \
--cc=dmitry.torokhov@gmail.com \
--cc=dverkamp@chromium.org \
--cc=hughd@google.com \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pobrn@protonmail.com \
--cc=skhan@linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox