From: Paul Moore
Date: Fri, 9 Dec 2022 13:15:03 -0500
Subject: Re: [PATCH v7 0/6] mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC
To: jeffxu@chromium.org
Cc: skhan@linuxfoundation.org, keescook@chromium.org, akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com, linux-hardening@vger.kernel.org, linux-security-module@vger.kernel.org
In-Reply-To: <20221209160453.3246150-1-jeffxu@google.com>
References: <20221209160453.3246150-1-jeffxu@google.com>
List-ID: linux-mm

On Fri, Dec 9, 2022 at 11:05 AM <jeffxu@chromium.org> wrote:
> From: Jeff Xu
>
> Since Linux introduced the memfd feature, memfds have always had their
> execute bit set, and the memfd_create() syscall doesn't allow setting
> it differently.
>
> However, in a secure-by-default system such as ChromeOS (where all
> executables should come from the rootfs, which is protected by Verified
> Boot), this executable nature of memfd opens a door for NoExec bypass
> and enables a "confused deputy attack". E.g., in VRP bug [1]: the cros_vm
> process created a memfd to share its content with an external process;
> however, the memfd was overwritten and used for executing arbitrary code
> and root escalation. [2] lists more VRPs of this kind.

...

> [1] https://crbug.com/1305411

Can you make this accessible so those of us on the public lists can
view this bug? If not, please remove it from future postings and
adjust your description accordingly.

-- 
paul-moore.com
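The cover letter quoted above states the behaviour the series targets: a memfd has its exec bits set at creation, and memfd_create() gives the caller no way to ask for anything else. The following probe, an added example that is neither part of the patch series nor of this e-mail thread, makes that observable from userspace: it creates a memfd, reads its permission bits and seals, and checks whether fchmod() can add or remove the exec bits, first with the historical flags and then with the MFD_NOEXEC_SEAL flag the series introduces. It assumes a Linux host; the MFD_NOEXEC_SEAL, MFD_EXEC and F_SEAL_EXEC values are the ones the series uses and are defined locally only when the installed uapi headers predate them. On a kernel without the series the MFD_NOEXEC_SEAL probe reports EINVAL instead of a result, so the program does not depend on the patched kernel to run.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Values from the MFD_NOEXEC_SEAL / MFD_EXEC series (merged in Linux 6.3).
 * Defined here only so the program compiles against older system headers. */
#ifndef MFD_NOEXEC_SEAL
#define MFD_NOEXEC_SEAL 0x0008U
#endif
#ifndef MFD_EXEC
#define MFD_EXEC 0x0010U
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

struct memfd_probe {
    int supported;          /* memfd_create() accepted the flags */
    int create_errno;       /* errno when it did not */
    unsigned mode_at_create;/* permission bits right after creation */
    int seals;              /* fcntl(F_GET_SEALS) result */
    int add_exec_ok;        /* fchmod(fd, 0700) succeeded */
    int add_exec_errno;     /* errno when it did not */
    int drop_exec_ok;       /* fchmod(fd, 0600) succeeded */
    unsigned mode_at_end;   /* permission bits after both fchmod() calls */
};

/* Create a memfd with the given flags and record whether exec bits are
 * present and whether the owner can add or remove them with fchmod(). */
struct memfd_probe probe_memfd(unsigned int flags)
{
    struct memfd_probe p;
    struct stat st;
    int fd;

    memset(&p, 0, sizeof(p));
    p.seals = -1;
    fd = memfd_create("probe", flags);       /* name is arbitrary */
    if (fd < 0) {
        p.create_errno = errno;
        return p;
    }
    p.supported = 1;
    if (fstat(fd, &st) == 0)
        p.mode_at_create = st.st_mode & 0777;
    p.seals = fcntl(fd, F_GET_SEALS);
    if (fchmod(fd, 0700) == 0)               /* try to (re)add exec bits */
        p.add_exec_ok = 1;
    else
        p.add_exec_errno = errno;
    if (fchmod(fd, 0600) == 0)               /* drop them again */
        p.drop_exec_ok = 1;
    if (fstat(fd, &st) == 0)
        p.mode_at_end = st.st_mode & 0777;
    close(fd);
    return p;
}

/* 1: kernel accepted MFD_NOEXEC_SEAL and the memfd came back with no exec
 * bits, carrying F_SEAL_EXEC, and refusing chmod +x; 0: the flag was
 * accepted but one of those properties did not hold; -1: the kernel
 * predates the flag and rejected it with EINVAL. */
int noexec_seal_honoured(void)
{
    struct memfd_probe p =
        probe_memfd(MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_NOEXEC_SEAL);

    if (!p.supported)
        return p.create_errno == EINVAL ? -1 : 0;
    return (p.mode_at_create & 0111) == 0 &&
           (p.seals & F_SEAL_EXEC) != 0 &&
           !p.add_exec_ok;
}

static void report(const char *label, struct memfd_probe p)
{
    if (!p.supported) {
        printf("%-16s memfd_create failed: %s\n", label, strerror(p.create_errno));
        return;
    }
    printf("%-16s mode 0%03o, seals 0x%x, chmod +x %s, chmod -x %s, final mode 0%03o\n",
           label, p.mode_at_create, (unsigned)p.seals,
           p.add_exec_ok ? "allowed" : "refused",
           p.drop_exec_ok ? "allowed" : "refused", p.mode_at_end);
}

int main(void)
{
    report("default flags:", probe_memfd(MFD_CLOEXEC));
    report("MFD_EXEC:", probe_memfd(MFD_CLOEXEC | MFD_EXEC));
    report("MFD_NOEXEC_SEAL:",
           probe_memfd(MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_NOEXEC_SEAL));
    return 0;
}
```

Compile with `gcc -Wall -o memfd_probe memfd_probe.c` and run as an ordinary user. On a kernel without the series the first line shows the exec bits present and chmod +x allowed, which is the NoExec bypass surface the cover letter describes, and the last line reports EINVAL. With the series applied, the MFD_NOEXEC_SEAL line shows a mode without exec bits, F_SEAL_EXEC in the seal mask, and chmod +x refused, which is the property a sandboxed process should verify before handing a memfd to a less trusted peer.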