From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 285E0C4332F for ; Wed, 14 Dec 2022 23:32:58 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 6FA668E0003; Wed, 14 Dec 2022 18:32:57 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 6834E8E0002; Wed, 14 Dec 2022 18:32:57 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 4FD908E0003; Wed, 14 Dec 2022 18:32:57 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id 3AA918E0002 for ; Wed, 14 Dec 2022 18:32:57 -0500 (EST) Received: from smtpin30.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id 0CC29140212 for ; Wed, 14 Dec 2022 23:32:57 +0000 (UTC) X-FDA: 80242514394.30.65D94AB Received: from mail-pg1-f178.google.com (mail-pg1-f178.google.com [209.85.215.178]) by imf03.hostedemail.com (Postfix) with ESMTP id 6B46220005 for ; Wed, 14 Dec 2022 23:32:55 +0000 (UTC) Authentication-Results: imf03.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=PDEg3nH3; spf=pass (imf03.hostedemail.com: domain of jeffxu@google.com designates 209.85.215.178 as permitted sender) smtp.mailfrom=jeffxu@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1671060775; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=EX38wRipK6YZXjwZPd7Su4K9Er1H54jvjyAx9rqRw1Q=; b=hs3DsKymSpofcQTAA302IvdFJ6beBhfydzRqtsL1pM9BSOz+xuQGwIU8EJMxCz4H9UzPd1 PnmrrozB/C6kOBU6ZSsbcVq4+YXmgktXV3Ukf+WJLqIYflC7yfk6uppSmJJ1CQBqHPfUUK 3YAoTavqJ8JqCAAYBlS/IOvhhHmzN/w= ARC-Authentication-Results: i=1; imf03.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=PDEg3nH3; spf=pass (imf03.hostedemail.com: domain of jeffxu@google.com designates 209.85.215.178 as permitted sender) smtp.mailfrom=jeffxu@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1671060775; a=rsa-sha256; cv=none; b=oMCnjP6wMtjMrbTBOX3aAM/P3lLSQFpgjoi3VyZG0fO+MphzqQa5t7ixCEPBQQXRbn7YJ8 O8B84cNI8py9thB4r3HxKdTPElH6jab0cfU793VGqk8lJDjHJh12l33ui/O0wbVT7zd7UK Tble4TyUYANaQ+utK6capEVbqVW5L8w= Received: by mail-pg1-f178.google.com with SMTP id 36so3034131pgp.10 for ; Wed, 14 Dec 2022 15:32:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=EX38wRipK6YZXjwZPd7Su4K9Er1H54jvjyAx9rqRw1Q=; b=PDEg3nH3xgHnheIK+JiFoLehsOV0gTUq21j4kLrRR1ZLvl25FbD7m8LX1fSIYwz/87 PIxzI5e9Pfn8V6aq1oOKcTbffZGDbFjXTXJhyLPaPkgFnINJjvhacuxaIOC1x6UwmVsZ d3iVOkBRfgId+oB/p//Pexfh3cuN+6pDvx6QMWBzGeykcVt02UbhvWYbj5G/9VF1Mrgi SOuvClJPMP6WbasvMUuLP1kVi84M3frkmNzV0VYdxvfWNm8RJXyMUXR2L9ZznH7S//1F vMvSYMesxZ8hHbbrwxzlnOR/mS/6Ywx+ti6WoVXe+D/TlHqjypG2vGA+5YOFEjXALgM4 JWEQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EX38wRipK6YZXjwZPd7Su4K9Er1H54jvjyAx9rqRw1Q=; b=apCPxrtv4aHFfZt54b1CX3Pzaiey9YOEbkqS2WjPiEUZtkkDX8tCcROqBkEKwg2YwE 89kWJt/xbg/hhbyIgydcX9BCbyImDgpCmOht258PEJ4MugaQAsbSkE63N154iyBOxbvd nm9j3AL05Ao3JH6jGrlQdYJtq3VZbzEsi3874j6Pu3ckBwkem0LutaZVaSvDl+638tB2 BiubGJjBtin4A+3c5RuzqzacZVWTyPLdTl51RuX2SAJdp7fAnV7PI3gKn3kk5Hhhckfw OuoIoZWYBc3H7GUNlm2NhhFFfOmT5OYDOxlGqFCvQULREJ2Ife5C76bgRiFJbQl1sN0x 6ORQ== X-Gm-Message-State: ANoB5pnz8YiI1dVlqUeEkuae8iWeGL9ep2e7ijnTXZo2oa+N1lz0eIFd z8S+Y3lLSxFmRADlEWoaoG4iNy5ieIZHSxgRKlLVdw== X-Google-Smtp-Source: AA0mqf6FrLS1D7V7SRNCy3k8CyVO9nDpptYhTX527VVCoLeeGz/DIxUaHIqaRhNRIJVDOOmwzpQTEeBAzUWYmJerZnw= X-Received: by 2002:a63:f04d:0:b0:470:5d17:a62e with SMTP id s13-20020a63f04d000000b004705d17a62emr68719053pgj.620.1671060773915; Wed, 14 Dec 2022 15:32:53 -0800 (PST) MIME-Version: 1.0 References: <20221209160453.3246150-1-jeffxu@google.com> <202212141053.7F5D1F6@keescook> In-Reply-To: <202212141053.7F5D1F6@keescook> From: Jeff Xu Date: Wed, 14 Dec 2022 15:32:16 -0800 Message-ID: Subject: Re: [PATCH v7 0/6] mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC To: Kees Cook Cc: jeffxu@chromium.org, skhan@linuxfoundation.org, akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jorgelo@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com, linux-hardening@vger.kernel.org, linux-security-module@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 6B46220005 X-Stat-Signature: nqwd838n39z1t6iy6tbkkmyqoqgjjoij X-Rspam-User: X-Rspamd-Server: rspam08 X-HE-Tag: 1671060775-691910 X-HE-Meta: U2FsdGVkX1+oEiqG5mYc1ggmonJx/QxrAe9wfcFjxmYYFGfgtBKW83Ac7Ddd8MTP05ZLmzBGhni4UX6LTt2mlKhQNmdnMuIiv0X9B/R77WGALqVSMd0JwM/hEof6AUtCWGpztqEtHdC1axifY/Evet0Eb2v//KBxiVNmfktpqFjPTCAcPT7EipT8C9PDx1oB3a5vXMJnXeRahXpBPSEnqjMXquyIpiUE3oH4z+fUnpi2gp4xSnZb2Rr1KznrdvFM6um5T7ovwL56vem+wIv5B2EDw7SgYUk63zagUCeaKY31Cf4ocj0pl0IcSiTE1LIzFmkHZO1BVHxkI18NHNNjO5uEFurL+TcK/j+MrEzhCrIkphaz4hKXaq5tWMG9jeeI+/aGC6rQG1XXuy6EC7dLG42FQI4xe8Jvc/Rpiu/CQPD7jPpKKaBnVFzdWKvUc4xM+2yTA7kPQsxgeNswsQWsIYq209649iC/KIsrHvoU956t/+nU5zLfBvZLUDEF8nsDqzmOyNE/lpmoz4gTLoSzcOPPVosMtgg5wVRIvaOLyyCdImbLLao46mP88zPHE4g72rqnOOYbCamw2uTu8fEl9MhtnwRZoY9Y7cWKlYQDmJNnSfT7Gk/gLwlrHyA5dEQj6elwCoUoAbR5f3/4ak8rgbnBb//ihIbnUGbzNS+LtmynI/EmzyQOZG6UStgfmv/bclQ2i72u/KEs9NMVXLh/kRAJA40MFwiVoUw78Em2d8h68MrhumNnhnq2Z17VTUNSSIG3AMYdxm/d3fgQruTZN8c39AoT1ZjkaDYvh4BYBIaxhDgzonwV1Z73f6zYMB+XETobr3VoZ1vbEImGx8n+KGIY32UQygxCAVXoP6+gitSzpI71itq8+1YY90bxu/favU3p64c/3W9CA3v0xzIgexlMFd42IvpOisBO+AHQ7PN/qwqddvV65lhHwWJn9wUNPDdH5+zQLnLDdHvSO5d Bd0UYtYh eiC/cs+TKFfPMW27l/bvbAKnioUIA+E1Rwkd9KiwQpnRgLvG1IByK4vhuvebuSjptgNxnozgXVB1bSc89fUyoBFGewHMMo2rPT08ahFXPhB0jFevGDFpxLqERLv90ka1hzo2Q X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Wed, Dec 14, 2022 at 10:54 AM Kees Cook wrote: > > On Fri, Dec 09, 2022 at 04:04:47PM +0000, jeffxu@chromium.org wrote: > > From: Jeff Xu > > > > Since Linux introduced the memfd feature, memfd have always had their > > execute bit set, and the memfd_create() syscall doesn't allow setting > > it differently. > > > > However, in a secure by default system, such as ChromeOS, (where all > > executables should come from the rootfs, which is protected by Verified > > boot), this executable nature of memfd opens a door for NoExec bypass > > and enables =E2=80=9Cconfused deputy attack=E2=80=9D. E.g, in VRP bug = [1]: cros_vm > > process created a memfd to share the content with an external process, > > however the memfd is overwritten and used for executing arbitrary code > > and root escalation. [2] lists more VRP in this kind. > > > > On the other hand, executable memfd has its legit use, runc uses memfd= =E2=80=99s > > seal and executable feature to copy the contents of the binary then > > execute them, for such system, we need a solution to differentiate runc= 's > > use of executable memfds and an attacker's [3]. > > > > To address those above, this set of patches add following: > > 1> Let memfd_create() set X bit at creation time. > > 2> Let memfd to be sealed for modifying X bit. > > 3> A new pid namespace sysctl: vm.memfd_noexec to control the behavior = of > > X bit.For example, if a container has vm.memfd_noexec=3D2, then > > memfd_create() without MFD_NOEXEC_SEAL will be rejected. > > 4> A new security hook in memfd_create(). This make it possible to a ne= w > > LSM, which rejects or allows executable memfd based on its security pol= icy. > > I think patch 1-5 look good to land. The LSM hook seems separable, and > could continue on its own. Thoughts? > Agreed. > (Which tree should memfd change go through?) > I'm not sure, is there a recommendation ? Thanks. Jeff > -Kees > > -- > Kees Cook