From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id B9120C4332F for ; Fri, 2 Dec 2022 23:24:16 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 4615B6B0072; Fri, 2 Dec 2022 18:24:16 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 4111F6B0073; Fri, 2 Dec 2022 18:24:16 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2B27B6B0074; Fri, 2 Dec 2022 18:24:16 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 18ACD6B0072 for ; Fri, 2 Dec 2022 18:24:16 -0500 (EST) Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id D580CAACC8 for ; Fri, 2 Dec 2022 23:24:15 +0000 (UTC) X-FDA: 80198946870.29.D170C8E Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com [209.85.216.52]) by imf28.hostedemail.com (Postfix) with ESMTP id 82A2CC0008 for ; Fri, 2 Dec 2022 23:24:15 +0000 (UTC) Authentication-Results: imf28.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=f9N08HoP; spf=pass (imf28.hostedemail.com: domain of jeffxu@google.com designates 209.85.216.52 as permitted sender) smtp.mailfrom=jeffxu@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1670023455; a=rsa-sha256; cv=none; b=cpG3klqnIMN5Rit1aw6QHTCUFCpiSlkBqzid25xNMWibTELVkhDVDt07INS6GETsn4aKqz fut5dYAjBbLV0nOfRv6Wkq+5bP3SUd/59vu3ylDnMVZFWd2ltfkhhuGp6wyOeSMhThFXHX FDe8Bdh2caCAMRZxMlFrNWAzRSEWVl0= ARC-Authentication-Results: i=1; imf28.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=f9N08HoP; spf=pass (imf28.hostedemail.com: domain of jeffxu@google.com designates 209.85.216.52 as permitted sender) smtp.mailfrom=jeffxu@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1670023455; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=on58jY6T434zQgu2CSXS/icw6nLEfVeftPkBpeTWD00=; b=r7tR5MVXzP6aq9ePeP9e9Rvpp/7NrjzGAJ47c2StkPs9mnxoR+yE30zBB4SMzGfFBxexxU yoHyvlBbmSGIke6Qc6H0mfmb7iAKXOEBvUtZTVHxBaYZ5Ebn+weyOp/WjRSo8g/8JlQsy5 2PMC5KMA0UgEyIfxQL9esr4t6bV1KnQ= Received: by mail-pj1-f52.google.com with SMTP id e7-20020a17090a77c700b00216928a3917so9662670pjs.4 for ; Fri, 02 Dec 2022 15:24:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=on58jY6T434zQgu2CSXS/icw6nLEfVeftPkBpeTWD00=; b=f9N08HoP3vjXrlBMoa1BWvaTSWYndYLcM4wvp+sp+YXl3LIIVsOpQuF46rZaSwVNfq nHVkSzNk6vjd6vvV4fmVD3rpGz5vZAwUikyB5tUcEHoW+afHzh1WXuoPSu784boKvqNM FdiMdq9PdHK4j0Q/imjoWxQ2FaNvTxNHqr7LrJfZ9lwi3EMqsJfwCF3hnBUWxxpwRTn0 0jvlP5iIb4KaObAhu8XtR2n5TKJLYoG7RLWkUrDoas8k4jsWcAWlntQBnMiRZqlEYoTP H442pPWf0jqdJyXM05cDctKukg6U+w+JyvNaWMDjfVn+YuFO5hK7+MJnmg0T32oxYnDL oH6w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=on58jY6T434zQgu2CSXS/icw6nLEfVeftPkBpeTWD00=; b=CfuB7AWBVrl1YFarjaFmtGI7WevKFlckO+QAq5INIfoyNfSE8MBDmLudcbRlsuH7Dn LkxNcqeXMagTlwxf7TiMb8GSmy1Hv/iutqPR0e/4x/s0YbnWvPwl24+X6c7shdMENY+6 i/BsuVOVwOv776TgVYd/2xKlaAVI1+eiwcAS+bNNmmHLSsmAuRLH8TJugUxKZDAIH2Y4 RJFXhPeSQGKszbXdepInurZMcDSwHJL9cNzkSSu4c0C1XAybsMCGfR8p2RtrO4PccDV/ qd41CnUCtav4vU66RfQsO1cqmgwADDTjS9OZ/kciGexOl/UBpbQWWt5WTV74uczPSkkq bp2Q== X-Gm-Message-State: ANoB5pk8OaQG9XMZZsTtEMN2Pz9UE2DRj0+NGvbH9L80fho4kf+rKF5O a4x6bsa7qsL85pKoG81e9FTOzGczLbW1ULjvSenLgg== X-Google-Smtp-Source: AA0mqf5E8zMLU2q3bZ7mZyyna7VvQKkHk3cfGKZrg32/dY3cWByKKJPBLwGkdKGt4CtkQAcmr9HvbrVMpAETT+qUAP8= X-Received: by 2002:a17:902:ec04:b0:189:894c:6b58 with SMTP id l4-20020a170902ec0400b00189894c6b58mr28915373pld.172.1670023454228; Fri, 02 Dec 2022 15:24:14 -0800 (PST) MIME-Version: 1.0 References: <20221202013404.163143-1-jeffxu@google.com> <20221202013404.163143-6-jeffxu@google.com> <202212021457.EC46B27677@keescook> In-Reply-To: <202212021457.EC46B27677@keescook> From: Jeff Xu Date: Fri, 2 Dec 2022 15:23:37 -0800 Message-ID: Subject: Re: [PATCH v3] mm/memfd: security hook for memfd_create To: Kees Cook Cc: jeffxu@chromium.org, skhan@linuxfoundation.org, akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jorgelo@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Rspam-User: X-Spamd-Result: default: False [-0.40 / 9.00]; BAYES_HAM(-6.00)[100.00%]; SORBS_IRL_BL(3.00)[209.85.216.52:from]; SUSPICIOUS_RECIPS(1.50)[]; SUBJECT_HAS_UNDERSCORES(1.00)[]; RCVD_NO_TLS_LAST(0.10)[]; MIME_GOOD(-0.10)[text/plain]; BAD_REP_POLICIES(0.10)[]; PREVIOUSLY_DELIVERED(0.00)[linux-mm@kvack.org]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; MIME_TRACE(0.00)[0:+]; R_DKIM_ALLOW(0.00)[google.com:s=20210112]; RCVD_COUNT_TWO(0.00)[2]; TAGGED_RCPT(0.00)[]; RCPT_COUNT_TWELVE(0.00)[14]; DKIM_TRACE(0.00)[google.com:+]; ARC_SIGNED(0.00)[hostedemail.com:s=arc-20220608:i=1]; DMARC_POLICY_ALLOW(0.00)[google.com,reject]; R_SPF_ALLOW(0.00)[+ip4:209.85.128.0/17]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_SOME(0.00)[]; ARC_NA(0.00)[] X-Rspamd-Queue-Id: 82A2CC0008 X-Rspamd-Server: rspam01 X-Stat-Signature: ozqg6nyw8z6im5yojetc1eg4cf4ypdjj X-HE-Tag: 1670023455-433777 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Fri, Dec 2, 2022 at 2:58 PM Kees Cook wrote: > > On Fri, Dec 02, 2022 at 01:34:03AM +0000, jeffxu@chromium.org wrote: > > From: Jeff Xu > > > > The new security_memfd_create allows lsm to check flags of > > memfd_create. > > > > The security by default system (such as chromeos) can use this > > to implement system wide lsm to allow only non-executable memfd > > being created. > > > > Signed-off-by: Jeff Xu > > --- > > include/linux/lsm_hook_defs.h | 1 + > > include/linux/lsm_hooks.h | 4 ++++ > > include/linux/security.h | 6 ++++++ > > mm/memfd.c | 5 +++++ > > 4 files changed, 16 insertions(+) > > > > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > > index ec119da1d89b..fd40840927c8 100644 > > --- a/include/linux/lsm_hook_defs.h > > +++ b/include/linux/lsm_hook_defs.h > > @@ -164,6 +164,7 @@ LSM_HOOK(int, 0, file_alloc_security, struct file *file) > > LSM_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file) > > LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd, > > unsigned long arg) > > +LSM_HOOK(int, 0, memfd_create, char *name, unsigned int flags) > > LSM_HOOK(int, 0, mmap_addr, unsigned long addr) > > LSM_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot, > > unsigned long prot, unsigned long flags) > > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > > index 4ec80b96c22e..5a18a6552278 100644 > > --- a/include/linux/lsm_hooks.h > > +++ b/include/linux/lsm_hooks.h > > @@ -543,6 +543,10 @@ > > * simple integer value. When @arg represents a user space pointer, it > > * should never be used by the security module. > > * Return 0 if permission is granted. > > + * @memfd_create: > > + * @name is the name of memfd file. > > + * @flags is the flags used in memfd_create. > > + * Return 0 if permission is granted. > > * @mmap_addr : > > * Check permissions for a mmap operation at @addr. > > * @addr contains virtual address that will be used for the operation. > > diff --git a/include/linux/security.h b/include/linux/security.h > > index ca1b7109c0db..5b87a780822a 100644 > > --- a/include/linux/security.h > > +++ b/include/linux/security.h > > @@ -384,6 +384,7 @@ int security_file_permission(struct file *file, int mask); > > int security_file_alloc(struct file *file); > > void security_file_free(struct file *file); > > int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg); > > +int security_memfd_create(char *name, unsigned int flags); > > int security_mmap_file(struct file *file, unsigned long prot, > > unsigned long flags); > > int security_mmap_addr(unsigned long addr); > > @@ -963,6 +964,11 @@ static inline int security_file_ioctl(struct file *file, unsigned int cmd, > > return 0; > > } > > > > +static inline int security_memfd_create(char *name, unsigned int flags) > > +{ > > + return 0; > > +} > > I think this is missing the security/security.c changes for the > non-inline version? > Yes. I will add that in V4. > -Kees > > > + > > static inline int security_mmap_file(struct file *file, unsigned long prot, > > unsigned long flags) > > { > > diff --git a/mm/memfd.c b/mm/memfd.c > > index 69e897dea6d5..96dcfbfed09e 100644 > > --- a/mm/memfd.c > > +++ b/mm/memfd.c > > @@ -346,6 +346,11 @@ SYSCALL_DEFINE2(memfd_create, > > goto err_name; > > } > > > > + /* security hook for memfd_create */ > > + error = security_memfd_create(name, flags); > > + if (error) > > + return error; > > + > > if (flags & MFD_HUGETLB) { > > file = hugetlb_file_setup(name, 0, VM_NORESERVE, > > HUGETLB_ANONHUGE_INODE, > > -- > > 2.39.0.rc0.267.gcb52ba06e7-goog > > > > -- > Kees Cook