From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id B8978C25B04
	for <linux-mm@archiver.kernel.org>; Thu, 15 Dec 2022 16:56:07 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 270A28E0003; Thu, 15 Dec 2022 11:56:07 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 221798E0002; Thu, 15 Dec 2022 11:56:07 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 0E99D8E0003; Thu, 15 Dec 2022 11:56:07 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16])
	by kanga.kvack.org (Postfix) with ESMTP id F1B908E0002
	for <linux-mm@kvack.org>; Thu, 15 Dec 2022 11:56:06 -0500 (EST)
Received: from smtpin24.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay10.hostedemail.com (Postfix) with ESMTP id B8357C0535
	for <linux-mm@kvack.org>; Thu, 15 Dec 2022 16:56:06 +0000 (UTC)
X-FDA: 80245143132.24.CDAA83C
Received: from mail-pj1-f43.google.com (mail-pj1-f43.google.com [209.85.216.43])
	by imf20.hostedemail.com (Postfix) with ESMTP id E83771C001C
	for <linux-mm@kvack.org>; Thu, 15 Dec 2022 16:56:04 +0000 (UTC)
Authentication-Results: imf20.hostedemail.com;
	dkim=pass header.d=google.com header.s=20210112 header.b=BwAd8aLP;
	spf=pass (imf20.hostedemail.com: domain of jeffxu@google.com designates 209.85.216.43 as permitted sender) smtp.mailfrom=jeffxu@google.com;
	dmarc=pass (policy=reject) header.from=google.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1671123365;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=DOs+4sldiwGC1XG54dp5mVgT4uLPOQwpbZy8XgG5P7U=;
	b=3N9ltRjC0v6FXH3dUTHioZ9ZBNLCFwzXBhxRJWyz3SxNGGoTbK28FolvXxSimI9ePBRWBZ
	v3RXGaWgjoTHPspVKckX+pDj41j1c/mXkCKaRR2+yzcYs1PwWGlSR4zbmd8o/X0R36Cl7j
	E65PY7GEQru9cnzcZV1ezLRbYuGKHHQ=
ARC-Authentication-Results: i=1;
	imf20.hostedemail.com;
	dkim=pass header.d=google.com header.s=20210112 header.b=BwAd8aLP;
	spf=pass (imf20.hostedemail.com: domain of jeffxu@google.com designates 209.85.216.43 as permitted sender) smtp.mailfrom=jeffxu@google.com;
	dmarc=pass (policy=reject) header.from=google.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1671123365; a=rsa-sha256;
	cv=none;
	b=ZIWIfMYn2bRTBnCoa/idqZoNP93rDIG1gNTdk3HGgoKnaL5GIR5nlEGb+V6O4bxZ5RhFyB
	1oZ+77wQx8IyvMuRFM0Fgl5fZ68YRZHc8XoNdafkGs9icm9oGTGZCM5aq9QHRec/sd8Ji2
	gihdIuNOpoVsoJD5kVx5HORXDhvNIhQ=
Received: by mail-pj1-f43.google.com with SMTP id t11-20020a17090a024b00b0021932afece4so3313433pje.5
        for <linux-mm@kvack.org>; Thu, 15 Dec 2022 08:56:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=DOs+4sldiwGC1XG54dp5mVgT4uLPOQwpbZy8XgG5P7U=;
        b=BwAd8aLPF5gd7FIHoISnAe0Zyh/n9acpz7ASV5bArM8hi+12M+FokUGMCFBYex8YYT
         nxAxlAOtheavS0XJFp986uZEh6iP0Ge1ESokWEFBokuizRQABamacozxfHoHFFmuc1ig
         og9sJEbM9bDah05cislLrAkqozwsfBmeI2c0IATzpQQH3Shewyh+bhXQoOzGvx/VhhF4
         q0IchDuQ9ETeLCwyhWh4KMyKbH1/EIDfepr0bi0OHiqJSTjhJ7A3Nxt8kXYoynQWbMgP
         NFZaNJrEnOv3E7GDTrJU47AoUmR++UPFYGrV0RFmWai23NVv2rwcyUqZetoHP0TjnvhP
         tb3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=DOs+4sldiwGC1XG54dp5mVgT4uLPOQwpbZy8XgG5P7U=;
        b=n/Xs18/bECEZ9WbhU8PzibyXNufkIku4xIdz6TDX6Ef4yG4nPIfaXuHxl7NS0nXF6Y
         cIT7rmdgVEPHplyTAwMqZXcBEMVveev/fWyZ7ED1fMbyg7D1ldOV8iKQXSiGqDxA9TGV
         X72euqc9BzCz2Jlef5sgX54nBiYC2HKFB/mTEKkUTe11QXQ1ZCEpWJi1PT20hspyBKGD
         x+R3PXJT9a1meBhmy8fc16n3Nsqx7REpcPSashXnyH8kf2yDwRJkyzW0vaOQaUvyDjMy
         ry3VeMAoJrEj4xoBUxtAO0xGnkq51tnAdgQIJL//oosNCOxjKszgybFufAaAxwnlp0PV
         F/FA==
X-Gm-Message-State: AFqh2krA1LINkLuAjMs9NWQ+yxcNac3J4gp5Z5zkAUh5UGr2ABpVmBsp
	gODVqWhoSwRwaO+4i1DXvfj8dQ1PAswNMGZK6Hz/Nw==
X-Google-Smtp-Source: AMrXdXtENt/mhPma/+EbgzmxkFLEmcOUooUWEz4dux8uEyqEYR9PwvfNgIzmFBek41FGvcb4TrN/AF2YjFTKl7rw3wI=
X-Received: by 2002:a17:90a:4612:b0:219:a43b:1006 with SMTP id
 w18-20020a17090a461200b00219a43b1006mr786360pjg.195.1671123363557; Thu, 15
 Dec 2022 08:56:03 -0800 (PST)
MIME-Version: 1.0
References: <20221209160453.3246150-1-jeffxu@google.com> <202212141053.7F5D1F6@keescook>
 <CALmYWFss4hGOgJaeah8p7q86xmE7AOwOazxggGCuY=A+ZUVWhQ@mail.gmail.com> <202212141607.D2D986C076@keescook>
In-Reply-To: <202212141607.D2D986C076@keescook>
From: Jeff Xu <jeffxu@google.com>
Date: Thu, 15 Dec 2022 08:55:26 -0800
Message-ID: <CALmYWFvJv_4yLxnv=8Bpx0mE_WLi0yGVxR-ybN8VAatEwmM+iQ@mail.gmail.com>
Subject: Re: [PATCH v7 0/6] mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC
To: Kees Cook <keescook@chromium.org>
Cc: akpm@linux-foundation.org, jeffxu@chromium.org, skhan@linuxfoundation.org, 
	dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, 
	jorgelo@chromium.org, linux-kernel@vger.kernel.org, 
	linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com, 
	linux-hardening@vger.kernel.org, linux-security-module@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Rspamd-Server: rspam07
X-Rspamd-Queue-Id: E83771C001C
X-Rspam-User: 
X-Stat-Signature: qb371y8ianh6hz5zrg4auuwhgnug3qg1
X-HE-Tag: 1671123364-505373
X-HE-Meta: U2FsdGVkX1+8vovBh+44xcoX2MepXpwqsHAhVsrmr5siTxI5JuYRjyPyEYT4Rk33y3I7bHHEgbWkgj1ytxrxno7lNvL5Cx+B0NLbVFxUsZNA7u+44juF0H/QFZGzV21iKJRUvrpThUia+om5EQUB8wSskOGdJsqZcysJwPgsXO6Qiz0+R/KBwlXywhjiA4CQ+p9dyvX4oS77daQysRdqTmCbF32a2DNxPiw3wL8gx+5KnDQyvtUPo9Avo9MPNEhauIN4/7PhTIx05xunuB/l3DjdQtUuSUyJ3IDyd6g2anHBZc+v/C3qmt0u68DywhMVrojp8xLm4xcWE6mi99ntOevRXAipzvJl4Zgh39NFFfuT987PD80M22rhXVKYiLZoccW60DblWSGMDEJ5iR9rHCASRj8KwnZAxQ0CHgKedz86g1cDVcjSUyRE+kJCxCNpu0f8zg38yVzISCA2xIZI8Pg1qu0SmXiYBtNwrPGNzmOzVyVNMw2eQjH03oRgLDtBKI1qTuXjg12Df9SYnXYaRiB5Qvu5KxXGdZ9YxQcUEaq0FUeALntsMJTRcuNambr4qdZviqAzjMULY8cU1fQdtcUj6lLdM0wbH9xhdVsN7fRlSF+zYUBcCr6uPTM4ewujQbjErMjxxSkH/1qmtxvqCqNamMsqCEl6/p610JpuWriMpy9Atw3Ydg15GC59fEBm0E1NsKXRcg1IU7YJ1ybSZJ2ep7sqC/gkIBFyyZOZtPEVIEW7LJ/0kpz8fBe2Wryjjpn/PT1fY+4UGmuTCUCCLDdw98ud3n5EUr+3FyZOvymq5LdmSDs6BvEi+XBZZmxnWHOPwHviITSYVWqsCZBY5NfkXEN2oCmKDsgdOzQu+0K4Qt1hDSTVSyuT7UR8feLfT+6kQ7owyL8m9C1Ghk/iIwYA8/0WjdPkcX+/8r/UnFrmBpej1eenDD1DRQYljYuKj5v8T9A8G4Rq2qQthAn
 7OkCAqTx
 t8jc4ZRfwS3lsk8tsqpQtbg21ge2zSAv6NxCplQ38fYNHz5Cqj0y3Xe/ssRaR/eSWjr3dvfTp4xkRj/l9Koud6Qck41N7DuMOj65+R0evqEeNXVK4ZqzhkSKeOAqhnRaXSKyd
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Wed, Dec 14, 2022 at 4:08 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Wed, Dec 14, 2022 at 03:32:16PM -0800, Jeff Xu wrote:
> > On Wed, Dec 14, 2022 at 10:54 AM Kees Cook <keescook@chromium.org> wrot=
e:
> > >
> > > On Fri, Dec 09, 2022 at 04:04:47PM +0000, jeffxu@chromium.org wrote:
> > > > From: Jeff Xu <jeffxu@google.com>
> > > >
> > > > Since Linux introduced the memfd feature, memfd have always had the=
ir
> > > > execute bit set, and the memfd_create() syscall doesn't allow setti=
ng
> > > > it differently.
> > > >
> > > > However, in a secure by default system, such as ChromeOS, (where al=
l
> > > > executables should come from the rootfs, which is protected by Veri=
fied
> > > > boot), this executable nature of memfd opens a door for NoExec bypa=
ss
> > > > and enables =E2=80=9Cconfused deputy attack=E2=80=9D.  E.g, in VRP =
bug [1]: cros_vm
> > > > process created a memfd to share the content with an external proce=
ss,
> > > > however the memfd is overwritten and used for executing arbitrary c=
ode
> > > > and root escalation. [2] lists more VRP in this kind.
> > > >
> > > > On the other hand, executable memfd has its legit use, runc uses me=
mfd=E2=80=99s
> > > > seal and executable feature to copy the contents of the binary then
> > > > execute them, for such system, we need a solution to differentiate =
runc's
> > > > use of  executable memfds and an attacker's [3].
> > > >
> > > > To address those above, this set of patches add following:
> > > > 1> Let memfd_create() set X bit at creation time.
> > > > 2> Let memfd to be sealed for modifying X bit.
> > > > 3> A new pid namespace sysctl: vm.memfd_noexec to control the behav=
ior of
> > > >    X bit.For example, if a container has vm.memfd_noexec=3D2, then
> > > >    memfd_create() without MFD_NOEXEC_SEAL will be rejected.
> > > > 4> A new security hook in memfd_create(). This make it possible to =
a new
> > > > LSM, which rejects or allows executable memfd based on its security=
 policy.
> > >
> > > I think patch 1-5 look good to land. The LSM hook seems separable, an=
d
> > > could continue on its own. Thoughts?
> > >
> > Agreed.
> >
> > > (Which tree should memfd change go through?)
> > >
> > I'm not sure, is there a recommendation ?
>
> It looks like it's traditionally through akpm's tree. Andrew, will you
> carry patches 1-5?
>
Hi Andrew, if you are taking this, V8 is the latest that contains patch 1-5=
.

Thanks
Jeff

> Thanks!
>
> --
> Kees Cook