References: <20240611034903.3456796-1-jeffxu@chromium.org> <20240611034903.3456796-2-jeffxu@chromium.org> <595b6353-6da6-432b-96b4-42c4e3ec1146@infradead.org>
In-Reply-To: <595b6353-6da6-432b-96b4-42c4e3ec1146@infradead.org>
From: Jeff Xu
Date: Tue, 11 Jun 2024 16:03:56 -0700
Subject: Re: [PATCH v2 1/1] mm/memfd: add documentation for MFD_NOEXEC_SEAL MFD_EXEC
To: Randy Dunlap
Cc: jeffxu@chromium.org, akpm@linux-foundation.org, cyphar@cyphar.com, david@readahead.eu, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pobrn@protonmail.com, skhan@linuxfoundation.org, stable@vger.kernel.org

On Tue, Jun 11, 2024 at 3:41 PM Randy Dunlap wrote:
>
>
>
> On 6/10/24 8:49 PM, jeffxu@chromium.org wrote:
> > From: Jeff Xu
> >
> > Add documentation for memfd_create flags: MFD_NOEXEC_SEAL
> > and MFD_EXEC
> >
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Jeff Xu
> >
> > ---
> >  Documentation/userspace-api/index.rst      |  1 +
> >  Documentation/userspace-api/mfd_noexec.rst | 86 ++++++++++++++++++++++
> >  2 files changed, 87 insertions(+)
> >  create mode 100644 Documentation/userspace-api/mfd_noexec.rst
> >
> > diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst
> > index 5926115ec0ed..8a251d71fa6e 100644
> > --- a/Documentation/userspace-api/index.rst
> > +++ b/Documentation/userspace-api/index.rst
> > @@ -32,6 +32,7 @@ Security-related interfaces
> >     seccomp_filter
> >     landlock
> >     lsm
> > +   mfd_noexec
> >     spec_ctrl
> >     tee
> >
> > diff --git a/Documentation/userspace-api/mfd_noexec.rst b/Documentation/userspace-api/mfd_noexec.rst
> > new file mode 100644
> > index 000000000000..ec6e3560fbff
> > --- /dev/null
> > +++ b/Documentation/userspace-api/mfd_noexec.rst
> > @@ -0,0 +1,86 @@
> > +.. SPDX-License-Identifier: GPL-2.0
> > +
> > +==================================
> > +Introduction of non executable mfd
>
> Missed:
>    non-executable
>
> > +==================================
> > +:Author:
> > +    Daniel Verkamp
> > +    Jeff Xu
> > +
> > +:Contributor:
> > +    Aleksa Sarai
> > +
> > +Since Linux introduced the memfd feature, memfds have always had their
> > +execute bit set, and the memfd_create() syscall doesn't allow setting
> > +it differently.
> > +
> > +However, in a secure-by-default system, such as ChromeOS, (where all
> > +executables should come from the rootfs, which is protected by verified
> > +boot), this executable nature of memfd opens a door for NoExec bypass
> > +and enables “confused deputy attack”. E.g, in VRP bug [1]: cros_vm
> > +process created a memfd to share the content with an external process,
> > +however the memfd is overwritten and used for executing arbitrary code
> > +and root escalation. [2] lists more VRP of this kind.
> > +
> > +On the other hand, executable memfd has its legit use: runc uses memfd’s
> > +seal and executable feature to copy the contents of the binary then
> > +execute them. For such a system, we need a solution to differentiate runc's
> > +use of executable memfds and an attacker's [3].
> > +
> > +To address those above:
> > + - Let memfd_create() set X bit at creation time.
> > + - Let memfd be sealed for modifying X bit when NX is set.
> > + - Add a new pid namespace sysctl: vm.memfd_noexec to help applications to
>
>                                                                     help applications in
>
> > + migrating and enforcing non-executable MFD.
> > +
> > +User API
> > +========
>
> The rest looks good. Thanks.
>
Thanks for your review!

> --
> ~Randy
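Review bot: in the new mfd_noexec.rst hunk, the "To address those above:" list describes the mechanism only in terms of "X bit", "NX", "NoExec" and "non-executable MFD" and never names the flags the document is meant to explain, even though the subject line and commit message are about MFD_NOEXEC_SEAL and MFD_EXEC; each bullet should say which flag it refers to, for example "- Let memfd_create() set X bit at creation time (MFD_EXEC / MFD_NOEXEC_SEAL)." The bullet "Let memfd be sealed for modifying X bit when NX is set" also needs to say whether the seal is applied automatically by the kernel or has to be requested by the caller, since a reader cannot tell from that sentence which it is. Beyond the two fixes Randy already raised ("non-executable" in the title, "help applications in migrating"), "E.g, in VRP bug [1]" should read "e.g., in VRP bug [1]", "legit use" should be "legitimate use", and the citations [1], [2] and [3] need a matching references section in the same file, which the quoted portion of the hunk does not show.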