Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2276316imu; Sat, 10 Nov 2018 11:12:08 -0800 (PST) X-Google-Smtp-Source: AJdET5fxwtyzI+DVuECIbVoqvoaNNYhPCwaToqGZvVg0iubyIw5cSx9IF9N44paMrZIBK8It1JZi X-Received: by 2002:a63:2a4a:: with SMTP id q71mr11850515pgq.374.1541877128837; Sat, 10 Nov 2018 11:12:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541877128; cv=none; d=google.com; s=arc-20160816; b=r+85U1l5rIKdTevXiI5zziL7kVMGBQy93xRClk9j0VS+V5YAO7CL3wZEeTg4DGrymV inMhS2y8HjcW5e2gVo9i7+5t3KgSmqhjIxTYC7JuoS6wzR/u8dlRSWIzXdgutiL9OlAT DqbDCUig+TuwFEOfw/RFlo5h+pmQD2k1eMG3ZWaN6h4eTSZzt/a+CYw/DUG3Hht6+W7P 4MvxQS4pyBvCa0XEQKwxkLBr9riuIXr2jYpvIzWSlvaCqYQYE6Svg9dF6dYm+K0xbbmD ogYrBqYw+7igItMQ6IkEKTPcM60y9UUzu/qD+g5RK2CMus0txnemYuEJgw6U0wS+U7U3 iIYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:references:in-reply-to:mime-version :dkim-signature; bh=Yeq/3KCeKHkOXPSQyNrlc76coOe7+QgcJXRCBcp7UYE=; b=xeHdjYS1/XV4C//wwacBXS+91X6fdRSgCNRWxp5r/bCY8CBGPXRWIGqaJfNaWQxwy8 UGL5F/2UNYFCkhVTvROWUrpkXpeCO0Yd/UYLl3adYIgiznFT9o0gXxCfx1xVaFOaxikt zrgVbLuCB6gEmwTCrmkbSrA+l6ETVEBkmOhodAtIxjnNBwxSBHeu+zfBJwL/KD+b6gdI Z3a3XGz3TLzVpSQO334j2RcuLrLBNbfPlc4WhO9A9HySkh5wlhAC+ti0GtA05VlhHWCu GJe5Ee65CJf/cYAn7I5vVXsigcoaqxNK0KR6YX2kfPpRppK3gO7DUhvkOcb8bgtAKQSg Gtmg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=CuSWvEjx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p23si10133616pgk.312.2018.11.10.11.11.51; Sat, 10 Nov 2018 11:12:08 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=CuSWvEjx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726822AbeKKE5a (ORCPT + 99 others); Sat, 10 Nov 2018 23:57:30 -0500 Received: from mail-vk1-f194.google.com ([209.85.221.194]:40038 "EHLO mail-vk1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726495AbeKKE5a (ORCPT ); Sat, 10 Nov 2018 23:57:30 -0500 Received: by mail-vk1-f194.google.com with SMTP id v70so1154813vkv.7 for ; Sat, 10 Nov 2018 11:11:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Yeq/3KCeKHkOXPSQyNrlc76coOe7+QgcJXRCBcp7UYE=; b=CuSWvEjxJ1scY9oh9SSU40Iyn/7q9o1mWLEYcde2+a75OcpvkRy6U5FXvYvQpZur7d 6+Kctxkbvv5fn2Q1wsViuqWvQdGMImmC+GXsI4+m6jEdppB9BpifNaRAp2iKrcCmL5U8 cKLyVNhnBkAs15nCNa2Su1OkXoYcdU3/uoP4156D94TKaa+HoMpdOUBHT1FSXPumSSt3 wPK0AfHG5njD+XWeGXjnnVAI0dnNpC/Jf2aO+iJdm6CbN9LTYPgMm4hJITbQZLESey+P 6jHkAyQrq53wW92RmfNf2JlB8ybXmn80uumpNzM5Ss7aqBSZ2mqTbsa7BgrlwYtCl95k Gt2w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Yeq/3KCeKHkOXPSQyNrlc76coOe7+QgcJXRCBcp7UYE=; b=n9zVd8pvlGX48KF2cEJ6zRRc/MBuNEQD5bL5EDh15nPsmzjgYj5uXgLXRxHATKfsHG atXCiFX1DTJ9aOIpA/jOwUwRUIOp2+zW/ckgTxo2OZ7vlLkwwxPtf3+KIb7Jkhn10lG2 pfSwXPaW/1fLfWwR21YztLxp/lLI/JXJJ2nBwIFX/sKlaBeBxMIYAO8cpoB8OTAxLhFB MQZvEUfFfv1deCiyuo+eyD0LbOCPXfNY+uMFMlvTOqPCwxVOJ5RN2Z/GiIoGIJG7jAXb 3K0IslecF8RnpY72U+/JSrBEmFDhE7ua3JjFEX71t+DD7icIh2D9OAv35D2wqyTLF1zG j7gw== X-Gm-Message-State: AGRZ1gJwRv3RpKt0FQY77pTQvklegvsKSFiCiE7Ue5VU6LLis6lBq7Ue /83eQOlc6GXMha1XV32cgKTTlEQ/Td8ZmGYFx2IphA== X-Received: by 2002:a1f:a04b:: with SMTP id j72mr5760277vke.51.1541877088083; Sat, 10 Nov 2018 11:11:28 -0800 (PST) MIME-Version: 1.0 Received: by 2002:a67:f48d:0:0:0:0:0 with HTTP; Sat, 10 Nov 2018 11:11:27 -0800 (PST) In-Reply-To: References: <20181108041537.39694-1-joel@joelfernandes.org> <20181110032005.GA22238@google.com> <69CE06CC-E47C-4992-848A-66EB23EE6C74@amacapital.net> <20181110182405.GB242356@google.com> From: Daniel Colascione Date: Sat, 10 Nov 2018 11:11:27 -0800 Message-ID: Subject: Re: [PATCH v3 resend 1/2] mm: Add an F_SEAL_FUTURE_WRITE seal to memfd To: Joel Fernandes Cc: Andy Lutomirski , Jann Horn , kernel list , John Reck , John Stultz , Todd Kjos , Greg Kroah-Hartman , Christoph Hellwig , Al Viro , Andrew Morton , Bruce Fields , Jeff Layton , Khalid Aziz , Lei.Yang@windriver.com, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, Linux-MM , marcandre.lureau@redhat.com, Mike Kravetz , Minchan Kim , Shuah Khan , Valdis Kletnieks , Hugh Dickins , Linux API Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Nov 10, 2018 at 10:45 AM, Daniel Colascione wro= te: > On Sat, Nov 10, 2018 at 10:24 AM, Joel Fernandes = wrote: >> Thanks Andy for your thoughts, my comments below: [snip] >> I don't see it as warty, different seals will work differently. It works >> quite well for our usecase, and since Linux is all about solving real >> problems in the real work, it would be useful to have it. >> >>> - causes a probably-observable effect in the file mode in F_GETFL. >> >> Wouldn't that be the right thing to observe anyway? >> >>> - causes reopen to fail. >> >> So this concern isn't true anymore if we make reopen fail only for WRITE >> opens as Daniel suggested. I will make this change so that the security = fix >> is a clean one. >> >>> - does *not* affect other struct files that may already exist on the sa= me inode. >> >> TBH if you really want to block all writes to the file, then you want >> F_SEAL_WRITE, not this seal. The usecase we have is the fd is sent over = IPC >> to another process and we want to prevent any new writes in the receiver >> side. There is no way this other receiving process can have an existing = fd >> unless it was already sent one without the seal applied. The proposed s= eal >> could be renamed to F_SEAL_FD_WRITE if that is preferred. >> >>> - mysteriously malfunctions if you try to set it again on another struc= t >>> file that already exists >>> >> >> I didn't follow this, could you explain more? >> >>> - probably is insecure when used on hugetlbfs. >> >> The usecase is not expected to prevent all writes, indeed the usecase >> requires existing mmaps to continue to be able to write into the memory = map. >> So would you call that a security issue too? The use of the seal wants t= o >> allow existing mmap regions to be continue to be written into (I mention= ed >> more details in the cover letter). >> >>> I see two reasonable solutions: >>> >>> 1. Don=E2=80=99t fiddle with the struct file at all. Instead make the i= node flag >>> work by itself. >> >> Currently, the various VFS paths check only the struct file's f_mode to = deny >> writes of already opened files. This would mean more checking in all tho= se >> paths (and modification of all those paths). >> >> Anyway going with that idea, we could >> 1. call deny_write_access(file) from the memfd's seal path which decreme= nts >> the inode::i_writecount. >> 2. call get_write_access(inode) in the various VFS paths in addition to >> checking for FMODE_*WRITE and deny the write (incase i_writecount is neg= ative) >> >> That will prevent both reopens, and writes from succeeding. However I wo= rry a >> bit about 2 not being too familiar with VFS internals, about what the >> consequences of doing that may be. > > IMHO, modifying both the inode and the struct file separately is fine, > since they mean different things. In regular filesystems, it's fine to > have a read-write open file description for a file whose inode grants > write permission to nobody. Speaking of which: is fchmod enough to > prevent this attack? Well, yes and no. fchmod does prevent reopening the file RW, but anyone with permissions (owner, CAP_FOWNER) can just fchmod it back. A seal is supposed to be irrevocable, so fchmod-as-inode-seal probably isn't sufficient by itself. While it might be good enough for Android (in the sense that it'll prevent RW-reopens from other security contexts to which we send an open memfd file), it's still conceptually ugly, IMHO. Let's go with the original approach of just tweaking the inode so that open-for-write is permanently blocked.