Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2409769imu; Sat, 10 Nov 2018 14:19:11 -0800 (PST) X-Google-Smtp-Source: AJdET5eI0jXM7pw1En04ZWg0N81u+23fFezUmDFRNZzvVkJ6yCr6SulKrRPgOE5y6Ii9uBRkp6tB X-Received: by 2002:a63:4d0e:: with SMTP id a14mr9456058pgb.408.1541888351509; Sat, 10 Nov 2018 14:19:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541888351; cv=none; d=google.com; s=arc-20160816; b=sZJMilyDzVejFX9/I8rze66wUKcva/fA9bZlzeUHRVu0F3EgU40xZXUEsHagUHEj48 81wBtNKhwN/zu+RY6uJqvuIQPC1aj3ZqIIyTT7fFCh+1SX08ugjQ8OYddxxWRFWcxcMZ ffGdG2mt4Wdue9u9MZdNx53xYGwRnr0B9pskBIXiIBj6wBElvb0gXNPRJzu7BTVCMuEP 9Y8NFVDsGQ0JSTEUUU3BZWzielQ95kBwAGsXy4k06Cc0wSRWJVLd9rKeyt3F/ULVuTeT GzkS+UJaaThZP/pF43Frb+INaP4Z73aYuqc5aBQZN85aukyR713+swBljuGaDRBBYZHF XQ8w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature; bh=9GzphvJPW1JnyRu55nDmjpSF6NSlVR6hVgi4w1oviHM=; b=cT36qsWe0y7IpWJAFORo/BiByBujYx5v0jdFvh/uBaujzRobstU5b/fbhsQAiG4nDg 1TkxcFXhdRs6g/k/6m4UiAoQxDw3xvgg5CCqcuYIacpEdjH5ujpjvb6E5Jgv9vJ2HvHU tHxJFMfZx54430wm1Xz6VYS7yWTAnQ6sfy5WNLE9n2BbYXds9VJHG+YCpZNIiHUhhzk1 e/KZfOzckTjCfnxBKXTz0ZskeQ+PAkj4M+1pgliK2pRwPgdaN28EyIB1/DEZTEqv4KB2 cw7WGYSR4+DpuJxn51BeQlpwvew9HrdCYjlb1FO1zv+OebBFTDp+sE9cd97SyHUatg5x DHeA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=fokeO0Kj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v67-v6si9326764pfv.181.2018.11.10.14.18.51; Sat, 10 Nov 2018 14:19:11 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=fokeO0Kj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726360AbeKKIFA (ORCPT + 99 others); Sun, 11 Nov 2018 03:05:00 -0500 Received: from mail-pl1-f195.google.com ([209.85.214.195]:42942 "EHLO mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725778AbeKKIFA (ORCPT ); Sun, 11 Nov 2018 03:05:00 -0500 Received: by mail-pl1-f195.google.com with SMTP id t6-v6so2505015plo.9 for ; Sat, 10 Nov 2018 14:18:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=9GzphvJPW1JnyRu55nDmjpSF6NSlVR6hVgi4w1oviHM=; b=fokeO0Kj29aVHHpiIfavY+cV2LsK7cP9WfSpGlTkZD1Xt8G8NToz5/3yQdxi8X6Q8C OWXHGnvpvtJEPFOj/tr218JlwIEtgwS43FG/WCGrj/Ni6c/KMtbbwlkqACVgkDu6X1pq /0LirkqYbbaybLyRCgMoI11d4gBkKfMcwDUBvp1XE288UcupEizrf6arRweqlS5W+9Uk AanPHfV+Gr5VhLUxFQxdMfHuHW2SiOL5S+g4/tkOeeIZ2ndmfDiMWqGnUDpmZszCW8aU vYDTRv5m+RGiFM5f4kfshwpeqE3PG22Gonu9tFa3qKOe0VgdbLgz2dU02OvxkPqBz0Pt svLQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=9GzphvJPW1JnyRu55nDmjpSF6NSlVR6hVgi4w1oviHM=; b=I4mO50ANyv1Ci9fwZOk0TlUlmhCrqMw/3XHCuovBJSOE+t7k2dvPEDCT/Q1FLsiYa9 GmteKF5Mz/QTOYyQWEjsPk/jUBOE01SFCgLpOjLzhKWkLmITBv0nnLD8nA75b79KDZh8 qoxqXs1d4sPIwabA3UqT8kq1tQ02g6D1lotODVplV4ieLUbkUFOr+poij4BvHzmdhT9V mOXXPOMwieAwlKkWt0ZPkvHrx/sfg5YymnEvjNafdTXvx8RvwF8gp5Z+JEsNOiRrngi5 zmRDweEPuuDYwsOE2yxsPHB7SRqhJquBfcnE3VCvCeMCxmkqozNAf2U5ziXqZOZSR5SK dwqg== X-Gm-Message-State: AGRZ1gLGgsJyEQDUuvUce05o6wymyE+4Ldm5ttab6jK1B96YoM6RZ/Zb bjVHjnUOny0ZtvLB2AP8cXEl9w== X-Received: by 2002:a17:902:3181:: with SMTP id x1-v6mr14158174plb.240.1541888308122; Sat, 10 Nov 2018 14:18:28 -0800 (PST) Received: from ?IPv6:2600:1010:b014:dd5:5d31:b51f:b663:9c04? ([2600:1010:b014:dd5:5d31:b51f:b663:9c04]) by smtp.gmail.com with ESMTPSA id 7-v6sm9701667pgk.31.2018.11.10.14.18.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 10 Nov 2018 14:18:26 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) Subject: Re: [PATCH v3 resend 1/2] mm: Add an F_SEAL_FUTURE_WRITE seal to memfd From: Andy Lutomirski X-Mailer: iPhone Mail (16A404) In-Reply-To: <20181110220933.GB96924@google.com> Date: Sat, 10 Nov 2018 14:18:23 -0800 Cc: Daniel Colascione , Jann Horn , kernel list , John Reck , John Stultz , Todd Kjos , Greg Kroah-Hartman , Christoph Hellwig , Al Viro , Andrew Morton , Bruce Fields , Jeff Layton , Khalid Aziz , Lei.Yang@windriver.com, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, Linux-MM , marcandre.lureau@redhat.com, Mike Kravetz , Minchan Kim , Shuah Khan , Valdis Kletnieks , Hugh Dickins , Linux API Content-Transfer-Encoding: quoted-printable Message-Id: <907D942E-E321-4BD7-BED7-ACD1D96A3643@amacapital.net> References: <20181108041537.39694-1-joel@joelfernandes.org> <20181110032005.GA22238@google.com> <69CE06CC-E47C-4992-848A-66EB23EE6C74@amacapital.net> <20181110182405.GB242356@google.com> <20181110220933.GB96924@google.com> To: Joel Fernandes Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Nov 10, 2018, at 2:09 PM, Joel Fernandes wrote= : >=20 >> On Sat, Nov 10, 2018 at 11:11:27AM -0800, Daniel Colascione wrote: >>> On Sat, Nov 10, 2018 at 10:45 AM, Daniel Colascione w= rote: >>>> On Sat, Nov 10, 2018 at 10:24 AM, Joel Fernandes wrote: >>>> Thanks Andy for your thoughts, my comments below: >> [snip] >>>> I don't see it as warty, different seals will work differently. It work= s >>>> quite well for our usecase, and since Linux is all about solving real >>>> problems in the real work, it would be useful to have it. >>>>=20 >>>>> - causes a probably-observable effect in the file mode in F_GETFL. >>>>=20 >>>> Wouldn't that be the right thing to observe anyway? >>>>=20 >>>>> - causes reopen to fail. >>>>=20 >>>> So this concern isn't true anymore if we make reopen fail only for WRIT= E >>>> opens as Daniel suggested. I will make this change so that the security= fix >>>> is a clean one. >>>>=20 >>>>> - does *not* affect other struct files that may already exist on the s= ame inode. >>>>=20 >>>> TBH if you really want to block all writes to the file, then you want >>>> F_SEAL_WRITE, not this seal. The usecase we have is the fd is sent over= IPC >>>> to another process and we want to prevent any new writes in the receive= r >>>> side. There is no way this other receiving process can have an existing= fd >>>> unless it was already sent one without the seal applied. The proposed s= eal >>>> could be renamed to F_SEAL_FD_WRITE if that is preferred. >>>>=20 >>>>> - mysteriously malfunctions if you try to set it again on another stru= ct >>>>> file that already exists >>>>>=20 >>>>=20 >>>> I didn't follow this, could you explain more? >>>>=20 >>>>> - probably is insecure when used on hugetlbfs. >>>>=20 >>>> The usecase is not expected to prevent all writes, indeed the usecase >>>> requires existing mmaps to continue to be able to write into the memory= map. >>>> So would you call that a security issue too? The use of the seal wants t= o >>>> allow existing mmap regions to be continue to be written into (I mentio= ned >>>> more details in the cover letter). >>>>=20 >>>>> I see two reasonable solutions: >>>>>=20 >>>>> 1. Don=E2=80=99t fiddle with the struct file at all. Instead make the i= node flag >>>>> work by itself. >>>>=20 >>>> Currently, the various VFS paths check only the struct file's f_mode to= deny >>>> writes of already opened files. This would mean more checking in all th= ose >>>> paths (and modification of all those paths). >>>>=20 >>>> Anyway going with that idea, we could >>>> 1. call deny_write_access(file) from the memfd's seal path which decrem= ents >>>> the inode::i_writecount. >>>> 2. call get_write_access(inode) in the various VFS paths in addition to= >>>> checking for FMODE_*WRITE and deny the write (incase i_writecount is ne= gative) >>>>=20 >>>> That will prevent both reopens, and writes from succeeding. However I w= orry a >>>> bit about 2 not being too familiar with VFS internals, about what the >>>> consequences of doing that may be. >>>=20 >>> IMHO, modifying both the inode and the struct file separately is fine, >>> since they mean different things. In regular filesystems, it's fine to >>> have a read-write open file description for a file whose inode grants >>> write permission to nobody. Speaking of which: is fchmod enough to >>> prevent this attack? >>=20 >> Well, yes and no. fchmod does prevent reopening the file RW, but >> anyone with permissions (owner, CAP_FOWNER) can just fchmod it back. A >> seal is supposed to be irrevocable, so fchmod-as-inode-seal probably >> isn't sufficient by itself. While it might be good enough for Android >> (in the sense that it'll prevent RW-reopens from other security >> contexts to which we send an open memfd file), it's still conceptually >> ugly, IMHO. Let's go with the original approach of just tweaking the >> inode so that open-for-write is permanently blocked. >=20 > Agreed with the idea of modifying both file and inode flags. I was thinkin= g > modifying i_mode may do the trick but as you pointed it probably could be > reverted by chmod or some other attribute setting calls. >=20 > OTOH, I don't think deny_write_access(file) can be reverted from any > user-facing path so we could do that from the seal to prevent the future > opens in write mode. I'll double check and test that out tomorrow. >=20 >=20 This seems considerably more complicated and more fragile than needed. Just a= dd a new F_SEAL_WRITE_FUTURE. Grep for F_SEAL_WRITE and make the _FUTURE va= riant work exactly like it with two exceptions: - shmem_mmap and maybe its hugetlbfs equivalent should check for it and act a= ccordingly. - add_seals won=E2=80=99t need the wait_for_pins and mapping_deny_write logi= c. That really should be all that=E2=80=99s needed.=