Received: by 2002:a05:6a10:c604:0:0:0:0 with SMTP id y4csp499153pxt; Thu, 12 Aug 2021 03:29:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxp4BRFV3S9lULYJZz3bOzE+aR3UrabgvSvZ+xSwPIIj69L2UrKAyugkF9GL2Vfqzf/cYO1 X-Received: by 2002:a05:6402:10d9:: with SMTP id p25mr4470133edu.51.1628764169313; Thu, 12 Aug 2021 03:29:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628764169; cv=none; d=google.com; s=arc-20160816; b=Px/iPuHwiX/RbqJUO3N+mVB0C5TrzosMhcLDJcuC935WvARbIOdo/8M3hhiJvpaBUi Iy2kmcX14QQokIHICvYjcpV2VT53qVx9a6XNfiqWdhI1gdLgNIvx4CLfaeCrJhLbCtmx v/HJR1ZgaVDkyhpq+Xx4qJyskdnrHJ4EzFnSayYz+GVSXTEW8HA/94bXupj+3qAx8WJu 28C6i4c0uNAU1EfqHwkX0BPpFWkqHBtlxUti+Fb5JDJRV4N6JHM4HFyVl6iF3hfP0qKi SUxig2Dy/2Jems9uq/kSfi8EcbgiKFmVulkIAAoPIFu6/rcAS34qEjEmNUrx87JG5q6x DaBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:organization :from:references:cc:to:subject:dkim-signature; bh=J8fNLHegk5RzvmFVmibZ710pAngI+WF9X5zWgbKhZ8g=; b=Duuffjzy9RMQr6o17MKB+Pde3z1vfja9s408v4A+STcV+EBy/6VMTT9g5S/MVbz0OZ tmV8J6DvbtcpGt2Dseo5OUxaBxQvA+eeVZHQXoK81lsmeVePN3sNb1FnIVTyVGWrFGCX k7O7/WQNq6h55jG7fU3PdOfIrpyvbq4FcFu7ZuZLKPts9gPcLQQHEt93tWkNuTfEA93I 0trCnCQO6STybBBfe2X+mtodLKO/Y5Jg6yc3zZRGvFcNFcen7G7PHh/vrXDxusThZ2V5 FcIo/JzuEPM2IFyR3/5XK8KN6Oo+0UAo0JoZP0NyL4ecniw/5Dvy3FXmTGWYfifiPwxc UQKg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=TJwEb5GG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c21si71682edr.52.2021.08.12.03.29.05; Thu, 12 Aug 2021 03:29:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=TJwEb5GG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236557AbhHLKOT (ORCPT + 99 others); Thu, 12 Aug 2021 06:14:19 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:21153 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236426AbhHLKOP (ORCPT ); Thu, 12 Aug 2021 06:14:15 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1628763229; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=J8fNLHegk5RzvmFVmibZ710pAngI+WF9X5zWgbKhZ8g=; b=TJwEb5GGr6u2YYcI3F2FXTd1YoDeBbXngd0o7bYp379yNm5huhyHAJEnmEZ+IN3Cz/uek4 lwoVrf3TML2aOccac8WuSm0TEnurIoVeIicq5agtFd+xwXc6JJKO7miayB6D7hdUHGKQ/v UpDDQNLx5RfLWi9JahJDe1x2YEm+OLA= Received: from mail-wm1-f72.google.com (mail-wm1-f72.google.com [209.85.128.72]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-85-rTaXK69gOWqZN3sVKMoaqg-1; Thu, 12 Aug 2021 06:13:48 -0400 X-MC-Unique: rTaXK69gOWqZN3sVKMoaqg-1 Received: by mail-wm1-f72.google.com with SMTP id l19-20020a05600c4f13b029025b036c91c6so1683275wmq.2 for ; Thu, 12 Aug 2021 03:13:48 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=J8fNLHegk5RzvmFVmibZ710pAngI+WF9X5zWgbKhZ8g=; b=c3zaF5NZU4IM89w1OtWhCmct/m+K67zycBc3O/p+RlguOF36cPlYzabPSe6dDaMSsA F4NHf3h0tbtJ9r5WWLAf+2G0KTrf/1TLZ4g/SNTJfoI0nk5dZJ3kGuQtUhWv7T7ylgmJ y97uAA64EgqXM6J51rQVUxNXnX4rYBRQd5FhTy36b4HSqF87Skw0dj/z4M72ML6KCNq8 oigZOU4ZxDXxekcujpIp0p6nTaYnjIJaHmUiIWRoU6xhIYCsKDtPJ8v7Lw7N1pHJhyT+ MjfLaugdbuPTY5N2T/dEaunIcJxUm2ElYzptZyxquIrr+di7Hy9dZ8FFfNjgU3kBY0ag KYgQ== X-Gm-Message-State: AOAM531dotIFKFgFCnE5NLgeAy2LOYnwVS4XUMirHFhkXstYmEDhNtX9 uWbEf5mi/a4r/9UKQmkoag54I7IEA6JKPyAcOUssMnZ3GI9dKsbSiXsX+LcjhxJPqN3Q85c6P3M jJYZuFfVvMZ+qi4QfkRDsE2mp X-Received: by 2002:a05:600c:4f85:: with SMTP id n5mr3185717wmq.146.1628763227424; Thu, 12 Aug 2021 03:13:47 -0700 (PDT) X-Received: by 2002:a05:600c:4f85:: with SMTP id n5mr3185661wmq.146.1628763227156; Thu, 12 Aug 2021 03:13:47 -0700 (PDT) Received: from [192.168.3.132] (p4ff23d8b.dip0.t-ipconnect.de. [79.242.61.139]) by smtp.gmail.com with ESMTPSA id d15sm2768384wri.96.2021.08.12.03.13.44 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 12 Aug 2021 03:13:46 -0700 (PDT) Subject: Re: [PATCH v1 3/7] kernel/fork: always deny write access to current MM exe_file To: Christian Brauner Cc: linux-kernel@vger.kernel.org, Linus Torvalds , Andrew Morton , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , Alexander Viro , Alexey Dobriyan , Steven Rostedt , Peter Zijlstra , Arnaldo Carvalho de Melo , Mark Rutland , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Petr Mladek , Sergey Senozhatsky , Andy Shevchenko , Rasmus Villemoes , Kees Cook , "Eric W. Biederman" , Greg Ungerer , Geert Uytterhoeven , Mike Rapoport , Vlastimil Babka , Vincenzo Frascino , Chinwen Chang , Michel Lespinasse , Catalin Marinas , "Matthew Wilcox (Oracle)" , Huang Ying , Jann Horn , Feng Tang , Kevin Brodsky , Michael Ellerman , Shawn Anastasio , Steven Price , Nicholas Piggin , Jens Axboe , Gabriel Krisman Bertazi , Peter Xu , Suren Baghdasaryan , Shakeel Butt , Marco Elver , Daniel Jordan , Nicolas Viennot , Thomas Cedeno , Collin Fijalkovich , Michal Hocko , Miklos Szeredi , Chengguang Xu , =?UTF-8?Q?Christian_K=c3=b6nig?= , linux-unionfs@vger.kernel.org, linux-api@vger.kernel.org, x86@kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, Andrei Vagin References: <20210812084348.6521-1-david@redhat.com> <20210812084348.6521-4-david@redhat.com> <20210812100544.uhsfp75b4jcrv3qx@wittgenstein> From: David Hildenbrand Organization: Red Hat Message-ID: <1b6d27cf-2238-0c1c-c563-b38728fbabc2@redhat.com> Date: Thu, 12 Aug 2021 12:13:44 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: <20210812100544.uhsfp75b4jcrv3qx@wittgenstein> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12.08.21 12:05, Christian Brauner wrote: > [+Cc Andrei] > > On Thu, Aug 12, 2021 at 10:43:44AM +0200, David Hildenbrand wrote: >> We want to remove VM_DENYWRITE only currently only used when mapping the >> executable during exec. During exec, we already deny_write_access() the >> executable, however, after exec completes the VMAs mapped >> with VM_DENYWRITE effectively keeps write access denied via >> deny_write_access(). >> >> Let's deny write access when setting the MM exe_file. With this change, we >> can remove VM_DENYWRITE for mapping executables. >> >> This represents a minor user space visible change: >> sys_prctl(PR_SET_MM_EXE_FILE) can now fail if the file is already >> opened writable. Also, after sys_prctl(PR_SET_MM_EXE_FILE), the file > > Just for completeness, this also affects PR_SET_MM_MAP when exe_fd is > set. Correct. > >> cannot be opened writable. Note that we can already fail with -EACCES if >> the file doesn't have execute permissions. >> >> Signed-off-by: David Hildenbrand >> --- > > The biggest user I know and that I'm involved in is CRIU which heavily > uses PR_SET_MM_MAP (with a fallback to PR_SET_MM_EXE_FILE on older > kernels) during restore. Afair, criu opens the exe fd as an O_PATH > during dump and thus will use the same flag during restore when > opening it. So that should be fine. Yes. > > However, if I understand the consequences of this change correctly, a > problem could be restoring workloads that hold a writable fd open to > their exe file at dump time which would mean that during restore that fd > would be reopened writable causing CRIU to fail when setting the exe > file for the task to be restored. If it's their exe file, then the existing VM_DENYWRITE handling would have forbidden these workloads to open the fd of their exe file writable, right? At least before doing any PR_SET_MM_MAP/PR_SET_MM_EXE_FILE. But that should rule out quite a lot of cases we might be worried about, right? > > Which honestly, no idea how many such workloads exist. (I know at least > of runC and LXC need to sometimes reopen to rexec themselves (weird bug > to protect against attacking the exe file) and thus re-open > /proc/self/exe but read-only.) > >> kernel/fork.c | 39 ++++++++++++++++++++++++++++++++++----- >> 1 file changed, 34 insertions(+), 5 deletions(-) >> >> diff --git a/kernel/fork.c b/kernel/fork.c >> index 6bd2e52bcdfb..5d904878f19b 100644 >> --- a/kernel/fork.c >> +++ b/kernel/fork.c >> @@ -476,6 +476,7 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, >> { >> struct vm_area_struct *mpnt, *tmp, *prev, **pprev; >> struct rb_node **rb_link, *rb_parent; >> + struct file *exe_file; >> int retval; >> unsigned long charge; >> LIST_HEAD(uf); >> @@ -493,7 +494,10 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, >> mmap_write_lock_nested(mm, SINGLE_DEPTH_NESTING); >> >> /* No ordering required: file already has been exposed. */ >> - RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm)); >> + exe_file = get_mm_exe_file(oldmm); >> + RCU_INIT_POINTER(mm->exe_file, exe_file); >> + if (exe_file) >> + deny_write_access(exe_file); >> >> mm->total_vm = oldmm->total_vm; >> mm->data_vm = oldmm->data_vm; >> @@ -638,8 +642,13 @@ static inline void mm_free_pgd(struct mm_struct *mm) >> #else >> static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) >> { >> + struct file *exe_file; >> + >> mmap_write_lock(oldmm); >> - RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm)); >> + exe_file = get_mm_exe_file(oldmm); >> + RCU_INIT_POINTER(mm->exe_file, exe_file); >> + if (exe_file) >> + deny_write_access(exe_file); >> mmap_write_unlock(oldmm); >> return 0; >> } >> @@ -1163,11 +1172,19 @@ void set_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file) >> */ >> old_exe_file = rcu_dereference_raw(mm->exe_file); >> >> - if (new_exe_file) >> + if (new_exe_file) { >> get_file(new_exe_file); >> + /* >> + * exec code is required to deny_write_access() successfully, >> + * so this cannot fail >> + */ >> + deny_write_access(new_exe_file); >> + } >> rcu_assign_pointer(mm->exe_file, new_exe_file); >> - if (old_exe_file) >> + if (old_exe_file) { >> + allow_write_access(old_exe_file); >> fput(old_exe_file); >> + } >> } >> >> int atomic_set_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file) >> @@ -1194,10 +1211,22 @@ int atomic_set_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file) >> } >> >> /* set the new file, lockless */ >> + ret = deny_write_access(new_exe_file); >> + if (ret) >> + return -EACCES; >> get_file(new_exe_file); >> + >> old_exe_file = xchg(&mm->exe_file, new_exe_file); >> - if (old_exe_file) >> + if (old_exe_file) { >> + /* >> + * Don't race with dup_mmap() getting the file and disallowing >> + * write access while someone might open the file writable. >> + */ >> + mmap_read_lock(mm); >> + allow_write_access(old_exe_file); >> fput(old_exe_file); >> + mmap_read_unlock(mm); >> + } >> return 0; >> } >> >> -- >> 2.31.1 >> > -- Thanks, David / dhildenb