Subject: [PATCH v2 0/5] mm/memfd: MFD_NOEXEC for memfd_create
From: Jeff Xu <jeffxu@google.com>
To: skhan@linuxfoundation.org
Cc: akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com
Date: Fri, 5 Aug 2022 22:21:21 +0000
Message-Id: <20220805222126.142525-1-jeffxu@google.com>
List-ID: linux-kernel@vger.kernel.org

Hi,

This is v2 of the MFD_NOEXEC series; it includes:

1> address comments in v1
2> add sysctl (vm.mfd_noexec) to change the default file permissions of memfd_create to be non-executable.

Below is the cover letter from v1:

The default file permissions on a memfd include execute bits, which means that such a memfd can be filled with an executable and passed to the exec() family of functions. This is undesirable on systems where all code is verified and all filesystems are intended to be mounted noexec, since an attacker may be able to use a memfd to load unverified code and execute it. Additionally, execution via memfd is a common way to avoid scrutiny for malicious code, since it allows execution of a program without a file ever appearing on disk.

This attack vector is not totally mitigated with this new flag, since the default memfd file permissions must remain executable to avoid breaking existing legitimate uses, but it should be possible to use other security mechanisms to prevent memfd_create calls without MFD_NOEXEC on systems where it is known that executable memfds are not necessary.

This patch series adds a new MFD_NOEXEC flag for memfd_create(), which allows creation of non-executable memfds, and as part of the implementation of this new flag, it also adds a new F_SEAL_EXEC seal, which will prevent modification of any of the execute bits of a sealed memfd.

I am not sure if this is the best way to implement the desired behavior (for example, the F_SEAL_EXEC seal is really more of an implementation detail and feels a bit clunky to expose), so suggestions are welcome for alternate approaches.

v1: https://lwn.net/Articles/890096/

Daniel Verkamp (4):
  mm/memfd: add F_SEAL_EXEC
  mm/memfd: add MFD_NOEXEC flag to memfd_create
  selftests/memfd: add tests for F_SEAL_EXEC
  selftests/memfd: add tests for MFD_NOEXEC

Jeff Xu (1):
  sysctl: add support for mfd_noexec

 include/linux/mm.h                         |   4 +
 include/uapi/linux/fcntl.h                 |   1 +
 include/uapi/linux/memfd.h                 |   1 +
 kernel/sysctl.c                            |   9 ++
 mm/memfd.c                                 |  39 ++++-
 mm/shmem.c                                 |   6 +
 tools/testing/selftests/memfd/memfd_test.c | 163 ++++++++++++++-
 7 files changed, 221 insertions(+), 2 deletions(-)


base-commit: 9e2f40233670c70c25e0681cb66d50d1e2742829
-- 
2.37.1.559.g78731f0fdb-goog
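As an added example (not code from this series, its selftests, or the kernel), the probe below shows from user space what the cover letter describes: a default memfd comes back with all execute bits set (mode 0777), so it can be handed to fexecve(); a memfd created with the no-exec flag has no execute bits; and once F_SEAL_EXEC is applied, an fchmod() that flips execute bits is refused with EPERM. It uses the names and values the series was later merged under (MFD_NOEXEC_SEAL in include/uapi/linux/memfd.h and F_SEAL_EXEC in include/uapi/linux/fcntl.h, Linux 6.3); the fallback #defines are an assumption for building against older headers, and on a kernel without the feature memfd_create() and F_ADD_SEALS reject the unknown bits with EINVAL, which the code reports rather than treats as success.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Values as merged upstream (Linux 6.3); the series' MFD_NOEXEC became
 * MFD_NOEXEC_SEAL. Assumed fallbacks for headers that predate them: an older
 * kernel rejects the unknown bits with EINVAL, which the probes surface. */
#ifndef MFD_NOEXEC_SEAL
#define MFD_NOEXEC_SEAL 0x0008U
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

/* Create a memfd with MFD_CLOEXEC plus `extra_flags` and report its execute
 * bits (st_mode & 0111). Returns -1 with errno set if memfd_create() rejects
 * the flags, e.g. on a kernel without the no-exec flag. */
int memfd_exec_bits(unsigned int extra_flags)
{
    int fd = memfd_create("probe", MFD_CLOEXEC | extra_flags);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 0111);
}

/* 1 if a memfd created with the no-exec flag has no execute bits,
 * 0 if the flag was accepted but exec bits remain, -1 (errno set) if the
 * kernel does not know the flag. */
int noexec_flag_honoured(void)
{
    int bits = memfd_exec_bits(MFD_NOEXEC_SEAL);
    if (bits < 0)
        return -1;
    return bits == 0;
}

/* Apply F_SEAL_EXEC to a sealable memfd, then try to clear its execute bits
 * with fchmod(). Returns the errno fchmod() fails with (EPERM when the seal is
 * enforced), 0 if the chmod went through (seal not enforced), or -1 with errno
 * set if F_ADD_SEALS rejects the seal (EINVAL on a kernel without it). */
int exec_seal_blocks_chmod(void)
{
    int fd = memfd_create("sealed", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_EXEC) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    /* 0600 flips the exec bits a default memfd starts with (0777). */
    int rc = fchmod(fd, 0600);
    int result = rc == 0 ? 0 : errno;
    close(fd);
    return result;
}

int main(void)
{
    int bits = memfd_exec_bits(0);
    printf("default memfd exec bits: %s\n",
           bits < 0 ? strerror(errno) : (bits ? "set (executable)" : "clear"));

    int honoured = noexec_flag_honoured();
    if (honoured < 0)
        printf("MFD_NOEXEC_SEAL: not supported (%s)\n", strerror(errno));
    else
        printf("MFD_NOEXEC_SEAL memfd exec bits: %s\n", honoured ? "clear" : "set");

    int r = exec_seal_blocks_chmod();
    if (r < 0)
        printf("F_SEAL_EXEC: not supported (%s)\n", strerror(errno));
    else if (r == EPERM)
        printf("F_SEAL_EXEC: fchmod toggling exec bits rejected with EPERM\n");
    else
        printf("F_SEAL_EXEC: fchmod returned %d (%s)\n", r, r ? strerror(r) : "allowed");
    return 0;
}
```

Run it once on a kernel without the series and once with it: the first line is the same on both (default memfds are executable, which is why the cover letter says the flag alone does not close the vector), and the last two lines show where the flag and the seal change the outcome.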