Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp7124434rwb; Tue, 15 Nov 2022 08:01:10 -0800 (PST) X-Google-Smtp-Source: AA0mqf54m4xY5UnZYObK8rXFPDZUeZJMTbAFdiJhg467aTme/DjmzBM3IVo7faEmefkDGTx4gvkn X-Received: by 2002:a05:6402:1241:b0:461:e3e1:bc3b with SMTP id l1-20020a056402124100b00461e3e1bc3bmr15742987edw.145.1668528070314; Tue, 15 Nov 2022 08:01:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668528070; cv=none; d=google.com; s=arc-20160816; b=Jq6DZfl2G3XUHb8LsrIpMA0jasNISALru6Xl+Ri4EXCeTqAIL72UT3JZ9D4VkqBRnM +YqtNBrspLgS2zhQiJ5n0ihYuDyvRusT+qW5uvv1NOxry/ZR9Mv3jum2l1cXice4lKOI JNiT87WP0XyPhc5b0AhrjvwFXB4q5T4bueil2WGn6eYa3kDTtlfjb1kFXEa7RHD3G2kj +AIW8o38CyuTaDDCyw78rRot6PVt+iMWIx8vHecMHEHNklOuZjbPpXd4o/CPntoyCe3s ZyGB5z7NIKUqWVd/iNDkVdtUvlTmdpaQLHyjbY6V8ZJxh1kxb5dmpYtMnlhRCCFXFMtw fzZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=Tgopn8jksI6fF5SLzGkqPYuAPHjHaeD8b0wnpO+PN0E=; b=Y8uF0s9hbBzuG5IycoXS0bsI2fHbaYRR58T8r79wJe1bWXeEvuUqF1SZ10IXmgXjCO SCzoN029Gpu7zRZpik+Va+Widx3sYvU96lePvwxLgI0ZUq6ZIcmp5LTrm3TqC8iiW0Yk 6iacPjjJQBb0OrFCXyUS8aL1t42+XXGeIZ5orlPiaCY8OLr3KpXDK9VYe52JxuVAb9WE VjMlYu9duSyFTJqHowmdXi+wi2NJ2xLSEWL57jY58Wmi+WOX4+v6a2QbXJmseu20EV1B DOvC6qqKxbUspqPHou06lURJnW0rf029s371JWTvfaJEX3B7/pui3JQvJgTBrFZaiETU 9O/Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id sd31-20020a1709076e1f00b007ae1052554esi11487739ejc.898.2022.11.15.08.00.39; Tue, 15 Nov 2022 08:01:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238259AbiKOPgB (ORCPT + 90 others); Tue, 15 Nov 2022 10:36:01 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36896 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231473AbiKOPf7 (ORCPT ); Tue, 15 Nov 2022 10:35:59 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6D222E033 for ; Tue, 15 Nov 2022 07:35:58 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0A4AD61884 for ; Tue, 15 Nov 2022 15:35:58 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CDC18C433D6; Tue, 15 Nov 2022 15:35:53 +0000 (UTC) Date: Tue, 15 Nov 2022 15:35:49 +0000 From: Catalin Marinas To: Topi Miettinen Cc: Joey Gouly , Kees Cook , Andrew Morton , Lennart Poettering , Zbigniew =?utf-8?Q?J=C4=99drzejewski-Szmek?= , Alexander Viro , Szabolcs Nagy , Mark Brown , Jeremy Linton , linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-abi-devel@lists.sourceforge.net, nd@arm.com, shuah@kernel.org Subject: Re: [PATCH v1 1/2] mm: Implement memory-deny-write-execute as a prctl Message-ID: References: <20221026150457.36957-1-joey.gouly@arm.com> <20221026150457.36957-2-joey.gouly@arm.com> <202210281053.904BE2F@keescook> <20221110112714.GA1201@e124191.cambridge.arm.com> <45419a7d-04dd-2749-2534-6ba3bbd5d060@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <45419a7d-04dd-2749-2534-6ba3bbd5d060@gmail.com> X-Spam-Status: No, score=-6.7 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Nov 12, 2022 at 08:11:24AM +0200, Topi Miettinen wrote: > On 10.11.2022 14.03, Catalin Marinas wrote: > > On Thu, Nov 10, 2022 at 11:27:14AM +0000, Joey Gouly wrote: > > > On Fri, Oct 28, 2022 at 11:51:00AM -0700, Kees Cook wrote: > > > > On Wed, Oct 26, 2022 at 04:04:56PM +0100, Joey Gouly wrote: > > > > > diff --git a/mm/mmap.c b/mm/mmap.c > > > > > index 099468aee4d8..42eaf6683216 100644 > > > > > --- a/mm/mmap.c > > > > > +++ b/mm/mmap.c > > > > > @@ -1409,6 +1409,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr, > > > > > vm_flags |= VM_NORESERVE; > > > > > } > > > > > + if (map_deny_write_exec(NULL, vm_flags)) > > > > > + return -EACCES; > > > > > + > > > > > > > > This seems like the wrong place to do the check -- that the vma argument > > > > is a hard-coded "NULL" is evidence that something is wrong. Shouldn't > > > > it live in mmap_region()? What happens with MAP_FIXED, when there is > > > > an underlying vma? i.e. an MAP_FIXED will, I think, bypass the intended > > > > check. For example, we had "c" above: > > > > > > > > c) mmap(PROT_READ); > > > > mprotect(PROT_READ|PROT_EXEC); // fails > > > > > > > > But this would allow another case: > > > > > > > > e) addr = mmap(..., PROT_READ, ...); > > > > mmap(addr, ..., PROT_READ | PROT_EXEC, MAP_FIXED, ...); // passes > > > > > > I can move the check into mmap_region() but it won't fix the MAP_FIXED > > > example that you showed here. > > > > > > mmap_region() calls do_mas_munmap(..) which will unmap overlapping regions. > > > However the `vma` for the 'old' region is not kept around, and a new vma will > > > be allocated later on "vma = vm_area_alloc(mm);", and the vm_flags are just set > > > to what is passed into mmap_region(), so map_deny_write_exec(vma, vm_flags) > > > will just be as good as passing NULL. > > > > > > It's possible to save the vm_flags from the region that is unmapped, but Catalin > > > suggested it might be better if that is part of a later extension, what do you > > > think? > > > > I thought initially we should keep the behaviour close to what systemd > > achieves via SECCOMP while only relaxing an mprotect(PROT_EXEC) if the > > vma is already executable (i.e. check actual permission change not just > > the PROT_* flags). > > > > We could pass the old vm_flags for that region (and maybe drop the vma > > pointer entirely, just check old and new vm_flags). But this feels like > > tightening slightly systemd's MDWE approach. If user-space doesn't get > > confused by this, I'm fine to go with it. Otherwise we can add a new > > flag later for this behaviour > > > > I guess that's more of a question for Topi on whether point tightening > > point (e) is feasible/desirable. > > I think we want 1:1 compatibility with seccomp() for the basic version, so > MAP_FIXED shouldn't change the verdict. Later we can introduce more versions > (perhaps even less strict, too) when it's requested by configuration, like > MemoryDenyWriteExecute=[relaxed | strict]. Are you ok with allowing mprotect(PROT_EXEC|PROT_BTI) if the mapping is already PROT_EXEC? Or you'd rather reject that as well? -- Catalin