Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp2804518rwb; Fri, 2 Dec 2022 15:37:37 -0800 (PST) X-Google-Smtp-Source: AA0mqf6VwXBlRzKbAjyu6PPNhYWCaMh0TtiXk5y/Zh+8/oF8S5P54Uwgx88/mvqzRgd0Ck8RcnrT X-Received: by 2002:a17:907:a093:b0:7bc:876b:4c6d with SMTP id hu19-20020a170907a09300b007bc876b4c6dmr32477029ejc.338.1670024257269; Fri, 02 Dec 2022 15:37:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670024257; cv=none; d=google.com; s=arc-20160816; b=GfU70Z829VOA0SVKKuLuv+L/5A8R4Af4IZ8iUy8NqrVlqDwbtQ06BHFWOQ+ApUUBVS W/K8to/NrcodYcOUnRvzJk9iwGp00wpACpB9UWK7wKhGjCS9SaGUpd52OgaFj8BLSj5s QssD3AXLDF4rmojVgiDci8TbbDCneUMvHEeJTCVezVZZKAeMD4BlErSg1rrokSYXaQcU dRoc7C2u4iqeFZ88ljp0+Fxs487HJ+j4T0zkQMidd9lCu/AkfPwFzmAxR53M8Mp0Y0bD 3enz8bPM73gLXB3+/h5uuCn3FMvwKd+s4u5hHx/zGwg6dpJ/G0mz6E+Hg4zfuj7Y2/vP ne2g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=eM+1LrtRbt+WpmzgDW1tRWTW/wjEth8C2wafomacTvs=; b=J7fDMDGqQC+yTN4Jm1oWgTvG70Y0of0e2AAGYyPgXJ1lxrzddWSEMSMJubt2kLBxsN ls00YTQNST3ORixO+3akPXxMoIVc+/vumRWqpSfLNUyzx0Y0NM0UtVonZWP85atUoPWe v9+5ZN3AXWeKc52J7O/uEqE9tQz5WtMtMMaMDKNqo7n60Mu4iywyr70yFjsskInuVUtK HA/mPClpUUkm7CbDiEJzZFWmcbF7euKXHNIlfe3KLqg9cQ2Ja2igjcsg0L6N8522tRxK jj14tdEu/0zEPqSVf2CRaXSHE7eKCtUdSiZh4gSPC7dPb/dc6Knjz2xGwAZKgADYHQf7 T9Ew== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ogP+1s5y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s19-20020a170906455300b0073d71124609si441677ejq.182.2022.12.02.15.37.18; Fri, 02 Dec 2022 15:37:37 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ogP+1s5y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229657AbiLBW5F (ORCPT + 82 others); Fri, 2 Dec 2022 17:57:05 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54620 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234730AbiLBW4x (ORCPT ); Fri, 2 Dec 2022 17:56:53 -0500 Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AA060FA47B for ; Fri, 2 Dec 2022 14:56:48 -0800 (PST) Received: by mail-pl1-x62a.google.com with SMTP id s7so5942100plk.5 for ; Fri, 02 Dec 2022 14:56:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=eM+1LrtRbt+WpmzgDW1tRWTW/wjEth8C2wafomacTvs=; b=ogP+1s5yBS/yo5zsl83DEgCq0QTin3smKXZPlpdGhFQYM7X9GXiXpmHxCaPn+8Iyto rVYZ0shPOdyXZtjKsleADC800vglfXJ2FdoBdfQypvGheLWVdgH1tj79Ly5BqIKfP3AG Go0fXM/y/y5YfukzXJVGaxM+N/gtlTVhVeTf8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=eM+1LrtRbt+WpmzgDW1tRWTW/wjEth8C2wafomacTvs=; b=rxTzjJHsoiV30VNTQ7xEqEGvKjnx25t69o0jH2l47wLXAv//KiZaqitF8+gYGtVaUU ZSyRPLt4uG/GLN3d/FnI6/3s4tt4XDFMANU6jyzKyaAzD5Tz6B5me6DHIGqXJOMU456e N7/eGr4+ml6n/1d8YqxHlIFvUsR/4xnYn2Z2RK8KvjUF2NHt5PQgA0bR6+kb49Mel1bM yXLMWufi0zWipURGJnov+TIO8eYnr6vMAfuRv2M2SZdkJauhEHdPuXL1WygoPcVuG6AL wdnrgfVeuQ7wI8r/G9E/HjPmpgRNWqUJ1KyQRWT/v2wvXaI7DuBcNCzv1whHEMwf4T6q jiHg== X-Gm-Message-State: ANoB5pkp/cliG0Ll9hdm/sxwsoufjJJxdO8O2RwEdzYrUGSVuBvEumDs HKIL92vkrNbriOlaXG36gexK7w== X-Received: by 2002:a17:90a:460b:b0:218:8a84:aeca with SMTP id w11-20020a17090a460b00b002188a84aecamr71088506pjg.63.1670021808113; Fri, 02 Dec 2022 14:56:48 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id 123-20020a620581000000b005747b59fc54sm5761561pff.172.2022.12.02.14.56.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 02 Dec 2022 14:56:47 -0800 (PST) Date: Fri, 2 Dec 2022 14:56:46 -0800 From: Kees Cook To: jeffxu@chromium.org Cc: skhan@linuxfoundation.org, akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com, linux-hardening@vger.kernel.org Subject: Re: [PATCH v3] mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC Message-ID: <202212021446.9D544DDF@keescook> References: <20221202013404.163143-1-jeffxu@google.com> <20221202013404.163143-3-jeffxu@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20221202013404.163143-3-jeffxu@google.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Dec 02, 2022 at 01:34:00AM +0000, jeffxu@chromium.org wrote: > From: Jeff Xu > > The new MFD_NOEXEC_SEAL and MFD_EXEC flags allows application to > set executable bit at creation time (memfd_create). > > When MFD_NOEXEC_SEAL is set, memfd is created without executable bit > (mode:0666), and sealed with F_SEAL_EXEC, so it can't be chmod to > be executable (mode: 0777) after creation. > > when MFD_EXEC flag is set, memfd is created with executable bit > (mode:0777), this is the same as the old behavior of memfd_create. > > The new pid namespaced sysctl vm.memfd_noexec has 3 values: > 0: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like > MFD_EXEC was set. > 1: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like > MFD_NOEXEC_SEAL was set. > 2:memfd_create() without MFD_NOEXEC_SEAL will be rejected. ^ nit: missing space > > The sysctl allows finer control of memfd_create for old-software > that doesn't set the executable bit, for example, a container with > vm.memfd_noexec=1 means the old-software will create non-executable > memfd by default. > > Co-developed-by: Daniel Verkamp > Signed-off-by: Daniel Verkamp > Signed-off-by: Jeff Xu > --- > include/linux/pid_namespace.h | 19 ++++++++++++++ > include/uapi/linux/memfd.h | 4 +++ > kernel/pid_namespace.c | 47 +++++++++++++++++++++++++++++++++++ > mm/memfd.c | 44 ++++++++++++++++++++++++++++++-- > 4 files changed, 112 insertions(+), 2 deletions(-) > > diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h > index 07481bb87d4e..a4789a7b34a9 100644 > --- a/include/linux/pid_namespace.h > +++ b/include/linux/pid_namespace.h > @@ -16,6 +16,21 @@ > > struct fs_pin; > > +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) > +/* > + * sysctl for vm.memfd_noexec > + * 0: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL > + * acts like MFD_EXEC was set. > + * 1: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL > + * acts like MFD_NOEXEC_SEAL was set. > + * 2: memfd_create() without MFD_NOEXEC_SEAL will be > + * rejected. > + */ > +#define MEMFD_NOEXEC_SCOPE_EXEC 0 > +#define MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL 1 > +#define MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED 2 > +#endif > + > struct pid_namespace { > struct idr idr; > struct rcu_head rcu; > @@ -31,6 +46,10 @@ struct pid_namespace { > struct ucounts *ucounts; > int reboot; /* group exit code if this pidns was rebooted */ > struct ns_common ns; > +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) > + /* sysctl for vm.memfd_noexec */ > + int memfd_noexec_scope; > +#endif > } __randomize_layout; > > extern struct pid_namespace init_pid_ns; > diff --git a/include/uapi/linux/memfd.h b/include/uapi/linux/memfd.h > index 7a8a26751c23..273a4e15dfcf 100644 > --- a/include/uapi/linux/memfd.h > +++ b/include/uapi/linux/memfd.h > @@ -8,6 +8,10 @@ > #define MFD_CLOEXEC 0x0001U > #define MFD_ALLOW_SEALING 0x0002U > #define MFD_HUGETLB 0x0004U > +/* not executable and sealed to prevent changing to executable. */ > +#define MFD_NOEXEC_SEAL 0x0008U > +/* executable */ > +#define MFD_EXEC 0x0010U > > /* > * Huge page size encoding when MFD_HUGETLB is specified, and a huge page > diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c > index f4f8cb0435b4..71dd9b0a0f62 100644 > --- a/kernel/pid_namespace.c > +++ b/kernel/pid_namespace.c > @@ -110,6 +110,10 @@ static struct pid_namespace *create_pid_namespace(struct user_namespace *user_ns > ns->ucounts = ucounts; > ns->pid_allocated = PIDNS_ADDING; > > +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) > + ns->memfd_noexec_scope = MEMFD_NOEXEC_SCOPE_EXEC; > +#endif I think this should be inherited from the parent pid namespace instead? > + > return ns; > > out_free_idr: > @@ -255,6 +259,45 @@ void zap_pid_ns_processes(struct pid_namespace *pid_ns) > return; > } > > +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) > +int pid_mfd_noexec_dointvec_minmax(struct ctl_table *table, int write, > + void *buffer, size_t *lenp, loff_t *ppos) > +{ > + struct pid_namespace *ns = task_active_pid_ns(current); > + struct ctl_table table_copy; > + > + if (write && !capable(CAP_SYS_ADMIN)) > + return -EPERM; > + > + table_copy = *table; > + if (ns != &init_pid_ns) > + table_copy.data = &ns->memfd_noexec_scope; > + > + /* > + * set minimum to current value, the effect is only bigger > + * value is accepted. > + */ > + if (*(int *)table_copy.data > *(int *)table_copy.extra1) > + table_copy.extra1 = table_copy.data; Yeah, I like this kind of enforcement. > + > + return proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos); > +} > + > +static struct ctl_table pid_ns_ctl_table_vm[] = { > + { > + .procname = "memfd_noexec", > + .data = &init_pid_ns.memfd_noexec_scope, > + .maxlen = sizeof(init_pid_ns.memfd_noexec_scope), > + .mode = 0644, > + .proc_handler = pid_mfd_noexec_dointvec_minmax, > + .extra1 = SYSCTL_ZERO, > + .extra2 = SYSCTL_TWO, > + }, > + { } > +}; > +static struct ctl_path vm_path[] = { { .procname = "vm", }, { } }; > +#endif > + > #ifdef CONFIG_CHECKPOINT_RESTORE > static int pid_ns_ctl_handler(struct ctl_table *table, int write, > void *buffer, size_t *lenp, loff_t *ppos) > @@ -455,6 +498,10 @@ static __init int pid_namespaces_init(void) > #ifdef CONFIG_CHECKPOINT_RESTORE > register_sysctl_paths(kern_path, pid_ns_ctl_table); > #endif > + > +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) > + register_sysctl_paths(vm_path, pid_ns_ctl_table_vm); > +#endif > return 0; > } > > diff --git a/mm/memfd.c b/mm/memfd.c > index 4ebeab94aa74..69e897dea6d5 100644 > --- a/mm/memfd.c > +++ b/mm/memfd.c > @@ -18,6 +18,7 @@ > #include > #include > #include > +#include > #include > > /* > @@ -263,12 +264,13 @@ long memfd_fcntl(struct file *file, unsigned int cmd, unsigned long arg) > #define MFD_NAME_PREFIX_LEN (sizeof(MFD_NAME_PREFIX) - 1) > #define MFD_NAME_MAX_LEN (NAME_MAX - MFD_NAME_PREFIX_LEN) > > -#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB) > +#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB | MFD_NOEXEC_SEAL | MFD_EXEC) > > SYSCALL_DEFINE2(memfd_create, > const char __user *, uname, > unsigned int, flags) > { > + struct pid_namespace *ns; > unsigned int *file_seals; > struct file *file; > int fd, error; > @@ -285,6 +287,36 @@ SYSCALL_DEFINE2(memfd_create, > return -EINVAL; > } > > + /* Invalid if both EXEC and NOEXEC_SEAL are set.*/ > + if ((flags & MFD_EXEC) && (flags & MFD_NOEXEC_SEAL)) > + return -EINVAL; > + > + if (!(flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { > +#ifdef CONFIG_SYSCTL > + int sysctl = MEMFD_NOEXEC_SCOPE_EXEC; > + > + ns = task_active_pid_ns(current); > + if (ns) > + sysctl = ns->memfd_noexec_scope; > + > + if (sysctl == MEMFD_NOEXEC_SCOPE_EXEC) { > + flags |= MFD_EXEC; > + } else if (sysctl == MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL) { > + flags |= MFD_NOEXEC_SEAL; > + } else { > + pr_warn_ratelimited( > + "memfd_create(): MFD_NOEXEC_SEAL is enforced, pid=%d\n", > + task_pid_nr(current)); > + return -EINVAL; > + } Not a huge deal, but the above could be a switch statement to improve readability. > +#else > + flags |= MFD_EXEC; > +#endif > + pr_warn_ratelimited( > + "memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=%d\n", > + task_pid_nr(current)); Perhaps include process name as well -- makes admin lives easier. :) pr_warn_ratelimited( "memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL: %s[%d]\n", current->comm, task_pid_nr(current)); > + } > + > /* length includes terminating zero */ > len = strnlen_user(uname, MFD_NAME_MAX_LEN + 1); > if (len <= 0) > @@ -328,7 +360,15 @@ SYSCALL_DEFINE2(memfd_create, > file->f_mode |= FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE; > file->f_flags |= O_LARGEFILE; > > - if (flags & MFD_ALLOW_SEALING) { > + if (flags & MFD_NOEXEC_SEAL) { > + struct inode *inode = file_inode(file); > + > + inode->i_mode &= ~0111; > + file_seals = memfd_file_seals_ptr(file); > + *file_seals &= ~F_SEAL_SEAL; > + *file_seals |= F_SEAL_EXEC; > + } else if (flags & MFD_ALLOW_SEALING) { > + /* MFD_EXEC and MFD_ALLOW_SEALING are set */ > file_seals = memfd_file_seals_ptr(file); > *file_seals &= ~F_SEAL_SEAL; > } > -- > 2.39.0.rc0.267.gcb52ba06e7-goog > Otherwise, looks good to me. Reviewed-by: Kees Cook -- Kees Cook