From: Paul Moore
Date: Fri, 9 Dec 2022 13:15:03 -0500
Subject: Re: [PATCH v7 0/6] mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC
To: jeffxu@chromium.org
Cc: skhan@linuxfoundation.org, keescook@chromium.org, akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com, linux-hardening@vger.kernel.org, linux-security-module@vger.kernel.org
In-Reply-To: <20221209160453.3246150-1-jeffxu@google.com>
References: <20221209160453.3246150-1-jeffxu@google.com>
List: linux-kernel@vger.kernel.org

On Fri, Dec 9, 2022 at 11:05 AM  wrote:
> From: Jeff Xu
>
> Since Linux introduced the memfd feature, memfds have always had their
> execute bit set, and the memfd_create() syscall doesn't allow setting
> it differently.
>
> However, in a secure by default system, such as ChromeOS (where all
> executables should come from the rootfs, which is protected by Verified
> boot), this executable nature of memfd opens a door for NoExec bypass
> and enables a "confused deputy attack". E.g., in VRP bug [1]: the cros_vm
> process created a memfd to share the content with an external process;
> however, the memfd is overwritten and used for executing arbitrary code
> and root escalation. [2] lists more VRP bugs of this kind.

...

> [1] https://crbug.com/1305411

Can you make this accessible so those of us on the public lists can
view this bug?  If not, please remove it from future postings and
adjust your description accordingly.

-- 
paul-moore.com
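The cover letter quoted above describes two things a user-space program can observe: a plain memfd_create() hands back a file whose execute bits are set, and the series adds a flag (MFD_NOEXEC_SEAL) that clears them and seals them with F_SEAL_EXEC. The program below is an added example written for this page; it is not code from the patch series, from ChromeOS, or from either author of the thread. It shows the legacy behaviour, the hardened call with the EINVAL fallback a caller needs on kernels that predate the series, and the sender/receiver sealing pattern (F_SEAL_WRITE, F_SEAL_SHRINK, F_SEAL_GROW) that closes the "memfd is overwritten" half of the scenario; sealing does not by itself remove the exec bits, which is the gap the series fills. The flag values are copied from the uapi headers of kernels that carry the series and guarded so the file builds on older ones; all function names and the payload bytes are my own constructed choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* uapi constants, guarded so this builds against older headers; the running
 * kernel decides which it honours. MFD_NOEXEC_SEAL and F_SEAL_EXEC are the
 * ones this series adds. */
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#define F_SEAL_SEAL 0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW 0x0004
#define F_SEAL_WRITE 0x0008
#endif
#ifndef MFD_NOEXEC_SEAL
#define MFD_NOEXEC_SEAL 0x0008U
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

/* Raw syscall so the flags reach the kernel even when libc predates them. */
#define memfd_create_raw(name, flags) ((int)syscall(SYS_memfd_create, (name), (flags)))

/* Execute bits (0111) of the inode behind fd, or -1 on error. */
int memfd_exec_bits(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0111) : -1;
}

/* Legacy call from the cover letter: no exec-related flag, so the file comes
 * back executable (a kernel with the series and a raised vm.memfd_noexec
 * sysctl may clear the bits instead). */
int create_legacy_memfd(void)
{
    return memfd_create_raw("legacy", MFD_CLOEXEC);
}

/* Hardened call: MFD_NOEXEC_SEAL clears the execute bits and adds F_SEAL_EXEC
 * so fchmod() cannot put them back. Kernels without the series reject the
 * unknown flag with EINVAL, so callers need a fallback path. */
int create_noexec_memfd(void)
{
    return memfd_create_raw("noexec", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
}

/* 1 if fd carries F_SEAL_EXEC, 0 if not, -1 if seals cannot be read. */
int memfd_is_noexec_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return seals < 0 ? -1 : (seals & F_SEAL_EXEC) != 0;
}

/* Sender side of the sharing scenario: write the content, then seal it so the
 * receiver can neither resize nor overwrite it. Returns the fd or -1. */
int create_sealed_payload(const void *data, size_t len)
{
    int fd = memfd_create_raw("payload", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    if (write(fd, data, len) != (ssize_t)len ||
        fcntl(fd, F_ADD_SEALS,
              F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_SEAL) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Receiver side: accept only when write, shrink and grow seals are present. */
int memfd_content_is_immutable(int fd)
{
    const int need = F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_GROW;
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & need) == need;
}

/* 1: MFD_NOEXEC_SEAL honoured (no exec bits, F_SEAL_EXEC set);
 * 0: kernel predates the series (EINVAL); -1: any other outcome. */
int demo_noexec_result(void)
{
    int fd = create_noexec_memfd();
    if (fd < 0)
        return errno == EINVAL ? 0 : -1;
    int ok = memfd_exec_bits(fd) == 0 && memfd_is_noexec_sealed(fd) == 1;
    close(fd);
    return ok ? 1 : -1;
}

/* 1 if a sealed payload (constructed sample bytes) is reported immutable and
 * a later write is refused with EPERM, 0 otherwise. */
int demo_sealed_payload(void)
{
    static const char blob[] = "constructed sample payload";
    int fd = create_sealed_payload(blob, sizeof blob - 1);
    if (fd < 0)
        return 0;
    int ok = memfd_content_is_immutable(fd) &&
             write(fd, "x", 1) == -1 && errno == EPERM;
    close(fd);
    return ok;
}
```

On a kernel without the series, create_noexec_memfd() fails with EINVAL and demo_noexec_result() returns 0; on mainline 6.3 and later, which carry the series, it returns 1 and memfd_exec_bits() on the new fd is 0. The receiver-side check is the part that works everywhere today: a process handed a memfd by a less trusted peer should refuse it unless F_GET_SEALS reports the write, shrink and grow seals, and should still check the execute bits separately, since the seals say nothing about whether the file can be mapped or executed.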