Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp1518122rwb; Wed, 14 Dec 2022 11:09:50 -0800 (PST) X-Google-Smtp-Source: AA0mqf68BlnOz48UjPVyYF9c3ktYETr6eKtY37hljhabOa9ws1h+Y2niRMojjjmFGNrIQzHQUvFT X-Received: by 2002:a17:906:a20e:b0:7be:ed78:b7de with SMTP id r14-20020a170906a20e00b007beed78b7demr22272512ejy.47.1671044989888; Wed, 14 Dec 2022 11:09:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1671044989; cv=none; d=google.com; s=arc-20160816; b=hWfHAZQxvvHjohwdfP/HTKSvskBHuBf+EAHAmL5uYmNn5zRRhpMMeDhzT4WREz7iXw rMRJm7hYeHgYoyDuf+mdgh/D4MK0RQlr/ZrhwAsNjuvbuy9ddvFseCZ9lhEt0l2deM1B pNvHMtDN6y+qI5CEa7VSBhlUeN9id0/Z3GpT2RS3Im74U7phBHT8jRhdMqrbSoLK79q5 a270IQwlf6wmazil/84AljQLqXcT30zs0clE0rQt+jO5jSC/dt9CPnUzXn/bjiiRioDS SZgMHW/ETv7W7GlTvcOHHdSN2gr5Q2hfXDmsqtENi30pmniMsC3nr+0+eW+ClzCLWkpf jhqQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=o2e1a6vpAxQHzaMqe1Zz1YgsBuyNkLZSUPq8vet5Q+E=; b=MBz24uwe99pVDj/VP0VmdSG+imp4ReFy3IpcZ0uwbs+11x7WP8C8Nck+D71gETtByC wG6tZ9N2VnNbwn7NQ6H3a6md2Gp2D5NUb4NpHPNn4XEmUJI7Z5geAmhJ0xbCbADvMi4G eC7MGt5IJg4euEGSi8cPQSDut1Wh2Scbey2A8suXzseZwJ8sH9hLYiVhz4aGtplZCnYb 9veZyK1c7tqjRzgauAeIu9Jfj+QhkdZntDLoLuezjMWU6QCitw/vycxOGDMHz3vB1Z2c 7gRUDxfiE/yBx9givyurbJvcuqPJ5PZcYSABO9+ihyBSKgap4ocJKVBQbcQoP07HPgcD v01Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ljRXDQoz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id sc20-20020a1709078a1400b007c4fa177201si845163ejc.180.2022.12.14.11.09.31; Wed, 14 Dec 2022 11:09:49 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ljRXDQoz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237887AbiLNSyr (ORCPT + 69 others); Wed, 14 Dec 2022 13:54:47 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59688 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238880AbiLNSyn (ORCPT ); Wed, 14 Dec 2022 13:54:43 -0500 Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 952872A735 for ; Wed, 14 Dec 2022 10:54:42 -0800 (PST) Received: by mail-pl1-x630.google.com with SMTP id d15so4311484pls.6 for ; Wed, 14 Dec 2022 10:54:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=o2e1a6vpAxQHzaMqe1Zz1YgsBuyNkLZSUPq8vet5Q+E=; b=ljRXDQoz8d06UpaHKC+SuGt8xrjQEfQSizAAs+M7Oa0UFCOyc+ZVFVtSu/m47RyC0P WJux7UP4wXmjSPCsUwuDwIDa9H/CfAsZyqgqoA57G2Fm50pMq3dHqVuXQUKJBj9giDuO 9zDWG2mb8TECeq3VFaiiXxcz6/WlWRjsZr/D8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=o2e1a6vpAxQHzaMqe1Zz1YgsBuyNkLZSUPq8vet5Q+E=; b=4/mmNHkRqUdnF+IyckKE6BhRhlWGsiWsnuf4fCXU0CzVejrZlbfzX7gehQ+bHtlxJZ zjbvZ6Y5rsaUkKZJ5xVji9jVxUOMFNgzgu1lk1nLPTx/PsRijVjkRpwtN92EaeA+u2uW OoRmMTRzOP2BtBIKY5YfXI7dIlSLOWXn9CU1/AZvO288xMNUUzd8zZgtj77KxYBy4LpC 2etOHfqlYGVXpqqYHl98g67LA9FGqUUisVwpA8tf5z430t5cc/D+gCS0ct3pbF8B2wgg GVYQTNlwS9HwEi7E6uZE+HrhYQKoqthBX7/8CNtyVDel+mTMcOvSGwaAhuLYqKlxwFNO zzNw== X-Gm-Message-State: ANoB5pk63vTA1fobcXkWbMmyNbdT926rElASCv8K2yonvX1rsjfDGV0C Q7WPKeznLLL5PtFzjaA0ty/vhw== X-Received: by 2002:a17:90a:6506:b0:214:222:6ed3 with SMTP id i6-20020a17090a650600b0021402226ed3mr27015223pjj.43.1671044082079; Wed, 14 Dec 2022 10:54:42 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id k7-20020a17090a9d8700b00218f9bd50c7sm1710962pjp.50.2022.12.14.10.54.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Dec 2022 10:54:41 -0800 (PST) Date: Wed, 14 Dec 2022 10:54:40 -0800 From: Kees Cook To: jeffxu@chromium.org Cc: skhan@linuxfoundation.org, akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com, linux-hardening@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [PATCH v7 0/6] mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC Message-ID: <202212141053.7F5D1F6@keescook> References: <20221209160453.3246150-1-jeffxu@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20221209160453.3246150-1-jeffxu@google.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Dec 09, 2022 at 04:04:47PM +0000, jeffxu@chromium.org wrote: > From: Jeff Xu > > Since Linux introduced the memfd feature, memfd have always had their > execute bit set, and the memfd_create() syscall doesn't allow setting > it differently. > > However, in a secure by default system, such as ChromeOS, (where all > executables should come from the rootfs, which is protected by Verified > boot), this executable nature of memfd opens a door for NoExec bypass > and enables “confused deputy attack”. E.g, in VRP bug [1]: cros_vm > process created a memfd to share the content with an external process, > however the memfd is overwritten and used for executing arbitrary code > and root escalation. [2] lists more VRP in this kind. > > On the other hand, executable memfd has its legit use, runc uses memfd’s > seal and executable feature to copy the contents of the binary then > execute them, for such system, we need a solution to differentiate runc's > use of executable memfds and an attacker's [3]. > > To address those above, this set of patches add following: > 1> Let memfd_create() set X bit at creation time. > 2> Let memfd to be sealed for modifying X bit. > 3> A new pid namespace sysctl: vm.memfd_noexec to control the behavior of > X bit.For example, if a container has vm.memfd_noexec=2, then > memfd_create() without MFD_NOEXEC_SEAL will be rejected. > 4> A new security hook in memfd_create(). This make it possible to a new > LSM, which rejects or allows executable memfd based on its security policy. I think patch 1-5 look good to land. The LSM hook seems separable, and could continue on its own. Thoughts? (Which tree should memfd change go through?) -Kees -- Kees Cook