Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp1152837rwr; Fri, 5 May 2023 09:49:12 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4xUYCA5WJ8pmZ6jaY7YI7YkSuEGAHtVH+iqlRg6/UP/js80o9vMYHxrVW/LYkyqFRKg1jZ X-Received: by 2002:a17:902:8c87:b0:1a9:8d57:6d6c with SMTP id t7-20020a1709028c8700b001a98d576d6cmr1627454plo.24.1683305351713; Fri, 05 May 2023 09:49:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683305351; cv=none; d=google.com; s=arc-20160816; b=RN9tWe6IShfWJhC8DkqaASc0Ode32eNOqFqfamsOHHspidNRzo8ADOXDu39J2tMxIi J8PNgw+zs6eCLJWm44svZDb8EhVlz78TeoTne3EzJkjmh/8VI7g4gJaccIdwprvFlTde JrfkokKZ3mMXMDag9jAGYaJazS8iqfRVmsj15vbC5lr+HDTkLjd2oLZEjCFuLTM5/UP4 UjJj0cqVxH+MfZRLxC76cmlNgkY4DyhhC4dxSGbgJdu+robkyh8WZ56FFHLpDNqKe3nu kCJW9icnsOH/AVaklUE2tjBrEZWmetCog0Rg6PH5PziYXvw1OdhIuJ3XaxqrjeYzcuTu hymA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=7v06Z2KE6UgDkNy7vxoQMtDkj1FvtkQwtTi1j/U3CnQ=; b=ZWF9G4YCfKYXfeSnHViWx9VNxd0kKon+cy+V0SUuGmDR22akwO6hzsr0ZbHX3Cpvmr 26EPRzKKq+BVZG7f/TfOaEVNTjL9OK/V0ChZ7en/k5gZzwA0sh+sP0iUpr2vYvl08YFU 9JcrPQ8CQEsrPLssXCrwM80GqjzvNQmlFY5i74zBh1j2mNQ99Hfz0Z9WucrcFiyzoIof mgdI6bCtoeELnLI4vumhEZjV4VA1XjELMN8fuu42MCzaj+RY1BMxni8CrNjMf/w4abH9 kslxOrfaxbEBrduAmnnPP+rvieFU5r0wZQqp0GZPqhNxl6kMLOCLWOxiu9hg3k/QF7RD gcuw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=C71QWIQ+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n2-20020a170902e54200b001a6fce1d951si1587661plf.377.2023.05.05.09.48.56; Fri, 05 May 2023 09:49:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=C71QWIQ+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230508AbjEEQmX (ORCPT + 99 others); Fri, 5 May 2023 12:42:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35876 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229577AbjEEQmV (ORCPT ); Fri, 5 May 2023 12:42:21 -0400 Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AC81913284 for ; Fri, 5 May 2023 09:42:20 -0700 (PDT) Received: by mail-pl1-x62e.google.com with SMTP id d9443c01a7336-1aaef97652fso13666105ad.0 for ; Fri, 05 May 2023 09:42:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1683304940; x=1685896940; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=7v06Z2KE6UgDkNy7vxoQMtDkj1FvtkQwtTi1j/U3CnQ=; b=C71QWIQ+VPVvQHucoVXDHQr+P8OfEaR5pAyJFWp+VdrT2k8ZNsmsUmprIu97eTCS7S T+YpuIApCG05mDXG95KuevANMZcbkicvhJmKzHChh/mSVduaNIabHsaZkv/ZN00g9zRD lwI2oa0h4LI4CM5kCUcI5OpcCMiQIMbbcWz+s= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683304940; x=1685896940; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7v06Z2KE6UgDkNy7vxoQMtDkj1FvtkQwtTi1j/U3CnQ=; b=eFq+R6Ibhim7FEiQ169N8pkfOfvUSEH14t93vRtXHg9BKTdJsgCEq40jV6zUkPMmsz uWyjOnI58PSA+CkMXp0Ps5GmG860UPvDDILntvNkQAU8ePi4uNDh5R8fFZYmDVMyKc5j FEHvLOesAIQDBIAZip85l8XuigzY5+PJ5I88MbOP2vtoPYsE+oQHgpocpJrInvUxOg8i Qt0boXrJ6K0HJVZnvwZ7qqRP5S6dqMSRLz63jIH/zxX6BGoDsribrPmi5pk1jQfpR2cv 742NjIpNzM+R21wbdpS5S/pMF6ECg7e/T1NYkultui9ha2/7O7ZSSZeoeRrXjLkD8Vlr zeIg== X-Gm-Message-State: AC+VfDxPO91i6pgsSg1EV2wJLOQ58m29tiU+5kaunSyyfnzywtzqPbUF zAr83zc4mHOPOblun1ZNuREQheqKbeJ3JyW9Of/OrT10av0s2XyO X-Received: by 2002:a17:902:e852:b0:1a6:c595:d7c3 with SMTP id t18-20020a170902e85200b001a6c595d7c3mr2434089plg.22.1683304940092; Fri, 05 May 2023 09:42:20 -0700 (PDT) MIME-Version: 1.0 References: <20230504170942.822147-1-revest@chromium.org> In-Reply-To: From: Florent Revest Date: Fri, 5 May 2023 18:42:08 +0200 Message-ID: Subject: Re: [PATCH 0/4] MDWE without inheritance To: Peter Xu Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, akpm@linux-foundation.org, catalin.marinas@arm.com, anshuman.khandual@arm.com, joey.gouly@arm.com, mhocko@suse.com, keescook@chromium.org, david@redhat.com, izbyshev@ispras.ru, nd@arm.com, broonie@kernel.org, szabolcs.nagy@arm.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 4, 2023 at 10:06=E2=80=AFPM Peter Xu wrote: > > On Thu, May 04, 2023 at 07:09:38PM +0200, Florent Revest wrote: > > Joey recently introduced a Memory-Deny-Write-Executable (MDWE) prctl wh= ich tags > > current with a flag that prevents pages that were previously not execut= able from > > becoming executable. > > This tag always gets inherited by children tasks. (it's in MMF_INIT_MAS= K) > > > > At Google, we've been using a somewhat similar downstream patch for a f= ew years > > now. To make the adoption of this feature easier, we've had it support = a mode in > > which the W^X flag does not propagate to children. For example, this is= handy if > > a C process which wants W^X protection suspects it could start children > > processes that would use a JIT. > > > > I'd like to align our features with the upstream prctl. This series pro= poses a > > new NO_INHERIT flag to the MDWE prctl to make this kind of adoption eas= ier. It > > sets a different flag in current that is not in MMF_INIT_MASK and which= does not > > propagate. > > I don't think I have enough context, so sorry if I'm going to ask a naive > question.. Not at all! :) You're absolutely right, it's important to address these poi= nts. > I can understand how current MDWE helps on not allowing any modifi-able > content from becoming executable. How could NO_INHERIT help if it won't > inherit and not in MMF_INIT_MASK? The way I see it, enabling MDWE is just a small step towards hardening a binary anyway. It can possibly make exploitation a bit harder in the case where the attacker has _just_: a write primitive they can use to write a shellcode somewhere and a primitive to make that page executable later. It's a fairly narrow protection already and I think it only really helps as part of a broader "defense in depth" strategy. > IIUC it means the restriction will only apply to the current process. Th= en > I assume the process can escape from this rule simply by a fork(). If so= , > what's the point to protect at all? If we assume enough control from the attacker, then MDWE is already useless since it can be bypassed by writing to a file and then mmapping that file with PROT_EXEC. I think that's a good example of how "perfect can be the enemy of good" in security hardening. MDWE isn't a silver-bullet but it's a cheap trick and it makes a small dent in reducing the attack surface so it seems worth having anyway ? But indeed, to address your question, if you choose to use this NO_INHERIT flag: you're no longer protected if the attacker can fork() as part of their exploitation. I think it's been a useful trade-off for our internal users since, on the other hand, it also makes adoption a lot easier: our C++ services developers can trivially opt into a potpourri of hardening features without having to think too much about how they work under-the-hood. The default behavior has been to use a NO_INHERIT strategy so users don't get bad surprises the day when they try to spawn a JITted subcommand. In the meantime, their C++ service still gets a little bit of extra protection. > And, what's the difference of this comparing to disabling MDWE after bein= g > enabled (which seems to be forbidden for now, but it seems fork() can pla= y > a similar role of disabling it)? That would be functionally somewhat similar, yes. I think it mostly comes down to ease of adoption. I imagine that users who would opt into NO_INHERIT are those who are interested in MDWE for the binary they are writing but aren't 100% confident in what subprocesses they will run and so they don't have to think about disabling it after every fork.