Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp1693048rwd; Thu, 18 May 2023 16:10:00 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4REX6I9e37FVlcHPLZD2fdhHiok5GTqqkJkL943dxDrqebz1sibF6TZmep/CWg5L0UXCnE X-Received: by 2002:a05:6a20:9d91:b0:105:66d3:8538 with SMTP id mu17-20020a056a209d9100b0010566d38538mr56730pzb.8.1684451399794; Thu, 18 May 2023 16:09:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684451399; cv=none; d=google.com; s=arc-20160816; b=fqTBMDUDYKHDMkBhy5JJqJV4e/NRPbx6M8ylwBckXNHz2/vatlxtWoLiGc+laDFux5 ISgwPzWtA2ygRjo+3SLKB8DBU5fL/FK6qSq6KUahSOs0MqZKP7u3WbSIZiD0c0z67p+6 E34x/rDmQ8BYF3g/J8GnojohFCJvBXIWsYxuhO3pLiRTx5txPzrmRpWAyE+QE3r711p6 1FUKBqZChgyhzZBODiOaUmhihqNhzCQWt75tEGFiDVhw5qATNwf7uC8GjcXeVD6IvTjQ ImNDl+R7Fxy6CymKfw/BKtHwW/lNgVoQao/g19PkPmb4mMffAqGWUr6pdNDGRT8G2poF Dglg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=jWnUteL7v7/EAzuWn1drf3iWgiZd3P6BMPM7r3CRrU4=; b=b1bv7uIrYwe/FnV/lvq6Yy2zTgWxUAnTqws/OzHi0ZC8B5xjAUNnqDLju7iHmbeNPV Buu50sHAdEvs8z7Y6rJu+JTHKztxVi08xsBvPbk/LPXbcp2v9QGDfZk/S/GRwQTiUlkR bLzKY1E0Xhc2gvDqnS9Tprqit93lRHJ0r9udJgFafyul+GojJBRyw0GSodwObspSl5zE xZmMu4dmdSQ44aHOXHkSsYK7dUq9A7XC8/BQsLqqQJiE1+tg7FdOpp4rpjkt854rIl4W eDij3OhEQJ9nRlY0/Y3qbnfh8BLcZ5jFe20Se1Cy/bUpCZiYSWYp/gBVE/6sdgi7bLlF MUKQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=p1QNWoXO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id o3-20020a637303000000b0050bd8dd1b5asi2486916pgc.43.2023.05.18.16.09.45; Thu, 18 May 2023 16:09:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=p1QNWoXO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230422AbjERWwT (ORCPT + 99 others); Thu, 18 May 2023 18:52:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54934 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230141AbjERWwS (ORCPT ); Thu, 18 May 2023 18:52:18 -0400 Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A1955E69 for ; Thu, 18 May 2023 15:52:16 -0700 (PDT) Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-50dba8a52dcso3024a12.0 for ; Thu, 18 May 2023 15:52:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1684450335; x=1687042335; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=jWnUteL7v7/EAzuWn1drf3iWgiZd3P6BMPM7r3CRrU4=; b=p1QNWoXOV1xgKiAp3Uawa5ywP62PFwgqLlo1IX/Z7lbukYiaO8h726vLk1ksYI/7qK SMove0r+bWiZcvsiSYWZVvJStA74wecehJFZuXtuZYpVjAd5Xlsi2RjcYi7IHBrmOv7i yzKLfoDu7FGmybhsjsdzoQ8+9IPnyeexOugE2vYPc8H+CF77m1kr5AMWA0qoQIpVvUeK sftIpAXu/jlLnagqS/IEHrCGZFL3YaUrmtF/yOHMwzEYlCPnOXXqpTnBBR/ORpDE38EB 3+IEJL2Q7VHbtlApuj2xkqYqRwVdFB0cMzSDD/LVhIzYEr1abR+8elMLu/GsxPG1m3us Utsw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684450335; x=1687042335; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=jWnUteL7v7/EAzuWn1drf3iWgiZd3P6BMPM7r3CRrU4=; b=eeBgGMEU5jsS8+yc7Be5benmZrfgh6wJtEjooW3xGDch2BbjcjSJHBRrsbszytDVs7 aBB71+0FB2ZZxyTd6yfKyNGv2h0hA50LtnnZe3jZg37a3xFo7M73VdRuLE+PI4LMCBYA Nx/vHIOgUZr3IVHnVbGtTFY9uuVXhcsh8vXwXooLx5KLTmfvlS17u0V/5KDUbawvXQIJ 4SKFnmQ4hp52Beroi1pM0FyYmcyza5w9yKK87o9z3Jna9EAkmK9QgGarvjeCC7Jl/yKC Ce8bR7TPvhF9aDgRcVoU1zqo83nlKS0l4wsTwiTkVmPsxivuYJVEozXqZTzC7l6Hueoi piGg== X-Gm-Message-State: AC+VfDzzZk+knNUq6tKzpt6juNnkDuDF+6SSM2zErYm/+1WSmil3cWAq agN7MNnJX/RU5ITtMh40t/16T30wwxBEO3r5CSxyBw== X-Received: by 2002:a50:aac5:0:b0:502:2af:7b1d with SMTP id r5-20020a50aac5000000b0050202af7b1dmr18114edc.3.1684450334862; Thu, 18 May 2023 15:52:14 -0700 (PDT) MIME-Version: 1.0 References: <20230515130553.2311248-1-jeffxu@chromium.org> <20230515130553.2311248-3-jeffxu@chromium.org> <6dbbc3da-78c9-8101-d52a-0be47da9d67e@intel.com> In-Reply-To: <6dbbc3da-78c9-8101-d52a-0be47da9d67e@intel.com> From: Jeff Xu Date: Thu, 18 May 2023 15:51:38 -0700 Message-ID: Subject: Re: [PATCH 2/6] PKEY: Add arch_check_pkey_enforce_api() To: Dave Hansen Cc: jeffxu@chromium.org, luto@kernel.org, jorgelo@chromium.org, keescook@chromium.org, groeck@chromium.org, jannh@google.com, sroettger@google.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 18, 2023 at 2:43=E2=80=AFPM Dave Hansen = wrote: > > On 5/15/23 06:05, jeffxu@chromium.org wrote: > > +static inline int __arch_check_vma_pkey_for_write(struct vm_area_struc= t *vma) > > +{ > > + int pkey =3D vma_pkey(vma); > > + > > + if (mm_pkey_enforce_api(vma->vm_mm, pkey)) { > > + if (!__pkru_allows_write(read_pkru(), pkey)) > > + return -EACCES; > > + } > > + > > + return 0; > > +} > > Please think very carefully about what I'm about to say: > > What connects vma->vm_mm to read_pkru() here? > > Now think about what happens when we have kthread_use_mm() or a ptrace() > doing get_task_mm() and working on another process's mm or VMA. > > Look at arch_vma_access_permitted() and notice how it avoids read_pkru() > for 'foreign' aka. 'remote' accesses: > > > static inline bool arch_vma_access_permitted(struct vm_area_struct *vma= , > > bool write, bool execute, bool foreign) > > { > ... > > if (foreign || vma_is_foreign(vma)) > > return true; > > return // check read_pkru() > > } > > In other words, it lets all remote accesses right through. That's > because there is *NOTHING* that fundamentally and tightly connects the > PKRU value in this context to the VMA or the context that initiated this > operation. > > If your security model depends on PKRU protection, this 'remote' > disconnection is problematic. The PKRU enforcement inside the kernel is > best-effort. That usually doesn't map into the security space very well. > > Do you have a solid handle on all call paths that will reach > __arch_check_vma_pkey_for_write() and can you ensure they are all > non-remote? Is this about the attack scenario where the attacker uses ptrace() into the chrome process ? if so it is not in our threat model, and that is more related to sandboxing on the host. Or is this about io_uring? Yes, io_uring kernel thread breaks our expectations of PKRU & user space threads, however I thought the break is not just for this - any syscall involved in memory operation will break after into io_uring ? Other than those, yes, I try to ensure the check is only used at the beginning of syscall entry in all cases, which should be non-remote I hope. Thanks -Jeff