From: Jeff Xu
Date: Wed, 28 Jun 2023 21:33:27 -0700
Subject: Re: [PATCH v8 3/5] mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC
To: Dominique Martinet
Cc: skhan@linuxfoundation.org, keescook@chromium.org, akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com, linux-hardening@vger.kernel.org, linux-security-module@vger.kernel.org, kernel test robot
References: <20221215001205.51969-1-jeffxu@google.com> <20221215001205.51969-4-jeffxu@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Hello!

On Wed, Jun 28, 2023 at 12:31 PM Dominique Martinet wrote:
>
> Dominique Martinet wrote on Wed, Jun 28, 2023 at 08:42:41PM +0900:
> > If flags already has either MFD_EXEC or MFD_NOEXEC_SEAL, you don't check
> > the sysctl at all.
> > [...repro snipped..]
> >
> > What am I missing?
>
> (Perhaps the intent is just to force people to use the flag so it is
> easier to check for memfd_create in seccomp or other LSM?
> But I don't see why such a check couldn't consider the absence of a flag
> as well, so I don't see the point.)
>
Yes. There is consideration to motivate app devs to migrate their code to
use the new EXEC/NOEXEC_SEAL flag for memfd_create, if that answers your
question.

> > BTW I find the current behaviour rather hard to use: setting this to 2
> > should still set NOEXEC by default in my opinion, just refuse anything
> > that explicitly requested EXEC.
>
> And I just noticed it's not possible to lower the value despite having
> CAP_SYS_ADMIN: what the heck?! I have never seen such a sysctl and it
> just forced me to reboot because I willy-nilly tested in the init pid
> namespace, and quite a few applications that don't require exec broke
> exactly as I described below.
>
> If the user has CAP_SYS_ADMIN there are more container escape methods
> than I can count, this is basically a free pass to root on main namespace
> anyway, you're not protecting anything. Please let people set the sysctl
> to what they want.
>
Yama has a similar setting; for example, 3 (YAMA_SCOPE_NO_ATTACH) will not
allow downgrading at runtime. Since this is a security feature, not allowing
downgrading at run time is part of the security consideration. I hope you
understand.

> --
> Dominique Martinet | Asmadeus

Thanks!
-Jeff
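As an added example (not code from the patch series or from anyone in this thread), a small C probe that does what Jeff is steering applications toward: it passes MFD_NOEXEC_SEAL explicitly to memfd_create and then checks the guarantees the seal provides independently of the sysctl value (F_SEAL_EXEC present, no exec bits in st_mode, fchmod unable to add them). It assumes the sysctl is exposed as /proc/sys/vm/memfd_noexec, as in the merged kernel, and the fallback constant values are those from the kernel uapi headers; on a kernel without the flag, memfd_create fails with EINVAL and the probe reports "unsupported".

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for older userspace headers (values from linux/memfd.h, linux/fcntl.h). */
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#endif
#ifndef MFD_NOEXEC_SEAL
#define MFD_NOEXEC_SEAL 0x0008U
#endif
#ifndef F_GET_SEALS
#define F_GET_SEALS 1034
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

enum probe { SEAL_BROKEN = -1, SEAL_UNSUPPORTED = 0, SEAL_ENFORCED = 1 };

/* Read vm.memfd_noexec (assumed path); -1 if this kernel has no such sysctl. */
int read_memfd_noexec_sysctl(void)
{
    FILE *f = fopen("/proc/sys/vm/memfd_noexec", "r");
    int v = -1;
    if (f) { if (fscanf(f, "%d", &v) != 1) v = -1; fclose(f); }
    return v;
}

/* Ask for the seal explicitly, so the outcome does not depend on the sysctl,
 * then verify: F_SEAL_EXEC set, mode has no exec bits, chmod +x is refused. */
enum probe probe_noexec_seal(void)
{
    int fd = (int)syscall(SYS_memfd_create, "noexec-probe", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
    if (fd < 0)  /* EINVAL: flag unknown to this kernel; ENOSYS/EPERM: syscall filtered */
        return (errno == EINVAL || errno == ENOSYS || errno == EPERM) ? SEAL_UNSUPPORTED : SEAL_BROKEN;
    struct stat st;
    int seals = fcntl(fd, F_GET_SEALS);
    int ok = seals >= 0 && (seals & F_SEAL_EXEC) && fstat(fd, &st) == 0 &&
             (st.st_mode & 0111) == 0 && fchmod(fd, 0777) == -1 && errno == EPERM;
    close(fd);
    return ok ? SEAL_ENFORCED : SEAL_BROKEN;
}

int main(void)
{
    printf("vm.memfd_noexec = %d (-1: sysctl absent)\n", read_memfd_noexec_sysctl());
    printf("MFD_NOEXEC_SEAL probe = %d (1 enforced, 0 unsupported, -1 broken)\n", probe_noexec_seal());
    return 0;
}
```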