Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp6232979rwp; Mon, 17 Jul 2023 18:07:11 -0700 (PDT) X-Google-Smtp-Source: APBJJlGn6KL2+IptYiaG999BDIO6yaKaGex10qGgebID+qAnyGRCmEYrsI7/tQDor/PKDJcVn95g X-Received: by 2002:a05:6a20:2450:b0:134:fd58:ce41 with SMTP id t16-20020a056a20245000b00134fd58ce41mr1145840pzc.12.1689642430904; Mon, 17 Jul 2023 18:07:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689642430; cv=none; d=google.com; s=arc-20160816; b=xhq/62xU2Bbu+2VSZ3geFIS1GqMnma3BBTpU5+1eWnE1Gpm67hF2vUkb75+PHqgl0B ELeuIoqFVSC6ilu4H8qk3Jba9a2WTKa/iUMhHpE//vNLeBr1qgrCiN8YtiK4gMFVewbm aUlx0F53vUsUWLmfsG9S1X4aTHSPjIp5FsfrQwIaUqU/A6tVeMIhTCH6biSzbGDs7gsq 3yR7v70rQ4Q/45MkzwzQuBZLcv/txUw+r4cKh1AikIdcIq1eAlFDxXwLDgoRlvqxBAXB WoiGUKWq5/00Jz+kWNN25Ix4DILmrOSEzbcBzCGd6JzcEFSr+jAxQLNKGdtYfpp5KwJ9 E7lA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=7/VGkzHeIng6LZLdOiE8OpcvdoSFO1a2yPPXY5DYMhI=; fh=9iHPsLYz3tWsxLM5yhJp5XJIQs+tg5cNer/xNrGYsDE=; b=AZeg05KKOpY4WAfvzUriWebhpV9Vl0UXKGr6xa0OSFw5MeinnzDS15ym3r08PPsg64 TWMCSRwvTDlEwFxwHhSk8WVDVpxc9sVBhyrfPtCOyIDYyetMacjHIuSZDVlmbBL9se6+ SiedNkT4p7dvzwJ4no7qk2H4gCtfJxzaliWPAUtKFAmBlQ4Z3ELBl/a6ObuGsLRJRLTS s+e+PS6YXzRmTSyXlEE/kexKF0LfXSHglwcH/Ual2FUuiAlKiEl9FjQuM4Zc++3gsq/L MMgOjPIpC2p48bCQzy6TYoM0b1xoZo0pY/1hM36okXdEcJG09hDOWNvpQYgvNqRKnddn EPSQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ECb0Wdft; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q17-20020a170902dad100b001b85a47d2b7si749519plx.422.2023.07.17.18.06.58; Mon, 17 Jul 2023 18:07:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ECb0Wdft; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230428AbjGRArc (ORCPT + 99 others); Mon, 17 Jul 2023 20:47:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46866 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229583AbjGRArb (ORCPT ); Mon, 17 Jul 2023 20:47:31 -0400 Received: from mail-oo1-xc2e.google.com (mail-oo1-xc2e.google.com [IPv6:2607:f8b0:4864:20::c2e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4AC2C10E3 for ; Mon, 17 Jul 2023 17:47:28 -0700 (PDT) Received: by mail-oo1-xc2e.google.com with SMTP id 006d021491bc7-5634db21a78so3293724eaf.0 for ; Mon, 17 Jul 2023 17:47:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1689641247; x=1692233247; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=7/VGkzHeIng6LZLdOiE8OpcvdoSFO1a2yPPXY5DYMhI=; b=ECb0Wdft3jRCG9h52I3ITA9rl8b2YQZCzZYMMw31VNkSX+I+t5WHZwOOQfPmn8zeBa N+PYlgS5IUX7+Ypav9vAtroMcd1Tnn7ArinCligpgu7iSl/WPZT09n6AMum5BceEjJdA 3z7n5FFsFHBYvtPCDNEVrcA0GSfExQJDHnTsY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689641247; x=1692233247; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7/VGkzHeIng6LZLdOiE8OpcvdoSFO1a2yPPXY5DYMhI=; b=eynWeLfPxDsCZRbVT4/suf/JgOmAtViqIYTiDJ+yNoqpziZMPs4oY9HIhfbSBpCKRi CfoZWzPxljnrPsGA5K80F7w+16sVyj/QbyPiF6kcd7PLmbKdEKfQ3dAKmUibFLMQi2JB uegKNbHd/eE5OT7DZ7w1EvUKguPvt+ReX9pu+MxstolAww8n+3NkvYR+gHSJAU4nBUEH IL73fLY2QnhuUdFDPsL5aetW83pkQ9WIN8XlqF3TSR/lwPbm4BStXmDsvgIlStHYGK7J xoc7nT3RQihCs6Yl/lqBa2uHYz9vlENRvhIyhlq7Ej/oahZQeY3mnjYE+U14uoNWtAJv 85Pg== X-Gm-Message-State: ABy/qLZBiQFQ3Eg0vSmsDgfl5EqOSVlzwFIX+VzojI18PPIEFWxXVQWQ 5OtS1dukT/fPSKw8iaFCShdQHzUMMepq3OZaJASEQDT++1Pskek1 X-Received: by 2002:a05:6808:1926:b0:3a4:3b56:68f0 with SMTP id bf38-20020a056808192600b003a43b5668f0mr1352445oib.41.1689641247628; Mon, 17 Jul 2023 17:47:27 -0700 (PDT) MIME-Version: 1.0 References: <20230713143406.14342-1-cyphar@cyphar.com> In-Reply-To: <20230713143406.14342-1-cyphar@cyphar.com> From: Jeff Xu Date: Mon, 17 Jul 2023 17:47:15 -0700 Message-ID: Subject: Re: [RFC PATCH 0/3] memfd: cleanups for vm.memfd_noexec To: Aleksa Sarai Cc: Andrew Morton , Shuah Khan , Jeff Xu , Kees Cook , Daniel Verkamp , Luis Chamberlain , YueHaibing , linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Aleksa, Thanks for your email and patches for discussion. On Thu, Jul 13, 2023 at 7:34=E2=80=AFAM Aleksa Sarai wr= ote: > > It seems that the most critical issue with vm.memfd_noexec=3D2 (the fact > that passing MFD_EXEC would bypass it entirely[1]) has been fixed in > Andrew's tree[2], but there are still some outstanding issues that need > to be addressed: > > * The dmesg warnings are pr_warn_once, which on most systems means that > they will be used up by systemd or some other boot process and > userspace developers will never see it. The original patch posted to > the ML used pr_warn_ratelimited but the merged patch had it changed > (with a comment about it being "per review"), but given that the > current warnings are useless, pr_warn_ratelimited makes far more > sense. > Ya, This was discussed in [1] Replacing pr_warn_once with pr_warn_ratelimited won't address Peter Xu's observation that "ratelimited" will fill syslog [2], I'm not sure it is acceptable to ones who is not interested in memfd, I will defer this to maintainers. [1] https://lore.kernel.org/lkml/202212161233.85C9783FB@keescook/ [2] https://lwn.net/ml/linux-kernel/Y5yS8wCnuYGLHMj4@x1n/ > * vm.memfd_noexec=3D2 shouldn't reject old-style memfd_create(2) syscall= s > because it will make it far to difficult to ever migrate. Instead it > should imply MFD_EXEC. > Though the purpose of memfd_noexec=3D2 is not to help with migration - but to disable creation of executable memfd for the current system/pid namespace. During the migration, vm.memfd_noexe =3D 1 helps overwriting for unmigrated user code as a temporary measure. Additional functionality/features should be implemented through security hook and LSM, not sysctl, I think. > * The ratcheting mechanism for vm.memfd_noexec doesn't make sense as a > security mechanism because a CAP_SYS_ADMIN capable user can create > executable binaries in a hidden tmpfs very easily, not to mention the > many other things they can do. > By further limiting CAP_SYS_ADMIN, an attacker can't modify this sysctl even after compromising some system service with high privilege, YAMA has the same approach for ptrace_scope=3D3 In addition, this sysctl is pid_name spaced, this means child pid_namespace will alway have the same or stricter security setting than its parent, this allows admin to maintain a tree like view. If we allow the child pid namespace to elevate its setting, then the system-wide setting is no longer meaningful. The code sample shared in this patch set indicates that the attacker already has the ability of creating tmpfs and executing complex steps, at that point, it doesn't matter if the code execution is from memfd or not. For a safe by default system such as ChromeOS, attackers won't easily run arbitrary code, memfd is one of the open doors for that, so we are disabling executable memfd in ChromeOS. In other words: if an attacker can already execute the arbitrary code as sample given in ChromeOS, without using executable memfd, then memfd is no longer the thing we need to worry about, the arbitrary code execution is already achieved by the attacker. Even though I use ChromeOS as an example, I think the same type of threat model applies to any system that wants to disable executable memfd entirely. > * The memfd selftests would not exit with a non-zero error code when > certain tests that ran in a forked process (specifically the ones > related to MFD_EXEC and MFD_NOEXEC_SEAL) failed. > I will test this code and follow up. Thanks! -Jeff Xu > (This patchset is based on top of Jeff Xu's patches[2] fixing the > MFD_EXEC bug in vm.memfd_noexec=3D2.) > > [1]: https://lore.kernel.org/all/ZJwcsU0vI-nzgOB_@codewreck.org/ > [2]: https://lore.kernel.org/all/20230705063315.3680666-1-jeffxu@google.c= om/ > > Aleksa Sarai (3): > memfd: cleanups for vm.memfd_noexec handling > memfd: remove racheting feature from vm.memfd_noexec > selftests: memfd: error out test process when child test fails > > include/linux/pid_namespace.h | 16 +++------ > kernel/pid_sysctl.h | 7 ---- > mm/memfd.c | 32 +++++++---------- > tools/testing/selftests/memfd/memfd_test.c | 41 ++++++++++++++++++---- > 4 files changed, 51 insertions(+), 45 deletions(-) > > -- > 2.41.0 > >