Date: Mon, 13 May 2024 19:15:47 +0000
To: linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, skhan@linuxfoundation.org, keescook@chromium.org
From: Barnabás Pőcze
Subject: [PATCH v1] memfd: `MFD_NOEXEC_SEAL` should not imply `MFD_ALLOW_SEALING`
Message-ID: <20240513191544.94754-1-pobrn@protonmail.com>

`MFD_NOEXEC_SEAL` should remove the executable bits and set
`F_SEAL_EXEC` to prevent further modifications to the executable
bits as per the comment in the uapi header file:

  not executable and sealed to prevent changing to executable

However, currently, it also unsets `F_SEAL_SEAL`, essentially
acting as a superset of `MFD_ALLOW_SEALING`. Nothing implies
that it should be so, and indeed up until the second version
of the patchset[0] that introduced `MFD_EXEC` and
`MFD_NOEXEC_SEAL`, `F_SEAL_SEAL` was not removed, however it
was changed in the third revision of the patchset[1] without
a clear explanation.

This behaviour is surprising for application developers,
there is no documentation that would reveal that `MFD_NOEXEC_SEAL`
has the additional effect of `MFD_ALLOW_SEALING`.

So do not remove `F_SEAL_SEAL` when `MFD_NOEXEC_SEAL` is requested.
This is technically an ABI break, but it seems very unlikely that an
application would depend on this behaviour (unless by accident).

[0]: https://lore.kernel.org/lkml/20220805222126.142525-3-jeffxu@google.com/
[1]: https://lore.kernel.org/lkml/20221202013404.163143-3-jeffxu@google.com/

Fixes: 105ff5339f498a ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC")
Signed-off-by: Barnab=C3=A1s P=C5=91cze --- Or did I miss the explanation as to why MFD_NOEXEC_SEAL should imply MFD_ALLOW_SEALING? If so, please direct me to it and sorry for the noise. --- mm/memfd.c | 9 ++++----- tools/testing/selftests/memfd/memfd_test.c | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/mm/memfd.c b/mm/memfd.c index 7d8d3ab3fa37..8b7f6afee21d 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -356,12 +356,11 @@ SYSCALL_DEFINE2(memfd_create, =20 =09=09inode->i_mode &=3D ~0111; =09=09file_seals =3D memfd_file_seals_ptr(file); -=09=09if (file_seals) { -=09=09=09*file_seals &=3D ~F_SEAL_SEAL; +=09=09if (file_seals) =09=09=09*file_seals |=3D F_SEAL_EXEC; -=09=09} -=09} else if (flags & MFD_ALLOW_SEALING) { -=09=09/* MFD_EXEC and MFD_ALLOW_SEALING are set */ +=09} + +=09if (flags & MFD_ALLOW_SEALING) { =09=09file_seals =3D memfd_file_seals_ptr(file); =09=09if (file_seals) =09=09=09*file_seals &=3D ~F_SEAL_SEAL; diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/sel= ftests/memfd/memfd_test.c index 18f585684e20..b6a7ad68c3c1 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -1151,7 +1151,7 @@ static void test_noexec_seal(void) =09=09=09 mfd_def_size, =09=09=09 MFD_CLOEXEC | MFD_NOEXEC_SEAL); =09mfd_assert_mode(fd, 0666); -=09mfd_assert_has_seals(fd, F_SEAL_EXEC); +=09mfd_assert_has_seals(fd, F_SEAL_SEAL | F_SEAL_EXEC); =09mfd_fail_chmod(fd, 0777); =09close(fd); } --=20 2.45.0
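
Review bot: in the mm/memfd.c hunk, turning `} else if (flags & MFD_ALLOW_SEALING) {` into a standalone `if` drops the only comment on this branch and leaves the new rule unstated in the code: F_SEAL_SEAL is now cleared solely on an explicit MFD_ALLOW_SEALING, so a memfd created with MFD_NOEXEC_SEAL alone keeps F_SEAL_SEAL and a later F_ADD_SEALS on it is refused where it previously succeeded. Please add a one-line comment above `if (flags & MFD_ALLOW_SEALING) {` saying so, and since the commit message itself calls this an ABI break, pair the patch with a documentation update stating that MFD_NOEXEC_SEAL does not permit further sealing. Minor: `memfd_file_seals_ptr(file)` is now looked up twice when both flags are passed; fetching it once before the two `if` blocks would be tidier.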
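
Review bot: the selftest hunk only flips the expectation in test_noexec_seal() for `MFD_CLOEXEC | MFD_NOEXEC_SEAL`; within the visible lines nothing exercises the path the mm/memfd.c change makes newly reachable, namely MFD_NOEXEC_SEAL combined with MFD_ALLOW_SEALING. Unless that is covered elsewhere in memfd_test.c, add a case that creates the memfd with `MFD_CLOEXEC | MFD_NOEXEC_SEAL | MFD_ALLOW_SEALING` and asserts the seals are exactly F_SEAL_EXEC, and extend this test to check that adding a further seal fails now that F_SEAL_SEAL is expected.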