Received: by 2002:ab2:7855:0:b0:1f9:5764:f03e with SMTP id m21csp726626lqp; Wed, 22 May 2024 19:33:30 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWybVYpIe+HFBPmJnn//QpGY0ZxkjuIb2FNaqQumqJLayfGOzdOGtG7DL3lQeCoHlb064Q76g8i+cGT/oPz4fPkQH2BtQTgd+vFkFpZYg== X-Google-Smtp-Source: AGHT+IE8o4KPFm1XdyBiuhtKDH/i1AMYt05Dt3I1wTOFEXX9ozGj7wrgJUdvBs8j+TZPaIujBJgy X-Received: by 2002:a05:6a00:a01:b0:6f4:4850:428b with SMTP id d2e1a72fcca58-6f6d6163d54mr3739109b3a.22.1716431609683; Wed, 22 May 2024 19:33:29 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716431609; cv=pass; d=google.com; s=arc-20160816; b=wqUcqKO2qzNuPzoa0cO7J2td/BrgOYxcIud7mXkTRB84PJODDH3/+tJFchebfgLC5G CEB3GH9+JJdghzfa0s2oYWxQRAkIdex6lQ00nYAVd2ANQhoHaGYhme0oIcppe3SMeP7O /lua42Avqo6Mlqt7AlrhhYkFWRncoLeBHvB9XR23teCqP4bWdUqo9847DcfOUvERBbfC sLbMI0yF0ImiDQUxtFwOhMbUjf2eOmuAba8e5s198dYjmGuFNe4mb+o0N/unMYPrdNiu TKouee3JqnsF9pd0YCc3vX/fNMOXaAuXv6NYUAYY8uUBGypV5xu2zDS5UxAZ5XGjOq2p K9aw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=TRtZAXBVtEg5v5aAZ0fCa+gcBJjQ9sT10KYuWxMy/d8=; fh=E4cieijnLFh4cS91xXk0eeqAwgtpVbYD4l1VC3Xl6Os=; b=nVYcm+v+uSVYHv9xVsAEbkXqt2pz5tRarF6wB+GSYcFo+kdu63wAHH1oGAV+4pkcWG 1pRfiHsrUe208ga3/lQqzfFIF6FNwakzSsjM1WtdIDalwhLVzetQDNphprMlIagmPOPd Sv81NMAa96I7UdwZHDW3j7cKdg3VX65Sr8SMf+nLSFHvyuovqbl4RDdLhvSmyp5AvYjQ bkA2lqP7qPmvwBeTqau7cDOl8zG+f8ZZhWzlbl8Zm1Nwf/JRPdu5Pfxq9mkuP/E9ndIQ DU2/SqyKBQGi657VpW6FM9oz5eU30Z+QQu2pI3UfePHUUfGm5EiQ0JAJijQWO0mVBVJx vgpg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=xe1KfzvX; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-186918-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-186918-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id 41be03b00d2f7-63411719343si26212303a12.551.2024.05.22.19.33.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 May 2024 19:33:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-186918-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=xe1KfzvX; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-186918-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-186918-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 23F2AB20C5A for ; Thu, 23 May 2024 02:33:26 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id D6C9713A41E; Thu, 23 May 2024 02:33:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="xe1KfzvX" Received: from mail-ed1-f48.google.com (mail-ed1-f48.google.com [209.85.208.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F288E13A24A for ; Thu, 23 May 2024 02:33:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.48 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716431599; cv=none; b=Nk8G6QfbG3qoCZbj+v702BI8o8P4vUHPWdPqh/B6mSNpNx44GRvef1lJhOk0T8dYHbyA2yio/Mo+v/Ccyb2lU+3reNQz/QPynlCKrQ+qNoXMcTf99mw1AuLFaiaT7lMj8HZAagBVveW4YNoEzTyL3CD4jgB4+G+/l3OLTiGVMLY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716431599; c=relaxed/simple; bh=vpsfbCQk0PdJYIQqYIqdVJydenIqOknn2QrFSFRN3s0=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=gbAjbG22bJVZ17zTx1Q4mt8h5f/dVv9NRj/Zlgl9/l+UmD6/J1N2u+tHOQ5nB/YYfDaBvThZ2GVNkumn8So8IaBJRLfnJTfhXRtHNER2+0K32EAaWDLrVFv8Zveaz+iTjxj27auxcwwjl7KEsJ2NZBvJjNieQxizZk9ZgRCBqEg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=xe1KfzvX; arc=none smtp.client-ip=209.85.208.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Received: by mail-ed1-f48.google.com with SMTP id 4fb4d7f45d1cf-5750a8737e5so6887a12.0 for ; Wed, 22 May 2024 19:33:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1716431594; x=1717036394; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=TRtZAXBVtEg5v5aAZ0fCa+gcBJjQ9sT10KYuWxMy/d8=; b=xe1KfzvX2cgjKMZAUBX6/pOGb8IgIdWXO00oYHE6+V6nx31e2T5I6UITU9czEV7KGJ d1ig3RCbyGQcNyAD5w3YJKoNDhU0ujUhbkP6GPfFVF5BAJ1Qnm2mvN0oxQV9NjCUCUSi +prF9Tve4NF+e6g87YfNgTNEDfy+Li2mur48p7jWq8mDMpl0ZQBw35RqstcsK3tqRtfu qsPLbfU1BrkBF+uizyeTWFGa32AvkBuUqR68eAEaZrbdhQtdzvQkW7yOMOTet99IPTcs z6WQ25AhPdiOpcsC8lyt9+EqL+TB+LDtTjXnUZwsCdrIa5kT7J0j2/srYYOMQkqT/ZdY gJRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716431594; x=1717036394; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TRtZAXBVtEg5v5aAZ0fCa+gcBJjQ9sT10KYuWxMy/d8=; b=QxhPAc1LcXLmV3FIiuMpP0rV9NrTRjNrcVxD6HaoPtWIZ5iPecuk0rj64wngIC0ZPb MiZ4ubBPZ7DETvTi3/VkqfGPxZ62n6+pEkScid8sAc7k2Wwb/wqj+WBWtFbXgqryRHVt vs2dsoP4WpbhgCCpvX4syjLuhpPrbkiIqHlKJqdVlecX2kwklMlqr2zuP+hq3Oo/uWuy xs13XCaDp52BvsNLreDdaJ8EDUy9TIpuXeFlrbyrpdtIJ8vKFmNa/Ybhsj9Z/A1TFWwg q4LJ0q7dBFfeoq+ZZzMN2v5GzSp03tKJr9wwLs5IViS8lCeY+jgY16fnUUIDo2vm1zxu D2sQ== X-Forwarded-Encrypted: i=1; AJvYcCXa1x0WogHAGhJ/jQAIvUS5w4J+sBTCi4E1p4Pv04dA1HiUsveqxHuAQ9KjJchoQO3zMkwVMdJQ0Q/AgC2nPoFHMF79fos7JYdciee0 X-Gm-Message-State: AOJu0YzYbDXI4sV7O4kWoVwaeRWtsuA52OTnE93VfQs5rl1Be1Kz+GGZ cEFb5u4qkKfaOKvisK42jUAkg7N2War9WiAffek+PTFGcpN3RNk864LmDqQEl20eLFaOffIWWts CC/K3L7lzDWEo7XjrW/yZiHqng6D67IJRzoEu8qL2BKZA6Gj2wg== X-Received: by 2002:a05:6402:3549:b0:572:a154:7081 with SMTP id 4fb4d7f45d1cf-57843f25a14mr100130a12.4.1716431594087; Wed, 22 May 2024 19:33:14 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240513191544.94754-1-pobrn@protonmail.com> <20240522162324.0aeba086228eddd8aff4f628@linux-foundation.org> In-Reply-To: <20240522162324.0aeba086228eddd8aff4f628@linux-foundation.org> From: Jeff Xu Date: Wed, 22 May 2024 19:32:35 -0700 Message-ID: Subject: Re: [PATCH v1] memfd: `MFD_NOEXEC_SEAL` should not imply `MFD_ALLOW_SEALING` To: Andrew Morton Cc: =?UTF-8?B?QmFybmFiw6FzIFDFkWN6ZQ==?= , linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jorgelo@chromium.org, skhan@linuxfoundation.org, keescook@chromium.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, May 22, 2024 at 4:23=E2=80=AFPM Andrew Morton wrote: > > On Wed, 15 May 2024 23:11:12 -0700 Jeff Xu wrote: > > > On Mon, May 13, 2024 at 12:15=E2=80=AFPM Barnab=C3=A1s P=C5=91cze wrote: > > > > > > `MFD_NOEXEC_SEAL` should remove the executable bits and set > > > `F_SEAL_EXEC` to prevent further modifications to the executable > > > bits as per the comment in the uapi header file: > > > > > > not executable and sealed to prevent changing to executable > > > > > > However, currently, it also unsets `F_SEAL_SEAL`, essentially > > > acting as a superset of `MFD_ALLOW_SEALING`. Nothing implies > > > that it should be so, and indeed up until the second version > > > of the of the patchset[0] that introduced `MFD_EXEC` and > > > `MFD_NOEXEC_SEAL`, `F_SEAL_SEAL` was not removed, however it > > > was changed in the third revision of the patchset[1] without > > > a clear explanation. > > > > > > This behaviour is suprising for application developers, > > > there is no documentation that would reveal that `MFD_NOEXEC_SEAL` > > > has the additional effect of `MFD_ALLOW_SEALING`. > > > > > Ya, I agree that there should be documentation, such as a man page. I w= ill > > work on that. > > > > > So do not remove `F_SEAL_SEAL` when `MFD_NOEXEC_SEAL` is requested. > > > This is technically an ABI break, but it seems very unlikely that an > > > application would depend on this behaviour (unless by accident). > > > > > > [0]: https://lore.kernel.org/lkml/20220805222126.142525-3-jeffxu@goog= le.com/ > > > [1]: https://lore.kernel.org/lkml/20221202013404.163143-3-jeffxu@goog= le.com/ > > > > ... > > > > Reviewed-by: Jeff Xu > > It's a change to a userspace API, yes? Please let's have a detailed > description of why this is OK. Why it won't affect any existing users. > Unfortunately, this is a breaking change that might break a application if they do below: memfd_create("", MFD_NOEXEC_SEAL) fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE); <-- this will fail in new semantics, due to mfd not being sealable. However, I still think the new semantics is a better, the reason is due to the sysctl: memfd_noexec_scope Currently, when the sysctl is set to MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL kernel adds MFD_NOEXEC_SEAL to memfd_create, and the memfd becomes sealabl= e. E.g. When the sysctl is set to MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL The app calls memfd_create("",0) application will get sealable memfd, which might be a surprise to applicati= on. If the app doesn't want this behavior, they will need one of two below in current implementation. 1> set the sysctl: memfd_noexec_scope to 0. So the kernel doesn't overwrite the mdmfd_create 2> modify their code to get non-sealable NOEXEC memfd. memfd_create("", MEMFD_NOEXEC_SCOPE_NOEXEC) fcntl(fd, F_ADD_SEALS, F_SEAL_SEAL) The new semantics works better with the sysctl. Since memfd noexec is new, maybe there is no application using the MFD_NOEXEC_SEAL to create sealable memfd. They mostly likely use memfd(MFD_NOEXEC_SEAL|MFD_ALLOW_SEALING) instead. I think it might benefit in the long term with the new semantics. If breaking change is not recommended, the alternative is to introduce a new flag. MFD_NOEXEC_SEAL_SEAL. (I can't find a better name...) What do you think ? > Also, please let's give consideration to a -stable backport so that all > kernel versions will eventually behave in the same manner. > Yes. If the new semantics is acceptable, backport is needed as bugfix to all kernel versions. I can do that if someone helps me with the process. And sorry about this bug that I created.