From: Jeff Xu
Date: Thu, 23 May 2024 09:20:55 -0700
Subject: Re: [PATCH v1] memfd: `MFD_NOEXEC_SEAL` should not imply `MFD_ALLOW_SEALING`
To: David Rheinsberg, Aleksa Sarai
Cc: Barnabás Pőcze, Andrew Morton, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, dmitry.torokhov@gmail.com, Daniel Verkamp, hughd@google.com, jorgelo@chromium.org, skhan@linuxfoundation.org, Kees Cook
References: <20240513191544.94754-1-pobrn@protonmail.com> <20240522162324.0aeba086228eddd8aff4f628@linux-foundation.org> <1KDsEBw8g7ymBVpGJZp9NRH1HmCBsQ_jjQ_jKOg90gLUFhW5W6lcG-bI4-5OPkrD24RiG7G83VoZL4SXPQjfldsNFDg7bFnFFgrVZWwSWXQ=@protonmail.com> <08450f80-4c33-40db-886f-fee18e531545@app.fastmail.com>
In-Reply-To: <08450f80-4c33-40db-886f-fee18e531545@app.fastmail.com>

On Thu, May 23, 2024 at 1:24 AM David Rheinsberg wrote:
>
> Hi
>
> On Thu, May 23, 2024, at 4:25 AM, Barnabás Pőcze wrote:
> > On Thursday, 23 May 2024 at 1:23, Andrew Morton wrote:
> >> It's a change to a userspace API, yes? Please let's have a detailed
> >> description of why this is OK. Why it won't affect any existing users.
> >
> > Yes, it is a uAPI change. To trigger user visible change, a program has to
> >
> > - create a memfd
> >   - with MFD_NOEXEC_SEAL,
> >   - without MFD_ALLOW_SEALING;
> > - try to add seals / check the seals.
> >
> > This change in essence reverts the kernel's behaviour to that of Linux <6.3, where
> > only `MFD_ALLOW_SEALING` enabled sealing. If a program works correctly on those
> > kernels, it will likely work correctly after this change.
> >
> > I have looked through Debian Code Search and GitHub, searching for `MFD_NOEXEC_SEAL`.
> > And I could find only a single breakage that this change would cause: dbus-broker
> > has its own memfd_create() wrapper that is aware of this implicit `MFD_ALLOW_SEALING`
> > behaviour[0], and tries to work around it. This workaround will break. Luckily,
> > however, as far as I could tell this only affects the test suite of dbus-broker,
> > not its normal operations, so I believe it should be fine. I have prepared a PR
> > with a fix[1].
>
> We asked for exactly this fix before, so I very much support this. Our test-suite
> in `dbus-broker` merely verifies what the current kernel behavior is (just like
> the kernel selftests). I am certainly ok if the kernel breaks it. I will gladly
> adapt the test-suite.
>
> Previous discussion was in:
>
> [PATCH] memfd: support MFD_NOEXEC alongside MFD_EXEC
> https://lore.kernel.org/lkml/20230714114753.170814-1-david@readahead.eu/
>
> Note that this fix is particularly important in combination with
> `vm.memfd_noexec=2`, since this breaks existing user-space by enabling sealing
> on all memfds unconditionally. I also encourage backporting to stable kernels.
>
Also with vm.memfd_noexec=1.
I think that problem must be addressed either with this patch, or with a new flag.

Regarding vm.memfd_noexec, on another topic.
I think in addition to vm.memfd_noexec = 1 and 2, there still could be another state: 3

=0. Do nothing.
=1. This will add MFD_NOEXEC_SEAL if application didn't set EXEC or MFD_NOEXEC_SEAL (to help with the migration)
=2: This will reject all calls without MFD_NOEXEC_SEAL (the whole system doesn't allow executable memfd)
=3: Application must set MFD_EXEC or MFD_NOEXEC_SEAL explicitly, or else it will be rejected.

3 is useful because it lets applications choose what to use, and forces
applications to migrate to new semantics (this is what 2 did before 9876cfe8).
The caveat is 3 is less restrictive than 2, so must document it clearly.

-Jeff

> Reviewed-by: David Rheinsberg
>
> Thanks
> David
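The reproduction steps quoted above (create a memfd with MFD_NOEXEC_SEAL but without MFD_ALLOW_SEALING, then check and try to add seals) can be turned into a small probe. The program below is an added example written for this page; it is not part of the patch, of dbus-broker, or of the kernel selftests. It classifies the running kernel by whether F_SEAL_SEAL is still set on such a memfd: cleared means the kernel implied MFD_ALLOW_SEALING (the 6.3-to-pre-fix behaviour the patch removes), set means only MFD_ALLOW_SEALING enables sealing (pre-6.3 and fixed kernels). The memfd names, the enum and the function names are this example's own; the flag and seal values are the uAPI constants, defined locally only for libcs whose headers predate them.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* uAPI values from include/uapi/linux/memfd.h and fcntl.h, in case the
 * libc headers on the build host are older than the kernel. */
#ifndef MFD_NOEXEC_SEAL
#define MFD_NOEXEC_SEAL 0x0008U
#endif
#ifndef MFD_EXEC
#define MFD_EXEC 0x0010U
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

enum sealing_mode {
	SEALING_UNSUPPORTED, /* memfd_create(MFD_NOEXEC_SEAL) failed, e.g. EINVAL on < 6.3 */
	SEALING_IMPLIED,     /* F_SEAL_SEAL cleared without MFD_ALLOW_SEALING: 6.3 up to the fix */
	SEALING_DISABLED     /* F_SEAL_SEAL still set: only MFD_ALLOW_SEALING enables sealing */
};

/* Pure classification of an F_GET_SEALS result, kept separate so the
 * decision logic can be exercised without a kernel in the loop.
 * A negative argument means the fcntl() itself failed. */
enum sealing_mode classify_seals(int seals)
{
	if (seals < 0)
		return SEALING_UNSUPPORTED;
	return (seals & F_SEAL_SEAL) ? SEALING_DISABLED : SEALING_IMPLIED;
}

/* The trigger from the thread: MFD_NOEXEC_SEAL alone, then inspect the
 * seals and attempt to add one. The F_ADD_SEALS attempt cross-checks the
 * F_GET_SEALS reading: with F_SEAL_SEAL set it must fail with EPERM. */
enum sealing_mode probe_noexec_seal(void)
{
	int fd = memfd_create("noexec-seal-probe", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
	if (fd < 0)
		return SEALING_UNSUPPORTED;

	enum sealing_mode mode = classify_seals(fcntl(fd, F_GET_SEALS));

	if (fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK) == 0)
		mode = SEALING_IMPLIED;
	else if (errno == EPERM)
		mode = SEALING_DISABLED;

	close(fd);
	return mode;
}

/* Portable pattern for programs that want a memfd that is both
 * non-executable and sealable: pass both flags explicitly. This behaves
 * the same on every kernel that accepts MFD_NOEXEC_SEAL, before and after
 * the patch. Returns the fd, or -errno on failure. */
int create_sealable_noexec_memfd(const char *name)
{
	int fd = memfd_create(name, MFD_CLOEXEC | MFD_NOEXEC_SEAL | MFD_ALLOW_SEALING);
	return fd < 0 ? -errno : fd;
}

int main(void)
{
	static const char *const names[] = {
		"unsupported (memfd_create failed)",
		"MFD_NOEXEC_SEAL implied MFD_ALLOW_SEALING (6.3 .. pre-fix kernel)",
		"sealing disabled without MFD_ALLOW_SEALING (< 6.3 or fixed kernel)",
	};
	printf("MFD_NOEXEC_SEAL alone: %s\n", names[probe_noexec_seal()]);

	int fd = create_sealable_noexec_memfd("explicit-flags");
	if (fd < 0) {
		printf("explicit flags: memfd_create failed: %s\n", strerror(-fd));
		return 1;
	}
	int seals = fcntl(fd, F_GET_SEALS);
	printf("explicit flags: seals=0x%x (F_SEAL_EXEC %s, F_SEAL_SEAL %s)\n", seals,
	       (seals & F_SEAL_EXEC) ? "set" : "clear",
	       (seals & F_SEAL_SEAL) ? "set" : "clear");
	close(fd);
	return 0;
}
```

Run it on a 6.3 or later kernel before and after the patch to see the first line flip from "implied" to "disabled"; the second line is unchanged in both cases, which is the migration path for code such as the dbus-broker wrapper mentioned above: request MFD_ALLOW_SEALING explicitly instead of relying on MFD_NOEXEC_SEAL to supply it.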