Received: by 2002:ab2:6309:0:b0:1fb:d597:ff75 with SMTP id s9csp1135345lqt;
        Fri, 7 Jun 2024 08:58:35 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCXzf0xXkMMjU1+Fc2HTn87UDHKQylPUn8vMef2SI6EvdHLZi/bYID2IoDiaT+pFve/+SYCYRGxMqoBgRj1O7JPrkzyQxO/3yM9JGegh8g==
X-Google-Smtp-Source: AGHT+IEjSXf7++zIjLcX/k+/FouQ2stoGZ43zuAE3xqi8fTy5USgIaMoeWvgLOrU/Vi6CzEwQr47
X-Received: by 2002:a05:6214:5c01:b0:6ae:116b:ef71 with SMTP id 6a1803df08f44-6b059bc7f92mr36543586d6.35.1717775915516;
        Fri, 07 Jun 2024 08:58:35 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1717775915; cv=pass;
        d=google.com; s=arc-20160816;
        b=DDxo4YdbZupGA+x0Q6/oOpcLI1dto5dc6RhNTgRz8yPhEKx89Vj0muhkNanoih13Kd
         IMLkIzfnjBFlBD4eRNU7ESxLXCUoFlxUoZfQ+bci+fkZYIocj5xrD9Cgd6cmzCRiODnv
         uMtH/Uak7NCJANefAploSceIMt/XymIitO6UOhavx4xUO3U2JVPzkNLWqgyMNnrcyf2q
         cbXeZXyCTS2KGGAGBecplXFNWFDBuJzSUy5yzgWfeEm72w//5BJ9ft11J5QDbcb8mhOD
         YT0VF9X6HDlzLg1Ley4RfrwOH9q21H6xkelFxr7DsDrlAEoSCzogsK4XjJ4+bVdT7iSv
         Fbbg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe
         :list-id:precedence:dkim-signature;
        bh=TEadrKSLCgbuFYvra79wv6BZ/tbvq8SfRbQUE/5o6is=;
        fh=jwygLywaTbeeUVgY6mpd0mYIDX19Dsq2eBaL7NBXb9Q=;
        b=NDsi+VwVuDu1y5grAGFzYGOwxqGhgicSPX/HFUgiNRNPJdrnuIjcXYYEV2eIFNxc35
         I73illy06G7cyBvvmOWPI7f8+3P/rdZwTtvAQ4DFpvVx72658u8DW9fbbMXF2rSvZ9/W
         GiJOfNueVWk3WP31pAiw2RKtksgZqDZEr/y73eLvJFkNA+8WT7KCCEUBXTlXmfQQFKuD
         qXIOyrlyoguId5kTVAw9Q5J8F3ZD8dSgzIfl5SbABWxcSqa5AkSyHAf585e/EQNlvlHV
         YaY6RL2mxzqfP8j8Le4mv1sAfJmj6tFfwTLLO8aWsptN7YHUzG4GYOU8W1arERtwx1Gf
         8jOQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=A2odiTsw;
       arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org);
       spf=pass (google.com: domain of linux-kernel+bounces-206439-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-206439-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel+bounces-206439-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id 6a1803df08f44-6b04f967cd3si41184886d6.229.2024.06.07.08.58.35
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 07 Jun 2024 08:58:35 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-206439-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=A2odiTsw;
       arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org);
       spf=pass (google.com: domain of linux-kernel+bounces-206439-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-206439-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 2E0011C22B49
	for <linux.lists.archive@gmail.com>; Fri,  7 Jun 2024 15:58:35 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 40BE919A2A8;
	Fri,  7 Jun 2024 15:58:24 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="A2odiTsw"
Received: from mail-oi1-f174.google.com (mail-oi1-f174.google.com [209.85.167.174])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id DB84119414D
	for <linux-kernel@vger.kernel.org>; Fri,  7 Jun 2024 15:58:21 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.174
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1717775903; cv=none; b=dqgyvhSDnoBpN4k4ZhP6HkHayTyQb+yHgXnkVWBLdQ4UIn1nd16Jp61t2yVRsCTuuUPBQHP6GhPk9Mj+Zrds3PdkBXeEPWCXVDfW3uG68LlfMAgy7fsb5OApwK6e9wyx80A3dP7Li4Tfp17FtV282/7gnUOHNZ73aIrcKm7Rffk=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1717775903; c=relaxed/simple;
	bh=s1JvENtGfwCSbl34GscOC+aW3XbtXE7cv0+2CV0e8uQ=;
	h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:
	 To:Cc:Content-Type; b=fDm+daHkNUTOVfy9FaZ0+6p+stG4gWVgElrXE4iNIohaMe+/PEW+AU5bwTFNfdSoY+av/WtRGAI2MrX7YCyPzfwE6a4NMAmSjzM5RLbpU3uaFI7lh+yl93XMv2XoIscdBOAkbGanISWULntXivxmo8z3dRw522OaktLxhbj/cvs=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=A2odiTsw; arc=none smtp.client-ip=209.85.167.174
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org
Received: by mail-oi1-f174.google.com with SMTP id 5614622812f47-3d200c45db5so1273958b6e.1
        for <linux-kernel@vger.kernel.org>; Fri, 07 Jun 2024 08:58:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1717775901; x=1718380701; darn=vger.kernel.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=TEadrKSLCgbuFYvra79wv6BZ/tbvq8SfRbQUE/5o6is=;
        b=A2odiTsw9WFX43GAf7A9LjVbjJdaFzR84DJqUae0HCzxhGNwD43rmMZmIHfC1zpb3j
         1+yc2z6db0GsA+Po7fstjDRkYnOb/HDQk6RrAF3qSvOlAq1JaOKiSG+EGQBjY/YnxL/c
         nv/i0lB4AfcSBRl95ur9XjHYLbTvrN9/+tcIc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1717775901; x=1718380701;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=TEadrKSLCgbuFYvra79wv6BZ/tbvq8SfRbQUE/5o6is=;
        b=vgEbfRZSBYdFG80FgCMnCPtkh293vGAHj6RCBkRyqkarrsgVxAXgWytIp6noToXuQO
         kFxfszd9wURrFFILDE4eNgafQTZDz5/k2C281xio32E9EobJlmGR9ommgxzaf6BsjZ6g
         y+xcnPep++XYtyyR3zQXoeVkec2H/LjHI9gCvqC7YvWFVFRtCKe/3JBiPLCgNYMVdFF3
         PUK1y3im/zpZZ19w1cNSpnWVpt+uGdzbwKe7/iwuBEYPsMDbwIXipxqekfcwRFxpAUVW
         yH1O5Iwo1ySk7HQD1ZmEpoDzYU4RQ6ownINuIkKH5yxUE75gn5r74rJt6I00dQPykCsz
         2fNw==
X-Forwarded-Encrypted: i=1; AJvYcCXC3w7hWps0TJGGmtE3S6K7tW6qrmJCWpVO9enLr/u2j1hssVmzDHkMte8UNYWkZHw/cxI7b81vNYjopLk60o0A0sVDJpj6CqNvQIG9
X-Gm-Message-State: AOJu0YzPLHMzpTUbncOhObz9tsF31fSW8w17bMP5VeixPGVvA4g6GKp1
	K8H/wAltFK9ZfXr6feYyi0e0/kP1dACQD3XmUr7/KhVs/CxdyiblpzRASCcpKvjEw9t40xfif28
	UBaitsIvki9VJYBP8ZjimqNYmlQPA1v0v9p6lDWYOX4e9xDA=
X-Received: by 2002:a05:6871:289:b0:254:8bb9:d0c2 with SMTP id
 586e51a60fabf-2548bba70dbmr376857fac.33.1717775900892; Fri, 07 Jun 2024
 08:58:20 -0700 (PDT)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
References: <20240513191544.94754-1-pobrn@protonmail.com> <CALmYWFt7MYbWrCDVEKH4DrMQGxaXA2kK8qth-JVxzkvMd6Ohtg@mail.gmail.com>
 <20240522162324.0aeba086228eddd8aff4f628@linux-foundation.org>
 <1KDsEBw8g7ymBVpGJZp9NRH1HmCBsQ_jjQ_jKOg90gLUFhW5W6lcG-bI4-5OPkrD24RiG7G83VoZL4SXPQjfldsNFDg7bFnFFgrVZWwSWXQ=@protonmail.com>
 <08450f80-4c33-40db-886f-fee18e531545@app.fastmail.com> <CALmYWFv9dK5ZPzwx3WCLMXzuuDadvFxh84+8rrT7aL105+ZZAQ@mail.gmail.com>
 <CALmYWFtedtEnfGFp5DYacHYOE7+GB8yoQC-iyw7JAxySmgQ7vw@mail.gmail.com>
 <f880562e-9521-4270-82e2-c6fb14dc853a@app.fastmail.com> <CALmYWFuPBEM2DE97mQvB2eEgSO9Dvt=uO9OewMhGfhGCY66Hbw@mail.gmail.com>
 <1e1edbdc-f91f-4106-baa6-b765b78e6abc@app.fastmail.com>
In-Reply-To: <1e1edbdc-f91f-4106-baa6-b765b78e6abc@app.fastmail.com>
From: Jeff Xu <jeffxu@chromium.org>
Date: Fri, 7 Jun 2024 08:58:08 -0700
Message-ID: <CABi2SkUMppyL_LRKJV6BfgGu=1GpGCEOdZ5VHCENMUtzHcRTkA@mail.gmail.com>
Subject: Re: [PATCH v1] memfd: `MFD_NOEXEC_SEAL` should not imply `MFD_ALLOW_SEALING`
To: David Rheinsberg <david@readahead.eu>
Cc: Jeff Xu <jeffxu@google.com>, Aleksa Sarai <cyphar@cyphar.com>, 
	=?UTF-8?B?QmFybmFiw6FzIFDFkWN6ZQ==?= <pobrn@protonmail.com>, 
	Andrew Morton <akpm@linux-foundation.org>, linux-mm@kvack.org, 
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, 
	dmitry.torokhov@gmail.com, Daniel Verkamp <dverkamp@chromium.org>, hughd@google.com, 
	jorgelo@chromium.org, skhan@linuxfoundation.org, 
	Kees Cook <keescook@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi David,

On Fri, Jun 7, 2024 at 1:38=E2=80=AFAM David Rheinsberg <david@readahead.eu=
> wrote:
>
> Hi
>
> On Tue, May 28, 2024, at 7:13 PM, Jeff Xu wrote:
> >> > Another solution is to change memfd to be by-default sealable,
> >> > although that will be an api change, but what side effect  will it b=
e
> >> > ?
> >> > If we are worried about the memfd being sealed by an attacker, the
> >> > malicious code could also overwrite the content since memfd is not
> >> > sealed.
> >>
> >> You cannot change the default-seals retrospectively. There are existin=
g shmem-users that share file-descriptors and *expect* the other party to b=
e able to override data, but do *not* expect the other party to be able to =
apply seals. Note that these models explicitly *want* shared, writable acce=
ss to the buffer (e.g., render-client shares a buffer with the display serv=
er for scanout), so just because you can *write* to a shmem-file does not m=
ean that sharing is unsafe (e.g., using SIGBUS+mmap can safely deal with pa=
ge-faults).
> >>
> > If the other party is controlled by an attacker, the attacker can
> > write garbage to the shm-file/memfd, that is already the end of the
> > game, at that point, sealing is no longer a concern, right?
>
> No. If a graphics client shares a buffer with a graphics server, the clie=
nt is free to write garbage into the buffer. This is not unsafe. The graphi=
cs server will display whatever the client writes into the buffer. This is =
completely safe, without sealing and with a writable buffer.
>
> > If the threat-model is preventing attacker on the other side to write
> > the garbage data, then F_SEAL_WRITE|F_SEAL_SHRINK|F_SEAL_GROW can be
> > applied, in that case, default-sealable seems preferable because of
> > less code change.
>
> Again, the threat-model is *NOT* concerned with writes.
>
> Graphics clients/servers are a good example where *ANY* data is valid and=
 can be processed by the privileged server. Hence, *ANY* writes are allowed=
 and safe. No need for any seals. Those setups existed way before `memfd_cr=
eate` was added (including seals).
>
> However, when windows are resized, graphic buffers need to be resized as =
well. In those setups, the graphics server might call `ftruncate(2)`. If yo=
u suddenly make shmem-files sealable by default, a client can set `F_SEAL_S=
HRINK/GROW` and the privileged graphics server will get an error from `ftru=
ncate(2)`, which it might not be able to handle, as it correctly never expe=
cted this to happen.
>

The graphic buffer  is a good example for shmem-files of
not-sealable-by-default. Thanks for the details.

-Jeff


> Thanks
> David