Message-ID: <595b6353-6da6-432b-96b4-42c4e3ec1146@infradead.org>
Date: Tue, 11 Jun 2024 15:40:59 -0700
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 1/1] mm/memfd: add documentation for MFD_NOEXEC_SEAL MFD_EXEC
To: jeffxu@chromium.org
Cc: akpm@linux-foundation.org, cyphar@cyphar.com, david@readahead.eu, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pobrn@protonmail.com, skhan@linuxfoundation.org, stable@vger.kernel.org
References: <20240611034903.3456796-1-jeffxu@chromium.org> <20240611034903.3456796-2-jeffxu@chromium.org>
From: Randy Dunlap
In-Reply-To: <20240611034903.3456796-2-jeffxu@chromium.org>

On 6/10/24 8:49 PM, jeffxu@chromium.org wrote:
> From: Jeff Xu
>
> Add documentation for memfd_create flags: MFD_NOEXEC_SEAL
> and MFD_EXEC
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Jeff Xu
>
> ---
> Documentation/userspace-api/index.rst | 1 +
> Documentation/userspace-api/mfd_noexec.rst | 86 ++++++++++++++++++++++
> 2 files changed, 87 insertions(+)
> create mode 100644 Documentation/userspace-api/mfd_noexec.rst
>
> diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst
> index 5926115ec0ed..8a251d71fa6e 100644
> --- a/Documentation/userspace-api/index.rst
> +++ b/Documentation/userspace-api/index.rst
> @@ -32,6 +32,7 @@ Security-related interfaces
> seccomp_filter
> landlock
> lsm
> + mfd_noexec
> spec_ctrl
> tee
>
> diff --git a/Documentation/userspace-api/mfd_noexec.rst b/Documentation/userspace-api/mfd_noexec.rst
> new file mode 100644
> index 000000000000..ec6e3560fbff
> --- /dev/null
> +++ b/Documentation/userspace-api/mfd_noexec.rst
> @@ -0,0 +1,86 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +==================================
> +Introduction of non executable mfd

Missed: non-executable

> +==================================
> +:Author:
> + Daniel Verkamp
> + Jeff Xu
> +
> +:Contributor:
> + Aleksa Sarai
> +
> +Since Linux introduced the memfd feature, memfds have always had their
> +execute bit set, and the memfd_create() syscall doesn't allow setting
> +it differently.
> +
> +However, in a secure-by-default system, such as ChromeOS, (where all
> +executables should come from the rootfs, which is protected by verified
> +boot), this executable nature of memfd opens a door for NoExec bypass
> +and enables “confused deputy attack”. E.g, in VRP bug [1]: cros_vm
> +process created a memfd to share the content with an external process,
> +however the memfd is overwritten and used for executing arbitrary code
> +and root escalation. [2] lists more VRP of this kind.
> +
> +On the other hand, executable memfd has its legit use: runc uses memfd’s
> +seal and executable feature to copy the contents of the binary then
> +execute them. For such a system, we need a solution to differentiate runc's
> +use of executable memfds and an attacker's [3].
> +
> +To address those above:
> + - Let memfd_create() set X bit at creation time.
> + - Let memfd be sealed for modifying X bit when NX is set.
> + - Add a new pid namespace sysctl: vm.memfd_noexec to help applications

to help applications in

> + migrating and enforcing non-executable MFD.
> +
> +User API
> +========

The rest looks good.
Thanks.

--
~Randy
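Review bot: in the mfd_noexec.rst hunk, the introduction cites [1], [2] and [3] (the VRP bug, the list of similar VRPs, and the runc reference) but none of them is defined in the part of the new file shown here; the hunk is cut off after "User API", so please confirm the rest of the file carries a references section that resolves all three markers, otherwise the Sphinx build will leave dangling citations. Two smaller wording points in the same paragraph: "E.g," should be "E.g.," and "has its legit use" reads better as "has legitimate uses", and the curly quotes around "confused deputy attack" and in "memfd's" are better replaced with plain ASCII quotes for consistency with the rest of Documentation/. Finally, the bullet "Let memfd be sealed for modifying X bit when NX is set" does not say which of the two flags the patch documents (MFD_NOEXEC_SEAL, MFD_EXEC) produces the sealed, non-executable memfd; naming the flag in that bullet would tie the summary to the User API section that follows.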