X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240611034903.3456796-1-jeffxu@chromium.org> <20240611034903.3456796-2-jeffxu@chromium.org> <595b6353-6da6-432b-96b4-42c4e3ec1146@infradead.org>
In-Reply-To: <595b6353-6da6-432b-96b4-42c4e3ec1146@infradead.org>
From: Jeff Xu
Date: Tue, 11 Jun 2024 16:03:56 -0700
Subject: Re: [PATCH v2 1/1] mm/memfd: add documentation for MFD_NOEXEC_SEAL MFD_EXEC
To: Randy Dunlap
Cc: jeffxu@chromium.org, akpm@linux-foundation.org, cyphar@cyphar.com, david@readahead.eu, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pobrn@protonmail.com, skhan@linuxfoundation.org, stable@vger.kernel.org

On Tue, Jun 11, 2024 at 3:41 PM Randy Dunlap wrote:
>
> On 6/10/24 8:49 PM, jeffxu@chromium.org wrote:
> > From: Jeff Xu
> >
> > Add documentation for memfd_create flags: MFD_NOEXEC_SEAL
> > and MFD_EXEC
> >
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Jeff Xu
> >
> > ---
> >  Documentation/userspace-api/index.rst      |  1 +
> >  Documentation/userspace-api/mfd_noexec.rst | 86 ++++++++++++++++++++++
> >  2 files changed, 87 insertions(+)
> >  create mode 100644 Documentation/userspace-api/mfd_noexec.rst
> >
> > diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst
> > index 5926115ec0ed..8a251d71fa6e 100644
> > --- a/Documentation/userspace-api/index.rst
> > +++ b/Documentation/userspace-api/index.rst
> > @@ -32,6 +32,7 @@ Security-related interfaces
> >     seccomp_filter
> >     landlock
> >     lsm
> > +   mfd_noexec
> >     spec_ctrl
> >     tee
> >
> > diff --git a/Documentation/userspace-api/mfd_noexec.rst b/Documentation/userspace-api/mfd_noexec.rst
> > new file mode 100644
> > index 000000000000..ec6e3560fbff
> > --- /dev/null
> > +++ b/Documentation/userspace-api/mfd_noexec.rst
> > @@ -0,0 +1,86 @@
> > +.. SPDX-License-Identifier: GPL-2.0
> > +
> > +==================================
> > +Introduction of non executable mfd
>
> Missed:
>           non-executable
>
> > +==================================
> > +:Author:
> > +    Daniel Verkamp
> > +    Jeff Xu
> > +
> > +:Contributor:
> > +    Aleksa Sarai
> > +
> > +Since Linux introduced the memfd feature, memfds have always had their
> > +execute bit set, and the memfd_create() syscall doesn't allow setting
> > +it differently.
> > +
> > +However, in a secure-by-default system, such as ChromeOS, (where all
> > +executables should come from the rootfs, which is protected by verified
> > +boot), this executable nature of memfd opens a door for NoExec bypass
> > +and enables “confused deputy attack”. E.g, in VRP bug [1]: cros_vm
> > +process created a memfd to share the content with an external process,
> > +however the memfd is overwritten and used for executing arbitrary code
> > +and root escalation. [2] lists more VRP of this kind.
> > +
> > +On the other hand, executable memfd has its legit use: runc uses memfd’s
> > +seal and executable feature to copy the contents of the binary then
> > +execute them. For such a system, we need a solution to differentiate runc's
> > +use of executable memfds and an attacker's [3].
> > +
> > +To address those above:
> > + - Let memfd_create() set X bit at creation time.
> > + - Let memfd be sealed for modifying X bit when NX is set.
> > + - Add a new pid namespace sysctl: vm.memfd_noexec to help applications to
>
>                                                            help applications in
>
> > +   migrating and enforcing non-executable MFD.
> > +
> > +User API
> > +========
>
> The rest looks good. Thanks.
>
Thanks for your review!
>
> --
> ~Randy
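Review bot: In the mfd_noexec.rst hunk, the "To address those above:" list never names the two flags this patch's subject line documents, so a reader cannot map the bullets to the User API section that follows. Suggest spelling them out: "Let memfd_create() set X bit at creation time" is the MFD_EXEC / MFD_NOEXEC_SEAL choice, and "Let memfd be sealed for modifying X bit when NX is set" refers to the F_SEAL_EXEC seal that MFD_NOEXEC_SEAL applies. Two smaller wording points in the same hunk: "E.g, in VRP bug [1]" should read "E.g., in VRP bug [1]", and "has its legit use" reads better as "has its legitimate use".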