From patchwork Fri Aug 5 22:21:21 2022
X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 12937864
Date: Fri, 5 Aug 2022 22:21:21 +0000
Message-Id: <20220805222126.142525-1-jeffxu@google.com>
Subject: [PATCH v2 0/5] mm/memfd: MFD_NOEXEC for memfd_create
From: Jeff Xu
To: skhan@linuxfoundation.org
Cc: akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com, Jeff Xu

Hi,

This is v2 of the MFD_NOEXEC series; it includes:
1> address comments in V1
2> add sysctl (vm.mfd_noexec) to change the default file permissions of memfd_create to be non-executable.
Below is the cover letter for v1:

The default file permissions on a memfd include execute bits, which means that such a memfd can be filled with an executable and passed to the exec() family of functions. This is undesirable on systems where all code is verified and all filesystems are intended to be mounted noexec, since an attacker may be able to use a memfd to load unverified code and execute it. Additionally, execution via memfd is a common way to avoid scrutiny for malicious code, since it allows execution of a program without a file ever appearing on disk.

This attack vector is not totally mitigated with this new flag, since the default memfd file permissions must remain executable to avoid breaking existing legitimate uses, but it should be possible to use other security mechanisms to prevent memfd_create calls without MFD_NOEXEC on systems where it is known that executable memfds are not necessary.

This patch series adds a new MFD_NOEXEC flag for memfd_create(), which allows creation of non-executable memfds, and as part of the implementation of this new flag, it also adds a new F_SEAL_EXEC seal, which will prevent modification of any of the execute bits of a sealed memfd.

I am not sure if this is the best way to implement the desired behavior (for example, the F_SEAL_EXEC seal is really more of an implementation detail and feels a bit clunky to expose), so suggestions are welcome for alternate approaches.
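A defender-side check that illustrates the behaviour the series describes (an added example, not code from this series or from the kernel tree): it creates a memfd, clears the execute bits from userspace, tries to pin them with F_SEAL_EXEC, and verifies that a later fchmod() cannot re-add them. The numeric value of F_SEAL_EXEC is assumed to be the mainline one; on a kernel without the seal the fcntl() fails with EINVAL and the check degrades to the unsealed mode check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020 /* assumption: mainline value; kernels without it return EINVAL */
#endif
/* 1 if any execute bit is set on the memfd inode, 0 if none, -1 on error. */
int memfd_is_executable(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) ? 1 : 0;
}
/* Userspace approximation of MFD_NOEXEC: clear the exec bits, then pin them
 * with F_SEAL_EXEC. *sealed is 0 on kernels lacking the seal (EINVAL); the
 * fchmod() alone is then not tamper-proof. Returns the fd or -1 on error. */
int create_noexec_memfd(const char *name, int *sealed)
{
    int fd = memfd_create(name, MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0)
        goto fail;
    *sealed = (fcntl(fd, F_ADD_SEALS, F_SEAL_EXEC) == 0);
    if (!*sealed && errno != EINVAL)
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}
/* Policy check: the memfd must carry no exec bits and, once sealed, a fchmod()
 * that would re-add them must be refused with EPERM. Returns 1 if it holds. */
int check_noexec_policy(void)
{
    int sealed, ok;
    int fd = create_noexec_memfd("noexec-demo", &sealed);
    if (fd < 0)
        return 0;
    ok = (memfd_is_executable(fd) == 0);
    if (ok && sealed)
        ok = (fchmod(fd, 0700) != 0 && errno == EPERM);
    close(fd);
    return ok;
}
```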
v1: https://lwn.net/Articles/890096/

Daniel Verkamp (4):
  mm/memfd: add F_SEAL_EXEC
  mm/memfd: add MFD_NOEXEC flag to memfd_create
  selftests/memfd: add tests for F_SEAL_EXEC
  selftests/memfd: add tests for MFD_NOEXEC

Jeff Xu (1):
  sysctl: add support for mfd_noexec

 include/linux/mm.h                         |   4 +
 include/uapi/linux/fcntl.h                 |   1 +
 include/uapi/linux/memfd.h                 |   1 +
 kernel/sysctl.c                            |   9 ++
 mm/memfd.c                                 |  39 ++++-
 mm/shmem.c                                 |   6 +
 tools/testing/selftests/memfd/memfd_test.c | 163 ++++++++++++++++++++-
 7 files changed, 221 insertions(+), 2 deletions(-)

base-commit: 9e2f40233670c70c25e0681cb66d50d1e2742829