[v1,0/2] mm: In-kernel support for memory-deny-write-execute (MDWE)

Message ID	20221026150457.36957-1-joey.gouly@arm.com (mailing list archive)
Headers	show Return-Path: <owner-linux-mm@kvack.org> Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com; pr=C Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 40.67.248.234 as permitted sender) receiver=protection.outlook.com; client-ip=40.67.248.234; helo=nebula.arm.com; pr=C From: Joey Gouly <joey.gouly@arm.com> To: Catalin Marinas <catalin.marinas@arm.com>, Andrew Morton <akpm@linux-foundation.org>, Lennart Poettering <lennart@poettering.net>, =?utf-8?q?Zbigniew_J=C4=99drze?= =?utf-8?q?jewski-Szmek?= <zbyszek@in.waw.pl> CC: Alexander Viro <viro@zeniv.linux.org.uk>, Kees Cook <keescook@chromium.org>, Szabolcs Nagy <szabolcs.nagy@arm.com>, Mark Brown <broonie@kernel.org>, Jeremy Linton <jeremy.linton@arm.com>, Topi Miettinen <toiwoton@gmail.com>, <linux-mm@kvack.org>, <linux-arm-kernel@lists.infradead.org>, <linux-kernel@vger.kernel.org>, <linux-abi-devel@lists.sourceforge.net>, <nd@arm.com>, <joey.gouly@arm.com>, <shuah@kernel.org> Subject: [PATCH v1 0/2] mm: In-kernel support for memory-deny-write-execute (MDWE) Date: Wed, 26 Oct 2022 16:04:55 +0100 Message-ID: <20221026150457.36957-1-joey.gouly@arm.com> MIME-Version: 1.0 Content-Type: text/plain NoDisclaimer: true Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	mm: In-kernel support for memory-deny-write-execute (MDWE) \| expand [v1,0/2] mm: In-kernel support for memory-deny-write-execute (MDWE) [v1,1/2] mm: Implement memory-deny-write-execute as a prctl [v1,2/2] kselftest: vm: add tests for memory-deny-write-execute

Message ID

20221026150457.36957-1-joey.gouly@arm.com (mailing list archive)

Headers

Received-SPF: Pass (protection.outlook.com: domain of arm.com designates
 63.35.35.123 as permitted sender) receiver=protection.outlook.com;
 client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
 pr=C
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates
 40.67.248.234 as permitted sender) receiver=protection.outlook.com;
 client-ip=40.67.248.234; helo=nebula.arm.com; pr=C
From: Joey Gouly <joey.gouly@arm.com>
To: Catalin Marinas <catalin.marinas@arm.com>,
 Andrew Morton <akpm@linux-foundation.org>,
 Lennart Poettering <lennart@poettering.net>, =?utf-8?q?Zbigniew_J=C4=99drze?=
	=?utf-8?q?jewski-Szmek?= <zbyszek@in.waw.pl>
CC: Alexander Viro <viro@zeniv.linux.org.uk>, Kees Cook
	<keescook@chromium.org>, Szabolcs Nagy <szabolcs.nagy@arm.com>, Mark Brown
	<broonie@kernel.org>, Jeremy Linton <jeremy.linton@arm.com>, Topi Miettinen
	<toiwoton@gmail.com>, <linux-mm@kvack.org>,
	<linux-arm-kernel@lists.infradead.org>, <linux-kernel@vger.kernel.org>,
	<linux-abi-devel@lists.sourceforge.net>, <nd@arm.com>, <joey.gouly@arm.com>,
	<shuah@kernel.org>
Subject: [PATCH v1 0/2] mm: In-kernel support for memory-deny-write-execute
 (MDWE)
Date: Wed, 26 Oct 2022 16:04:55 +0100
Message-ID: <20221026150457.36957-1-joey.gouly@arm.com>
MIME-Version: 1.0
Content-Type: text/plain
NoDisclaimer: true
X-Microsoft-Antispam-Message-Info-Original: 
 OJ0tWd0jGXCt6Vsu2MsRJPz5IB/Wd5mNXe09jlXyMjJMXg966b/fWOjJBnSfJR+y8rn5z4wHz6BhKJQD30wDSdZmJrIEKOFOBM8aT6CKkVUFyIIzqElosDM2LznIKRWgM2MAdrzBibpMVQ5inlyBL8nBqaqcDcR6yEhpvkDXuarI5IarkvCaZpPvSD1RtY4Q0BOB6fXPrwPBhLfin7D8uenNlYDSZnmX2OHRXwsZ/4u3af3PGu5FLt3EAaT4QUXE1LH1N8z+8b3KZv+wZcAOsau+Arw2hGaBAGlht8C3DgXwWpc4cwf/avdaIRwz5vK6FSGmxUIhKibwU+fxn4I6VeDf0Hz04efGJJ+TSl1iL4MQGLi2OHLk17cJcTPXFChjtTf1AMiA1M2C+Nwnuw5XnmLtxaW9SUSfS/Xdrr6oYll55KJ+JG7giRdmorhmQADPdlKD3mmdTiPn51uUT0h1kV/DXFrVgJa0PWuRjcA/j9kJDhjIVD6wZxjh1KjSs4G46ZBWYIvTV/yS3LAJsGrreJ9pJw/RZPcg+q7xjbuoixPgsoWmvpZhMfVFGWvXuv+yT/unYJpAC/Hi1c40vUEK+4YPv22yjWPC3V6W+jFSRoli4q4K2U4+Rxiq5Wuct19jaqfoFQZmYILGtEuWXOyeU5VKEUufCpZvxnyuurvzi3DvSJaa3kFTmgyRnxVz6NgoN4HVp3j0vJmUxMzcS+4FfdXwPGhtusQ9iQCIBNzHtFUeJf9+jOA7lzgSrTPxaZdYYWhGPCO01WmCl/+unCfNJmgnBzuEsI6YTS/Dw1QMyw/qRApS9MWM/cIOtktFSWyQxiozxY3BMIHJbAETpbm/POqcqnGqGBVypHtneFqsj46m2mbW6XAbKO8YqgluXpqn
X-Forefront-Antispam-Report-Untrusted: 
 CIP:40.67.248.234;CTRY:IE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:nebula.arm.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230022)(4636009)(396003)(346002)(136003)(376002)(39860400002)(451199015)(40470700004)(36840700001)(46966006)(110136005)(478600001)(36756003)(86362001)(44832011)(2906002)(81166007)(40460700003)(82740400003)(426003)(1076003)(47076005)(186003)(83380400001)(356005)(336012)(6666004)(7696005)(966005)(70586007)(316002)(70206006)(8676002)(4326008)(54906003)(8936002)(5660300002)(36860700001)(41300700001)(82310400005)(7416002)(40480700001)(26005)(2616005)(36900700001);DIR:OUT;SFP:1101;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR08MB5974
X-MS-Exchange-Transport-CrossTenantHeadersStripped: 
 DBAEUR03FT035.eop-EUR03.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 
	f6ded434-6ca5-4c7c-5168-08dab7637d63
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
	xjy7Abjb/18Rs8hMsXiqOZ7/LIREomQ0b9eHsjLzxHi69/ht09PIMwjguCOgP4xcq3i7mTZTJtV3L/i+DDyH4DlxqKDHceX877zaPeEx8vAgF+jYX2FV9wLfMw4ZleQl38kLrRly8pT5RUHha6gwXXKacQkeY/GxcCS6+WZU4Vb1plPpEudesXCfAKooepyYX/9EUFcQl8HQT/4riGfP1jW8EwcPvOE3kVRK6ounH1DHfubGqqJ7HR62WmgHPhdGZo37aMnuC91LnJsV2098OGoRCmcaTZQmx3oodoAvFOaBpGNJvfikSWL7u2z5jYTU+mBEZJq82K3UwxX/rZvVoHZ9PACugAoGnDsw4oeNgeXcuJDt3HLC2Ck6uXyZZaiunbtQdHJ1r52OalyeafBZzeMk9clMkLAm/gHJFcDJxfteVuBc3I3IY6xwkyjt2Opg7cJG4Z8KfY4dr/OlGA3U8OmA3jHPdE4+32GN6S9eAHX5WSerydHvMSY3/xbUZAeURJxtz0be+9dsV6AZRd7Xqhnjbc6jzRrp2/ZUkDzNICMUvP2WaIRFNBqPzyCqTVmPBcTSk4gTNVup9e0v/teCSycb5QR6b0ThI3CCYKY5uTKghW82/NxqyMFMtrn1wXNV/bOv3jxXpuoc2YVi/moZ5JWWeExlos1AtFH8TC4OQja1hB6coxffgWA3blWzbgRvQKvd0py+oLT6IfZuyZY5YpSXiwgUnpBxLNVbF4oBK+SkFnt9oGHPgL1p8ZPKsT6hleDe5VgdNvBqwZcnByHCNregEZr0OZRGQsBbT3ztIn97SEmKikKsb4QIWdjSRO5OU0NiDadTSYgg2ffW6y5dig==
X-Forefront-Antispam-Report: 
	CIP:63.35.35.123;CTRY:IE;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:64aa7808-outbound-1.mta.getcheckrecipient.com;PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com;CAT:NONE;SFS:(13230022)(4636009)(39860400002)(376002)(136003)(346002)(396003)(451199015)(46966006)(36840700001)(40470700004)(36860700001)(8676002)(83380400001)(82740400003)(6666004)(47076005)(426003)(36756003)(4326008)(478600001)(44832011)(2906002)(54906003)(316002)(82310400005)(110136005)(8936002)(966005)(86362001)(41300700001)(40460700003)(26005)(81166007)(40480700001)(2616005)(5660300002)(186003)(1076003)(107886003)(7696005)(336012)(70206006)(70586007);DIR:OUT;SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Oct 2022 15:08:28.9945
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 3925d923-e328-4e91-a132-08dab763f073
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d;Ip=[63.35.35.123];Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	DBAEUR03FT035.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GVXPR08MB7797
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1666796915;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:in-reply-to:
	 references:dkim-signature; bh=BSROhHN+ILW5PCl2wDM9wNCCF0OA08XemKwknaWV3Dk=;
	b=z8cnt20+Z/ivB8y8f5pNxUh0+k9sa7y38EL59XVYt5qDxCpTXx6CfLRqP4KZ/a4Psy7cFz
	WbUgw+PnxJGua3u5fN2K005HAu47G+mbQaomzfUiyrb0XCnEDacEia4jGfIylli24XVlBg
	umJbAPcE/EZu0aQAKTnrDSSsEF5QMLQ=
ARC-Authentication-Results: i=3;
	imf10.hostedemail.com;
	dkim=pass header.d=armh.onmicrosoft.com
 header.s=selector2-armh-onmicrosoft-com header.b=1KYUW+i5;
	dkim=pass header.d=armh.onmicrosoft.com
 header.s=selector2-armh-onmicrosoft-com header.b=1KYUW+i5;
	arc=pass ("microsoft.com:s=arcselector9901:i=2");
	spf=pass (imf10.hostedemail.com: domain of Joey.Gouly@arm.com designates
 40.107.6.84 as permitted sender) smtp.mailfrom=Joey.Gouly@arm.com;
	dmarc=pass (policy=none) header.from=arm.com
ARC-Seal: i=3; s=arc-20220608; d=hostedemail.com; t=1666796915; a=rsa-sha256;
	cv=pass;
	b=Lol5MaF/binWhg0a8bzgiwSBnpb30szke9GFlwno8AYRfpzdEM1Sj6fYvhCgkVswWwyOhY
	oWeoJKA0aKaqqibZpoQA88jRiBK6wkIDIBVVmqysJChxayhj7exWHZY8CIEFTmmpQVcZ/j
	7SYeQyHC3a8QPvxDdGvT7SuMsclX7xo=
Authentication-Results: imf10.hostedemail.com;
	dkim=pass header.d=armh.onmicrosoft.com
 header.s=selector2-armh-onmicrosoft-com header.b=1KYUW+i5;
	dkim=pass header.d=armh.onmicrosoft.com
 header.s=selector2-armh-onmicrosoft-com header.b=1KYUW+i5;
	arc=pass ("microsoft.com:s=arcselector9901:i=2");
	spf=pass (imf10.hostedemail.com: domain of Joey.Gouly@arm.com designates
 40.107.6.84 as permitted sender) smtp.mailfrom=Joey.Gouly@arm.com;
	dmarc=pass (policy=none) header.from=arm.com
X-Stat-Signature: ahmc7s8q4f4ewohhducw8tt9gdnpywpy
X-Rspamd-Queue-Id: 38A85C003C
X-Rspamd-Server: rspam07
X-Rspam-User: 
X-HE-Tag: 1666796914-561189
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

Series

mm: In-kernel support for memory-deny-write-execute (MDWE) | expand

Message

Joey Gouly Oct. 26, 2022, 3:04 p.m. UTC

Hi all,

This is a follow up to the RFC that Catalin posted:
  https://lore.kernel.org/linux-arm-kernel/20220413134946.2732468-1-catalin.marinas@arm.com/

The background to this is that systemd has a configuration option called
MemoryDenyWriteExecute [1], implemented as a SECCOMP BPF filter. Its aim
is to prevent a user task from inadvertently creating an executable
mapping that is (or was) writeable. Since such BPF filter is stateless,
it cannot detect mappings that were previously writeable but
subsequently changed to read-only. Therefore the filter simply rejects
any mprotect(PROT_EXEC). The side-effect is that on arm64 with BTI
support (Branch Target Identification), the dynamic loader cannot change
an ELF section from PROT_EXEC to PROT_EXEC|PROT_BTI using mprotect().
For libraries, it can resort to unmapping and re-mapping but for the
main executable it does not have a file descriptor. The original bug
report in the Red Hat bugzilla - [2] - and subsequent glibc workaround
for libraries - [3].

This series adds in-kernel support for this feature as a prctl PR_SET_MDWE,
that is inherited on fork(). The prctl denies PROT_WRITE | PROT_EXEC mappings.
Like the systemd BPF filter it also denies adding PROT_EXEC to mappings.
However unlike the BPF filter it only denies it if the mapping didn't previous
have PROT_EXEC. This allows to PROT_EXEC -> PROT_EXEC | PROT_BTI with mprotect(),
which is a problem with the BPF filter.

Thanks,
Joey

[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1888842
[3] https://sourceware.org/bugzilla/show_bug.cgi?id=26831

Joey Gouly (2):
  mm: Implement memory-deny-write-execute as a prctl
  kselftest: vm: add tests for memory-deny-write-execute

 include/linux/mman.h                   |  15 ++
 include/linux/sched/coredump.h         |   6 +-
 include/uapi/linux/prctl.h             |   6 +
 kernel/sys.c                           |  18 +++
 mm/mmap.c                              |   3 +
 mm/mprotect.c                          |   5 +
 tools/testing/selftests/vm/mdwe_test.c | 194 +++++++++++++++++++++++++
 7 files changed, 246 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/vm/mdwe_test.c

Comments

Topi Miettinen Nov. 6, 2022, 7:42 p.m. UTC | #1

On 26.10.2022 18.04, Joey Gouly wrote:
> Hi all,
> 
> This is a follow up to the RFC that Catalin posted:
>    https://lore.kernel.org/linux-arm-kernel/20220413134946.2732468-1-catalin.marinas@arm.com/
> 
> The background to this is that systemd has a configuration option called
> MemoryDenyWriteExecute [1], implemented as a SECCOMP BPF filter. Its aim
> is to prevent a user task from inadvertently creating an executable
> mapping that is (or was) writeable. Since such BPF filter is stateless,
> it cannot detect mappings that were previously writeable but
> subsequently changed to read-only. Therefore the filter simply rejects
> any mprotect(PROT_EXEC). The side-effect is that on arm64 with BTI
> support (Branch Target Identification), the dynamic loader cannot change
> an ELF section from PROT_EXEC to PROT_EXEC|PROT_BTI using mprotect().
> For libraries, it can resort to unmapping and re-mapping but for the
> main executable it does not have a file descriptor. The original bug
> report in the Red Hat bugzilla - [2] - and subsequent glibc workaround
> for libraries - [3].
> 
> This series adds in-kernel support for this feature as a prctl PR_SET_MDWE,
> that is inherited on fork(). The prctl denies PROT_WRITE | PROT_EXEC mappings.
> Like the systemd BPF filter it also denies adding PROT_EXEC to mappings.
> However unlike the BPF filter it only denies it if the mapping didn't previous
> have PROT_EXEC. This allows to PROT_EXEC -> PROT_EXEC | PROT_BTI with mprotect(),
> which is a problem with the BPF filter.

Draft PR for systemd: https://github.com/systemd/systemd/pull/25276

-Topi

> 
> Thanks,
> Joey
> 
> [1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1888842
> [3] https://sourceware.org/bugzilla/show_bug.cgi?id=26831
> 
> Joey Gouly (2):
>    mm: Implement memory-deny-write-execute as a prctl
>    kselftest: vm: add tests for memory-deny-write-execute
> 
>   include/linux/mman.h                   |  15 ++
>   include/linux/sched/coredump.h         |   6 +-
>   include/uapi/linux/prctl.h             |   6 +
>   kernel/sys.c                           |  18 +++
>   mm/mmap.c                              |   3 +
>   mm/mprotect.c                          |   5 +
>   tools/testing/selftests/vm/mdwe_test.c | 194 +++++++++++++++++++++++++
>   7 files changed, 246 insertions(+), 1 deletion(-)
>   create mode 100644 tools/testing/selftests/vm/mdwe_test.c
>