From patchwork Fri Jun 7 20:35:40 2024
X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 13690641
From: jeffxu@chromium.org
To: jeffxu@chromium.org
Cc: akpm@linux-foundation.org, cyphar@cyphar.com, david@readahead.eu, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pobrn@protonmail.com, skhan@linuxfoundation.org, stable@vger.kernel.org
Subject: [PATCH v1 0/1] mm/memfd: add documentation for MFD_NOEXEC_SEAL
Date: Fri, 7 Jun 2024 20:35:40 +0000
Message-ID: <20240607203543.2151433-1-jeffxu@google.com>
From: Jeff Xu

When MFD_NOEXEC_SEAL was introduced, there was one big mistake: it didn't have proper documentation. This led to a lot of confusion, especially about whether or not a memfd created with the MFD_NOEXEC_SEAL flag is sealable. Before MFD_NOEXEC_SEAL, memfd had to explicitly set MFD_ALLOW_SEALING to be sealable, so it's a fair question.

As one might have noticed, unlike other flags in memfd_create, MFD_NOEXEC_SEAL is actually a combination of multiple flags. The idea is to make it easier to use memfd in the most common way, which is NOEXEC + F_SEAL_EXEC + MFD_ALLOW_SEALING. This works with sysctl vm.noexec to help existing applications move to a more secure way of using memfd.

Proposals have been made to make MFD_NOEXEC_SEAL non-sealable, unless MFD_ALLOW_SEALING is set, to be consistent with other flags [1] [2]. Those are based on the viewpoint that each flag is an atomic unit, which is a reasonable assumption. However, MFD_NOEXEC_SEAL was designed with the intent of promoting the most secure method of using memfd, hence the combination of multiple functionalities into one bit. Furthermore, MFD_NOEXEC_SEAL was added more than one year ago, and multiple applications and distributions have backported and utilized it. Altering the ABI now presents a degree of risk and may lead to disruption.

MFD_NOEXEC_SEAL is a new flag, and applications must change their code to use it. There is no backward compatibility problem. When sysctl vm.noexec == 1 or 2, applications that don't set MFD_NOEXEC_SEAL or MFD_EXEC will get a MFD_NOEXEC_SEAL memfd. Old applications might break; that is by design, and in such a system vm.noexec = 0 shall be used. Also no backward compatibility problem.
I propose to include this documentation patch to assist in clarifying the semantics of MFD_NOEXEC_SEAL, thereby preventing any potential future confusion.

This patch supersedes the previous patch, which tried a different direction [3]; please remove [2] from the mm-unstable branch when applying this patch.

Finally, I would like to express my gratitude to David Rheinsberg and Barnabás Pőcze for initiating the discussion on the topic of sealability.

[1] https://lore.kernel.org/lkml/20230714114753.170814-1-david@readahead.eu/
[2] https://lore.kernel.org/lkml/20240513191544.94754-1-pobrn@protonmail.com/
[3] https://lore.kernel.org/lkml/20240524033933.135049-1-jeffxu@google.com/

Jeff Xu (1):
  mm/memfd: add documentation for MFD_NOEXEC_SEAL MFD_EXEC

 Documentation/userspace-api/index.rst      |  1 +
 Documentation/userspace-api/mfd_noexec.rst | 86 ++++++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 Documentation/userspace-api/mfd_noexec.rst
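The probe below is an added example, not part of the patch or of the cover letter above; it exercises the semantics the cover letter describes (MFD_NOEXEC_SEAL bundling noexec, F_SEAL_EXEC and sealability without MFD_ALLOW_SEALING, versus MFD_EXEC) by creating a memfd and inspecting it with F_GET_SEALS, fstat(), fchmod() and F_ADD_SEALS. The names probe_memfd and check_memfd are this example's own; it assumes a Linux kernel with the flag (6.3 or later) and reports -1 rather than failing where memfd_create() refuses the flags, and the expected inode modes 0666/0777 are this example's assumption about how the kernel clears the exec bits for MFD_NOEXEC_SEAL.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef MFD_NOEXEC_SEAL /* values from linux/memfd.h and linux/fcntl.h, for older libc headers */
#define MFD_NOEXEC_SEAL 0x0008U
#define MFD_EXEC        0x0010U
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

struct memfd_probe {
    int supported;  /* 0 if memfd_create() refused the flags: EINVAL before 6.3, EACCES if the sysctl forbids MFD_EXEC */
    int seals;      /* what F_GET_SEALS reports right after creation */
    int mode;       /* permission bits from fstat() */
    int chmod_exec; /* 1 if fchmod() was allowed to add exec bits */
    int sealable;   /* 1 if F_ADD_SEALS(F_SEAL_WRITE) succeeded */
};
/* Create a memfd with FLAGS and record how the kernel treats it. */
struct memfd_probe probe_memfd(unsigned int flags)
{
    struct memfd_probe p = {0, 0, 0, 0, 0};
    struct stat st;
    int fd = memfd_create("probe", flags);
    if (fd < 0) return p;
    p.supported = 1;
    p.seals = fcntl(fd, F_GET_SEALS);
    if (fstat(fd, &st) == 0)
        p.mode = st.st_mode & 0777;
    p.chmod_exec = fchmod(fd, 0777) == 0;                   /* EPERM when F_SEAL_EXEC is set */
    p.sealable = fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE) == 0; /* EPERM when F_SEAL_SEAL is set */
    close(fd);
    return p;
}

/* Check a memfd created with FLAGS (name MFD_EXEC or MFD_NOEXEC_SEAL explicitly; with neither,
 * the sysctl decides) against the documented semantics: MFD_NOEXEC_SEAL => F_SEAL_EXEC set, mode
 * 0666, exec bits cannot be added, sealable without MFD_ALLOW_SEALING; MFD_EXEC => executable,
 * sealable only with MFD_ALLOW_SEALING. Returns 1 on match, 0 on mismatch, -1 if creation failed. */
int check_memfd(unsigned int flags)
{
    struct memfd_probe p = probe_memfd(flags);
    int noexec = (flags & MFD_NOEXEC_SEAL) != 0;
    int sealing = noexec || (flags & MFD_ALLOW_SEALING) != 0;
    if (!p.supported) return -1;
    return !!(p.seals & F_SEAL_EXEC) == noexec && !!(p.seals & F_SEAL_SEAL) == !sealing &&
           p.mode == (noexec ? 0666 : 0777) && p.chmod_exec == !noexec && p.sealable == sealing;
}
```

A 0 from check_memfd() on a kernel that accepts the flag means the behaviour differs from what the cover letter describes, which is exactly the kind of ambiguity the documentation patch is meant to remove.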