X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 13874205
From: jeffxu@chromium.org
To: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, torvalds@linux-foundation.org, adhemerval.zanella@linaro.org, oleg@redhat.com
Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com, ojeda@kernel.org, adobriyan@gmail.com, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, hch@lst.de, peterx@redhat.com, hca@linux.ibm.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, Liam.Howlett@Oracle.com, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, lorenzo.stoakes@oracle.com, Jeff Xu
Subject: [PATCH v3 0/1] seal system mappings
Date: Wed, 13 Nov 2024 19:16:01 +0000
Message-ID: <20241113191602.3541870-1-jeffxu@google.com>

From: Jeff Xu

Seal vdso, vvar, sigpage, uprobes and vsyscall.

Those mappings are readonly or executable only; sealing can protect
them from ever changing or being unmapped during the lifetime of the
process. For complete descriptions of memory sealing, please see
mseal.rst [1].

System mappings such as vdso, vvar, and sigpage (for arm) are
generated by the kernel during program initialization, and are sealed
after creation.

Unlike the aforementioned mappings, the uprobe mapping is not
established during program startup. However, its lifetime is the same
as the process's lifetime [1]. It is sealed from creation.

The vdso, vvar, sigpage, and uprobe mappings all invoke the
_install_special_mapping() function. As no other mappings utilize this
function, it is logical to incorporate sealing logic within
_install_special_mapping(). This approach avoids the necessity of
modifying code across various architecture-specific implementations.

The vsyscall mapping, which has its own initialization function, is
sealed in the XONLY case; it seems to be the most common and secure
case of using vsyscall.

It is important to note that the CHECKPOINT_RESTORE feature (CRIU) may
alter the mapping of vdso, vvar, and sigpage during restore
operations. Consequently, this feature cannot be universally enabled
across all systems. To address this, a kernel configuration option has
been introduced to enable or disable this functionality.

[1] Documentation/userspace-api/mseal.rst
[2] https://lore.kernel.org/all/CABi2SkU9BRUnqf70-nksuMCQ+yyiWjo3fM4XkRkL-NrCZxYAyg@mail.gmail.com/

History:
V3:
  Revert uprobe to v1 logic (Oleg Nesterov)
  use CONFIG_SEAL_SYSTEM_MAPPINGS instead of _ALWAYS/_NEVER (Kees Cook)
  Move kernel cmd line from fs/exec.c to mm/mseal.c and misc. refactor (Liam R. Howlett)

V2:
  https://lore.kernel.org/all/20241014215022.68530-1-jeffxu@google.com/
  Seal uprobe always (Oleg Nesterov)
  Update comments and description (Randy Dunlap, Liam R. Howlett, Oleg Nesterov)
  Rebase to linux_main

V1:
  https://lore.kernel.org/all/20241004163155.3493183-1-jeffxu@google.com/

Jeff Xu (1):
  exec: seal system mappings

 .../admin-guide/kernel-parameters.txt | 10 +++++
 arch/x86/entry/vsyscall/vsyscall_64.c |  9 ++++-
 include/linux/mm.h                    | 12 ++++++
 mm/mmap.c                             | 10 +++++
 mm/mseal.c                            | 39 +++++++++++++++++++
 security/Kconfig                      | 11 ++++++
 6 files changed, 89 insertions(+), 2 deletions(-)
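
An added example, not part of this patch or of the kernel tree: a small C checker that finds the mappings named in the cover letter in /proc/self/maps and probes whether the running kernel refuses mprotect() on them. The mapping labels, the function names and the choice of a same-protection mprotect() call as the probe are assumptions of the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Assumed names, as these mappings are labelled in /proc/<pid>/maps. */
static const char *const sys_names[] = {
    "[vdso]", "[vvar]", "[sigpage]", "[uprobes]", "[vsyscall]" };
/* Parse one maps line ("start-end perms offset dev inode [path]").
 * Returns 1 and fills the outputs when the line is a system mapping. */
int parse_system_mapping(const char *line, unsigned long *start,
                         unsigned long *end, int *prot, char name[32])
{
    char perms[5] = "", path[64] = "";
    if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %63s", start, end, perms, path) < 4)
        return 0;                      /* malformed line or anonymous mapping */
    for (size_t i = 0; i < sizeof sys_names / sizeof sys_names[0]; i++) {
        if (strcmp(path, sys_names[i]) != 0)
            continue;
        *prot = (perms[0] == 'r' ? PROT_READ : 0) |
                (perms[1] == 'w' ? PROT_WRITE : 0) |
                (perms[2] == 'x' ? PROT_EXEC : 0);
        snprintf(name, 32, "%s", path);
        return 1;
    }
    return 0;
}
/* Re-apply the current protection: harmless on an unsealed mapping, while a
 * sealed one is assumed to refuse mprotect() with EPERM (see mseal.rst).
 * Returns 1 = sealed, 0 = not sealed, -1 = cannot probe (e.g. [vsyscall]). */
int probe_sealed(unsigned long start, unsigned long end, int prot)
{
    if (mprotect((void *)start, end - start, prot) == 0)
        return 0;
    return errno == EPERM ? 1 : -1;
}

int main(void)
{
    char line[512], name[32];
    unsigned long s, e;
    int prot;
    FILE *f = fopen("/proc/self/maps", "r");
    while (f && fgets(line, sizeof line, f))
        if (parse_system_mapping(line, &s, &e, &prot, name)) {
            int r = probe_sealed(s, e, prot);
            printf("%-10s %s\n", name, r == 1 ? "sealed" : r ? "cannot probe" : "not sealed");
        }
    return f ? fclose(f) : 1;
}
```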