From patchwork Fri Aug 5 22:21:23 2022
X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 12937866
Date: Fri, 5 Aug 2022 22:21:23 +0000
In-Reply-To: <20220805222126.142525-1-jeffxu@google.com>
Message-Id: <20220805222126.142525-3-jeffxu@google.com>
Subject: [PATCH v2 2/5] mm/memfd: add MFD_NOEXEC flag to memfd_create
To: skhan@linuxfoundation.org
Cc: akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com, Jeff Xu

From: Daniel Verkamp

The new MFD_NOEXEC flag allows the creation of a permanently
non-executable memfd. This is accomplished by creating it with a
different set of file mode bits (0666) than the default (0777) and
applying the F_SEAL_EXEC seal at creation time, so there is no window
between memfd creation and seal application.

Unfortunately, the default for memfd must remain executable, since
changing this would be an API break, and some programs depend on being
able to exec code from a memfd directly. However, this new flag will
allow programs to create non-executable memfds, and a distribution may
choose to enforce use of this flag in memfd_create calls via other
security mechanisms.

Co-developed-by: Jeff Xu
Signed-off-by: Jeff Xu
Signed-off-by: Daniel Verkamp

--- include/uapi/linux/memfd.h | 1 + mm/memfd.c | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/memfd.h b/include/uapi/linux/memfd.h index 7a8a26751c23..140e125c9f65 100644 --- a/include/uapi/linux/memfd.h +++ b/include/uapi/linux/memfd.h @@ -8,6 +8,7 @@ #define MFD_CLOEXEC 0x0001U #define MFD_ALLOW_SEALING 0x0002U #define MFD_HUGETLB 0x0004U +#define MFD_NOEXEC 0x0008U /* * Huge page size encoding when MFD_HUGETLB is specified, and a huge page diff --git a/mm/memfd.c b/mm/memfd.c index 4ebeab94aa74..b841514eb0fd 100644 --- a/mm/memfd.c +++ b/mm/memfd.c
@@ -263,7 +263,7 @@ long memfd_fcntl(struct file *file, unsigned int cmd, unsigned long arg) #define MFD_NAME_PREFIX_LEN (sizeof(MFD_NAME_PREFIX) - 1) #define MFD_NAME_MAX_LEN (NAME_MAX - MFD_NAME_PREFIX_LEN) -#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB) +#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB | MFD_NOEXEC) SYSCALL_DEFINE2(memfd_create, const char __user *, uname, @@ -333,6 +333,14 @@ SYSCALL_DEFINE2(memfd_create, *file_seals &= ~F_SEAL_SEAL; } + if (flags & MFD_NOEXEC) { + struct inode *inode = file_inode(file); + + inode->i_mode &= ~0111; + file_seals = memfd_file_seals_ptr(file); + *file_seals |= F_SEAL_EXEC; + } + fd_install(fd, file); kfree(name); return fd;
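
Review bot: the new MFD_NOEXEC define in include/uapi/linux/memfd.h (hunk at -8,6 +8,7) is added without any comment, although it is the only flag in that group that changes both the file mode and the seal set. Since userspace reads this header, a short comment above the define saying that the flag creates the memfd without execute bits and with F_SEAL_EXEC already applied would spare callers from having to read mm/memfd.c to learn that the result cannot be made executable later.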
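
Review bot: in the "if (flags & MFD_NOEXEC)" block added to memfd_create (hunk at -333,6 +333,14), "inode->i_mode &= ~0111" clears the execute bits on a file that already exists, whereas the commit message describes the file as being created with mode 0666. The result is the same for userspace only because both the mode change and "*file_seals |= F_SEAL_EXEC" run before fd_install(fd, file); please add a one-line comment stating that both steps must stay ahead of fd_install(), so a later refactor does not reopen the window the commit message says is closed. It would also help to say, in the comment or the commit message, that the block applies F_SEAL_EXEC whether or not MFD_ALLOW_SEALING was passed, since it sits outside the branch that ends with "*file_seals &= ~F_SEAL_SEAL".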