From patchwork Fri May 24 03:39:31 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jeff Xu X-Patchwork-Id: 13672654 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 66DA1C25B74 for ; Fri, 24 May 2024 03:39:58 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id EB04E6B00A0; Thu, 23 May 2024 23:39:57 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id E5E426B00A1; Thu, 23 May 2024 23:39:57 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id CB2496B00A2; Thu, 23 May 2024 23:39:57 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id A8D506B00A0 for ; Thu, 23 May 2024 23:39:57 -0400 (EDT) Received: from smtpin25.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id 5AB1AA07A7 for ; Fri, 24 May 2024 03:39:57 +0000 (UTC) X-FDA: 82151885634.25.A0D65A3 Received: from mail-pg1-f175.google.com (mail-pg1-f175.google.com [209.85.215.175]) by imf17.hostedemail.com (Postfix) with ESMTP id 09B8240002 for ; Fri, 24 May 2024 03:39:53 +0000 (UTC) Authentication-Results: imf17.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=QrzMPzsK; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf17.hostedemail.com: domain of jeffxu@chromium.org designates 209.85.215.175 as permitted sender) smtp.mailfrom=jeffxu@chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1716521994; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=pesQo+6XyB9Sz7NquWrLJtfwCa+DVcXbb+XOLlmmUJA=; b=SJsCzQe+drYNEUTxXJk2wdtB1oohSFQPUokoVZGiY54ny7zNahVXo7JBZtlsJO81E6IauA O9CLt7dfczhRgsWjxEC6+/izeXxGcgK+umHmdYLA18c6f81xHheVsBKqhXYbzLSKbBXiKT PxyxfreBlz495le5PVku8dP+3H4DP8g= ARC-Authentication-Results: i=1; imf17.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=QrzMPzsK; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf17.hostedemail.com: domain of jeffxu@chromium.org designates 209.85.215.175 as permitted sender) smtp.mailfrom=jeffxu@chromium.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1716521994; a=rsa-sha256; cv=none; b=6BasLn0mtGvGp+RazZqczL4DVMksiCZ3ECAdBJR4Hra4ETiJ4/tNyCfSbze4l6FgO+DUdF Vlnb8V/ajeGge0fxHsXAGo7vaLiiW1oKdcYX5RStc48fZdUx6yozQ3DYSn8IUSL/z94QHK 5zQFVmTag0HXq36B+L06tmZ8n2o9IIA= Received: by mail-pg1-f175.google.com with SMTP id 41be03b00d2f7-652fd0bb5e6so2752809a12.0 for ; Thu, 23 May 2024 20:39:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1716521993; x=1717126793; darn=kvack.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=pesQo+6XyB9Sz7NquWrLJtfwCa+DVcXbb+XOLlmmUJA=; b=QrzMPzsK6vA+4OgUX7BoWCJGLXUl3QGSETtQRnf9ZQIk5F0ELbWIqRZmzU5PIjMJCY AvhyQeWinKqZpRpwbb5VceTcxeqbcIr6qkbxaAM+zVKwLuEto3ynMEuE+0cnX5XzWZDL LkJZTPV/IYrqF9g6vEENxOLTvkv9dYBOFvC94= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716521993; x=1717126793; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=pesQo+6XyB9Sz7NquWrLJtfwCa+DVcXbb+XOLlmmUJA=; b=SKINkkM/ULG1xm5+tIrNinIwKkt8RQn4N0NheZ4or3e3fR2fdtyxrVQUdXw57dIOnt dV1MDPjJno33NlqH1LR3fp0rTk5914Yu8LynwLn4jxJ7yInlhx8Gy0NueSgHMnu+03S0 +LxXVD4Au++GK+04eT3Hs9gLOr7G0jV1VpccZaGJR3hv9xs0XBCvgaENx0jEhMwLn9mD r16MBp8zzD5dVjy+gmszZg6ZE030pBHfllEIe0Z9Pswtn67umBPmHl5EnUT5hl5WyKTO Lmxc/bDHE5KzKiXVYOB/goWSMJSjL6q8y4qrgUGxqQZjWCtEfzoUuSBhlVtrpuLzRfCf 4R2A== X-Forwarded-Encrypted: i=1; AJvYcCXK5bM3GLMlNWpTrtsae2RXh3mX7GVCjRsz6CyF+rJp+ZevZXKXtxq6i69f/L3KrSI+jsThYrG0adIiGkjzEKfgXtk= X-Gm-Message-State: AOJu0YzntoytQQBg5pi1ebv+2WzsTgFU1l1nDxSkULliUXQkCsfobUhO E1wOZAxJyM9eLbT75WX3B2kMhZD0piSMB96PyQARA6tgS/yu+HIycnfqrSyVdg== X-Google-Smtp-Source: AGHT+IHdjBENRrBcj6qYEjj9L5n5wO1aZ+m3thRvOckQZLAGNspYj6ieCFrZ+b+e26D15nt1k6EE2w== X-Received: by 2002:a17:90b:604:b0:2b6:c650:fb54 with SMTP id 98e67ed59e1d1-2bf5f50a0cdmr948929a91.49.1716521992881; Thu, 23 May 2024 20:39:52 -0700 (PDT) Received: from localhost (197.59.83.34.bc.googleusercontent.com. [34.83.59.197]) by smtp.gmail.com with UTF8SMTPSA id 98e67ed59e1d1-2bf5f50c450sm406666a91.17.2024.05.23.20.39.52 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 23 May 2024 20:39:52 -0700 (PDT) From: jeffxu@chromium.org To: jeffxu@google.com Cc: jeffxu@chromium.org, akpm@linux-foundation.org, cyphar@cyphar.com, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pobrn@protonmail.com, skhan@linuxfoundation.org, stable@vger.kernel.org Subject: [PATCH v2 2/2] memfd:add MEMFD_NOEXEC_SEAL documentation Date: Fri, 24 May 2024 03:39:31 +0000 Message-ID: <20240524033933.135049-3-jeffxu@google.com> X-Mailer: git-send-email 2.45.1.288.g0e0cd299f1-goog In-Reply-To: <20240524033933.135049-1-jeffxu@google.com> References: <20240524033933.135049-1-jeffxu@google.com> MIME-Version: 1.0 X-Rspamd-Queue-Id: 09B8240002 X-Stat-Signature: 3786pgpzdhggpibnx5c3hkmat9okdjp4 X-Rspam-User: X-Rspamd-Server: rspam04 X-HE-Tag: 1716521993-57385 X-HE-Meta: U2FsdGVkX18l49oTx4XCaWvy8X4w9SVffHKBnj5WK86Bs9nWw5pNhqcHqBUIcjXAZcsOFiq3LsOmPFPWXOOnvHh3E+Au+rNdMa+Uj3Lhq4r2yPWvakQ926kn+uuibsPuAwSW5/dSefwYYG1kr5T8SPmAGbU5ZU66BLgQQPmKo1JmFXLADj/fwW7ILg89EkIWaN78m0IqaKq+Fbqc2i6prIr3cTgQlb9WoE5eNBtHsHCjCyUjqQZMOODZir2k1Qsof4aLTjZlhaYrnFLjwRndtMZ2m4HwvaaMu6Xr/hCnNsFamPSciht3kUYY6oGd1/rSg6KODZRiX41XHJ+n+x1bAWE3h5BuT3ZLE/NLeNkIugo1zMmDaxaWZkMLC8W8wyt7/pE7Bx7pKHfAA2BtFDfo9pUUOZKJpbJ5rR8ExqQ19GQQ+h+bL27Qni0lpDALxaciTSBJB4XpT6GQ4mSsZFUwQ3XPmsGYeT2Y1LeMuc4YKUrp9Oq4DsxMa77bg+P8gPpWkLWCd9URVOugtJxux7OJXyv9KJPOs2EPCK3fL1PIMTpBf6A1d/sCBMNBPB5OEl4unR09X97BVRQKrWghsuHJHVlpYSwTWBXvD9H8vKHnKAYui4ZFnddM8u210Q83zoj17b+JlsefZLidCICXtFe+ViHKFnecAlYuj0AJ+/MRqQqjXz6+H8TGD7dBZMt6xKIlHyXKV02TytkPh9Mlvx5m1qQSf2Ftrb6GUgboQMXqBdWK3VFIYnNMM3ANA2elEgMWLXZg2CTvW03fQkSAiW8QSgRmI/tw/jmon8flWgd4B1NWY5jEeSNspipRkWo+IXo/Fd1arGY/7ujk75odqKfSqCB5MrzDQhsrAzczSbtPFMiBja4x3bjNvo9rR0X67YYEDg7RvBWoK74WxTHRUD6kJq0SLiKxNNIclV1KBHPk8T1jbCvPLIcEIGSpC2pkK5rtors8aQjVJB56mwBGciS 81othBJG 6w4u/qbz8Ham3Wix82VmEYPn7h+hsvuLs/Fli7oDrlOUW9rZd2K5ZFyF8zA/q1DJc5EkbW4qCDFBgxaL6oBc2uKfRCVQsiHqKS1wFl+8lkXPd47P02EyA1PmGe8buu/MjzGLR7jvQ9tx2RG2ErNaYiTkUYGJPry2oejUaMWNqxmkuKgPhyOUYzSGcTU/dY4sceOaBYRW9GbEYkzipq1ZGEjwYsJAEQBbx+t7oatrkPZIbBWUxH0iXm8s+TIPLfLWx+d2pXBI5pwjgQVCNlYTYGvZQeHwGKkWwTTMKcMjyX0ZUkfygqTkAXy68Fn8FBNJtaQZRHJoi6yGBq+3cC1kGfKHkdqYCUixcetcM5xPhu6K1NafY5PzozUTuXVLua4Qif7jwK0pFwQW1kY3DaRILgsw51ZSc10P1w4m9/6AlHj+uG0qdM/eRTCyam1oYMFS93kd5XDiouJBl8Jmu00JKvi/cBveEUjp2ekYaZuPD4twe2DCDkV0wcRBGvn5BMhsasL5bzrE9uHzDmLo/olIwI47MelbkZTXFrzxDVHLIK7DmqknWY+7W8rmH1mmi+xkqiQjkgfkNzpZc6fXQDzGoiJMDjXwevJXxEtISoWMkJMQyqtp6wsVaGwEDsqEF8mRAlQj0b8OCNYd6iQzd9pi20Yg8doYFxcUzE6tU2QnUj1jGb+pKIzS05WOAZWEUREYGDh6fFfc0lb6XH7u3RGfM+BRmTlva8vQe0WeTGsork8vhugp/HS6yW9E758RsdlKABmc0vLQXd1XsBgKADFzfpgrHpdvE0F6hJ1p+5s9NKri6MKEReQ0+PPZdqCXylmZ7uWoRm6Ac5YURXPvPIyVPuuf4WZYI1yH1VRcc6gIZ+2TTHl8n9TPy403FBLJ3AMDKxS0plGW59IBxetE= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000002, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: From: Jeff Xu Add documentation for MFD_NOEXEC_SEAL and MFD_EXEC Cc: stable@vger.kernel.org Signed-off-by: Jeff Xu --- Documentation/userspace-api/index.rst | 1 + Documentation/userspace-api/mfd_noexec.rst | 90 ++++++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 Documentation/userspace-api/mfd_noexec.rst diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst index 5926115ec0ed..8a251d71fa6e 100644 --- a/Documentation/userspace-api/index.rst +++ b/Documentation/userspace-api/index.rst @@ -32,6 +32,7 @@ Security-related interfaces seccomp_filter landlock lsm + mfd_noexec spec_ctrl tee diff --git a/Documentation/userspace-api/mfd_noexec.rst b/Documentation/userspace-api/mfd_noexec.rst new file mode 100644 index 000000000000..6f11ad86b076 --- /dev/null +++ b/Documentation/userspace-api/mfd_noexec.rst @@ -0,0 +1,90 @@ +.. SPDX-License-Identifier: GPL-2.0 + +================================== +Introduction of non executable mfd +================================== +:Author: + Daniel Verkamp + Jeff Xu + +:Contributor: + Aleksa Sarai + Barnabás Pőcze + David Rheinsberg + +Since Linux introduced the memfd feature, memfd have always had their +execute bit set, and the memfd_create() syscall doesn't allow setting +it differently. + +However, in a secure by default system, such as ChromeOS, (where all +executables should come from the rootfs, which is protected by Verified +boot), this executable nature of memfd opens a door for NoExec bypass +and enables “confused deputy attack”. E.g, in VRP bug [1]: cros_vm +process created a memfd to share the content with an external process, +however the memfd is overwritten and used for executing arbitrary code +and root escalation. [2] lists more VRP in this kind. + +On the other hand, executable memfd has its legit use, runc uses memfd’s +seal and executable feature to copy the contents of the binary then +execute them, for such system, we need a solution to differentiate runc's +use of executable memfds and an attacker's [3]. + +To address those above. + - Let memfd_create() set X bit at creation time. + - Let memfd be sealed for modifying X bit when NX is set. + - A new pid namespace sysctl: vm.memfd_noexec to help applications to + migrating and enforcing non-executable MFD. + +User API +======== +``int memfd_create(const char *name, unsigned int flags)`` + +``MFD_NOEXEC_SEAL`` + When MFD_NOEXEC_SEAL bit is set in the ``flags``, memfd is created + with NX. F_SEAL_EXEC is set and the memfd can't be modified to + add X later. + This is the most common case for the application to use memfd. + +``MFD_EXEC`` + When MFD_EXEC bit is set in the ``flags``, memfd is created with X. + +Note: + ``MFD_NOEXEC_SEAL`` and ``MFD_EXEC`` doesn't change the sealable + characteristic of memfd, which is controlled by ``MFD_ALLOW_SEALING``. + + +Sysctl: +======== +``pid namespaced sysctl vm.memfd_noexec`` + +The new pid namespaced sysctl vm.memfd_noexec has 3 values: + + - 0: MEMFD_NOEXEC_SCOPE_EXEC + memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like + MFD_EXEC was set. + + - 1: MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL + memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like + MFD_NOEXEC_SEAL was set. + + - 2: MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED + memfd_create() without MFD_NOEXEC_SEAL will be rejected. + +The sysctl allows finer control of memfd_create for old-software that +doesn't set the executable bit, for example, a container with +vm.memfd_noexec=1 means the old-software will create non-executable memfd +by default while new-software can create executable memfd by setting +MFD_EXEC. + +The value of memfd_noexec is passed to child namespace at creation time, +in addition, the setting is hierarchical, i.e. during memfd_create, +we will search from current ns to root ns and use the most restrictive +setting. + +Reference: +========== +[1] https://crbug.com/1305267 + +[2] https://bugs.chromium.org/p/chromium/issues/list?q=type%3Dbug-security%20memfd%20escalation&can=1 + +[3] https://lwn.net/Articles/781013/