From patchwork Wed Nov 13 19:16:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeff Xu X-Patchwork-Id: 13874206 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id D68C6D637A8 for ; Wed, 13 Nov 2024 19:16:14 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 3BBF86B0096; Wed, 13 Nov 2024 14:16:14 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 3449D6B0098; Wed, 13 Nov 2024 14:16:14 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 149DE6B0099; Wed, 13 Nov 2024 14:16:14 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id E9C6B6B0096 for ; Wed, 13 Nov 2024 14:16:13 -0500 (EST) Received: from smtpin03.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id 93BD080128 for ; Wed, 13 Nov 2024 19:16:13 +0000 (UTC) X-FDA: 82782025242.03.247F8ED Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by imf26.hostedemail.com (Postfix) with ESMTP id D314D140012 for ; Wed, 13 Nov 2024 19:15:38 +0000 (UTC) Authentication-Results: imf26.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=hrkL9VEZ; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf26.hostedemail.com: domain of jeffxu@chromium.org designates 209.85.210.180 as permitted sender) smtp.mailfrom=jeffxu@chromium.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1731525308; a=rsa-sha256; cv=none; b=l62ILVbli8YYIsheQB9wOyDkbyDNPeDpFk3nLiY+Xo8uSoi3CWDkNcmTenrx2RYxvYf3qu re7dAxklXQtaDQWWvM8D8mcY3e+1u1hlX+dX5FtlT8fqWN2q2B8hKQ0tYv3FarICedU2e3 4V4PswPVa2/Ve12Xp+lcgOGfk6dz5Rw= ARC-Authentication-Results: i=1; imf26.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=hrkL9VEZ; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf26.hostedemail.com: domain of jeffxu@chromium.org designates 209.85.210.180 as permitted sender) smtp.mailfrom=jeffxu@chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1731525308; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=bn2E6rL2wYZCI4wKkEUP+kNNk1goC17qlLY+yflZowg=; b=ZLrEZ1NjyvqnvT8g1PXWuqRj9ZohAgeOahkmNu3OW70BNR9h885hNIlgcWUwVoBrWPfon1 w4gp4qLbY/5Y/K/RH7RGkJfYDpz926qNBGCtte0phvcZdDrA4iGb/kEeuK8CRcJNY/Kp9d 3OecRKo7TI4WE8D2IYYX09uZp6uNzqY= Received: by mail-pf1-f180.google.com with SMTP id d2e1a72fcca58-71e4c2e36d5so446054b3a.2 for ; Wed, 13 Nov 2024 11:16:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1731525370; x=1732130170; darn=kvack.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=bn2E6rL2wYZCI4wKkEUP+kNNk1goC17qlLY+yflZowg=; b=hrkL9VEZsX/kMwghzFDoao9oEB/qf7+vsEJEBdgWzWgzyBfRqxXCS9YPWqVsaeUohY xzm9fob9EQ0pAoCBdVSkaC9aM5ytyyLd0MrUANuOg4LWx0ON6IAJ74dDgvqNd86DLCRV T6mIZPRdRVhl+7gsQYD1zifPITz4TiEqfeJFA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731525370; x=1732130170; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bn2E6rL2wYZCI4wKkEUP+kNNk1goC17qlLY+yflZowg=; b=iA8sa974xw690MqR8WB5JE0Y+6cVO8WXH/PvDNNMxKJglLn1Ycyc2wRImfYsVmaLPe 6gxQoAR2wAHkEyamm4NvMih9yopMrcSfPgaGyiKMXZWRaRUkzBW9Uf3RqduVHl2a0mV1 7d/kzPM42L8lYJ7nZLcDuJ1yOzDepy7diArax9aOVbkssYqk9ry8DsVIFEpNAwmKqSyB OelI1SGngmOGZOa6byVQcsR3H1mMlRiJwhah1YmnaRJg6dys7tUzR9U2J7GesVPFD+k8 iYFT/ded8bXxCu2xXm+8eYvqVqDAofVCXAmuiQaipaYGKRCMa3NEOgIIystyj2W+08/Y 8dsQ== X-Forwarded-Encrypted: i=1; AJvYcCVfTJi7d+VRI58cjCxVMsdQMwzoSrJ9gAkG/esFEu96FRnyrWk6sb3MuRBmU/5+HjeWpDbS+N0b1g==@kvack.org X-Gm-Message-State: AOJu0YxfRyPD/SSfCyiJJdQQg8FPeth12mKJCo4bTYNdnRiabIoOSJm8 /qOFFnrfJ4v6MayvJ4yMyCcDA5AkiaezkDU0ixi26XW76pIP8o41FL5UVWqIPg== X-Google-Smtp-Source: AGHT+IEjwSOXUNHmhOLuGYAncEdgOGnW561Ct4JZEuctDeRoO+bnsvsBpmpGsZv2e9Yi5LCKaGE3/g== X-Received: by 2002:a05:6a00:1797:b0:71e:4ec7:aece with SMTP id d2e1a72fcca58-724133a1cfdmr11762091b3a.7.1731525370297; Wed, 13 Nov 2024 11:16:10 -0800 (PST) Received: from localhost (238.76.127.34.bc.googleusercontent.com. [34.127.76.238]) by smtp.gmail.com with UTF8SMTPSA id d2e1a72fcca58-724079a3b03sm13445412b3a.117.2024.11.13.11.16.09 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 13 Nov 2024 11:16:09 -0800 (PST) From: jeffxu@chromium.org To: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, torvalds@linux-foundation.org, adhemerval.zanella@linaro.org, oleg@redhat.com Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com, ojeda@kernel.org, adobriyan@gmail.com, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, hch@lst.de, peterx@redhat.com, hca@linux.ibm.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, Liam.Howlett@Oracle.com, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, lorenzo.stoakes@oracle.com, Jeff Xu Subject: [PATCH v3 1/1] exec: seal system mappings Date: Wed, 13 Nov 2024 19:16:02 +0000 Message-ID: <20241113191602.3541870-2-jeffxu@google.com> X-Mailer: git-send-email 2.47.0.277.g8800431eea-goog In-Reply-To: <20241113191602.3541870-1-jeffxu@google.com> References: <20241113191602.3541870-1-jeffxu@google.com> MIME-Version: 1.0 X-Rspam-User: X-Rspamd-Queue-Id: D314D140012 X-Rspamd-Server: rspam11 X-Stat-Signature: hfhz7m5xb1k8wjao959iby41pth9e3jz X-HE-Tag: 1731525338-174940 X-HE-Meta: U2FsdGVkX18n4cqwkni9B/nf0FGfO3uL+Z2UmTEZmpoH2FH8Clc4JWOAx5gggzECGt3RlcaGJIVSRvH+dhFw2AZtm5K0RtAD/rrz32sqNj3ksU9OUulnadsvWl25b0UH6l7X+6WvnolWOjEbMasii/kd71nYInNyFbVfgxXN2CoFYGP/tqgVtlsKoOkFfKICVcea1FdWrf7WGBPk5EsFYp2HFjeh+yLK4oJOxXfmICigEICOhmjMmVqwujTzvmeZsvI7mBds2gg+N9b4NRo0V8RcB/L7dbuHgn/G1Pw566J2PD4+lc4RGqN3ehx3iW2ieh9HRlvFGatMlA5V+Nihb8xw+CLG7jPT2tzaOzoTBTBCeAbc45aA9vkXa//p1UwPM5oTDWXzGvc92kHVo1NFfAZsWfUj85VwVyI+hoTM1qnqOCupVzbQY5TbHyCIeqa+BROo+4kDcWsVbbZ/rNp0M7xliVeB96i430kAw+QgjrWpuoYA02h0xR5uks1Waq6Bo+bhD1QwZBs2WuCkTdO/ORy5KheQ0bs+ecoXy9xOP+IjQalFn9eKLXlFsKQF3JTE8Nr2obNd5S6GoewXQ1BBqsfHg2OUqe/QxkW0Ucodq7C8OyarazjxoKdlJgAsLedZxi6/nSg7+NIjsESoC+ACwAt6XIiSmF+1NMfF8um6dlZmG80Izah9G3gUBIAb6ihfeIM6OBrA1TQERll5+MnBa5RxjM41XYQXOhDxVEk8gAVJ0L0MPuB3UfMLt3G9QmY8nK8RXtpzAiCid1NgI/hJI++YOqwqxePGD/Fxn485goKG+4k3wA2oYU2X5S/b2lripikWYOoB7AnGr1k+w/WfCgxeA0/GEww7xAywXHkjsY9No531J2+gSJktayiCq2c3u5bH4gOF+6XynyA0LFnWGd99oKF641f8XpK6i0btlk99P7BNyVE/iM2NxdgaYJDnPb44CE11jSWVvIZ9wVA UHw1z2eO jTukd5Fi65GnogQwc7nCZBV6tBqN4S5BkE8avjLfgKxjuIB/PeTASPB0c1aM+WWWMDqw/ejuaa9vNb2LqoKzIjkI6ozvhiHsznzYJ2xtTI1+TS8uyNiDmB8CLE2b7bWtveYTGfr5uDFewSaog2S2iFxCGf+Cxrn3B6RrN7CGsEYO8rwNOgkMpUOjkGNC/dlxytBNL8ehm9yWY/aGps7+UASxG3wT9PiYexWx+1IocdcwNIs2iruuvCYD4FADBTleEAwhtZDK9qwYIujukq4Rq+xuzyP1AjxJZNagwzdUvxsUfOLaVy7A6dve5rO6XqNcJbL5+kMyPH7je3oiHzZ9pRKQuN1jwfxNFtih2w/hwnMYa9VdKm7vZg5qzuw== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: From: Jeff Xu Seal vdso, vvar, sigpage, uprobes and vsyscall. Those mappings are readonly or executable only, sealing can protect them from ever changing or unmapped during the life time of the process. For complete descriptions of memory sealing, please see mseal.rst [1]. System mappings such as vdso, vvar, and sigpage (for arm) are generated by the kernel during program initialization, and are sealed after creation. Unlike the aforementioned mappings, the uprobe mapping is not established during program startup. However, its lifetime is the same as the process's lifetime [1]. It is sealed from creation. The vdso, vvar, sigpage, and uprobe mappings all invoke the _install_special_mapping() function. As no other mappings utilize this function, it is logical to incorporate sealing logic within _install_special_mapping(). This approach avoids the necessity of modifying code across various architecture-specific implementations. The vsyscall mapping, which has its own initialization function, is sealed in the XONLY case, it seems to be the most common and secure case of using vsyscall. It is important to note that the CHECKPOINT_RESTORE feature (CRIU) may alter the mapping of vdso, vvar, and sigpage during restore operations. Consequently, this feature cannot be universally enabled across all systems. To address this, a kernel configuration option has been introduced to enable or disable this functionality. [1] Documentation/userspace-api/mseal.rst [2] https://lore.kernel.org/all/CABi2SkU9BRUnqf70-nksuMCQ+yyiWjo3fM4XkRkL-NrCZxYAyg@mail.gmail.com/ Signed-off-by: Jeff Xu --- .../admin-guide/kernel-parameters.txt | 10 +++++ arch/x86/entry/vsyscall/vsyscall_64.c | 9 ++++- include/linux/mm.h | 12 ++++++ mm/mmap.c | 10 +++++ mm/mseal.c | 39 +++++++++++++++++++ security/Kconfig | 11 ++++++ 6 files changed, 89 insertions(+), 2 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index e7bfe1bde49e..469a65b3cf50 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -1538,6 +1538,16 @@ Permit 'security.evm' to be updated regardless of current integrity status. + exec.seal_system_mappings = [KNL] + Format: { no | yes } + Seal system mappings: vdso, vvar, sigpage, vsyscall, + uprobe. + This overwrites KCONFIG CONFIG_SEAL_SYSTEM_MAPPINGS + - 'no': do not seal system mappings. + - 'yes': seal system mappings. + If not specified or invalid, default is the KCONFIG value. + This option has no effect if CONFIG_64BIT=n + early_page_ext [KNL,EARLY] Enforces page_ext initialization to earlier stages so cover more early boot allocations. Please note that as side effect some optimizations diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c index 2fb7d53cf333..185553376f39 100644 --- a/arch/x86/entry/vsyscall/vsyscall_64.c +++ b/arch/x86/entry/vsyscall/vsyscall_64.c @@ -366,8 +366,13 @@ void __init map_vsyscall(void) set_vsyscall_pgtable_user_bits(swapper_pg_dir); } - if (vsyscall_mode == XONLY) - vm_flags_init(&gate_vma, VM_EXEC); + if (vsyscall_mode == XONLY) { + unsigned long vm_flags = VM_EXEC; + + vm_flags |= seal_system_mappings(); + + vm_flags_init(&gate_vma, vm_flags); + } BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_PAGE) != (unsigned long)VSYSCALL_ADDR); diff --git a/include/linux/mm.h b/include/linux/mm.h index df0a5eac66b7..f787d6c85cbb 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -4238,4 +4238,16 @@ int arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *st int arch_set_shadow_stack_status(struct task_struct *t, unsigned long status); int arch_lock_shadow_stack_status(struct task_struct *t, unsigned long status); +#ifdef CONFIG_64BIT +/* + * return VM_SEALED if seal system mapping is enabled. + */ +unsigned long seal_system_mappings(void); +#else +static inline unsigned long seal_system_mappings(void) +{ + return 0; +} +#endif + #endif /* _LINUX_MM_H */ diff --git a/mm/mmap.c b/mm/mmap.c index 57fd5ab2abe7..bc694c555805 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -2133,6 +2133,16 @@ struct vm_area_struct *_install_special_mapping( unsigned long addr, unsigned long len, unsigned long vm_flags, const struct vm_special_mapping *spec) { + /* + * At present, all mappings (vdso, vvar, sigpage, and uprobe) that + * invoke the _install_special_mapping function can be sealed. + * Therefore, it is logical to call the seal_system_mappings_enabled() + * function here. In the future, if this is not the case, i.e. if certain + * mappings cannot be sealed, then it would be necessary to move this + * check to the calling function. + */ + vm_flags |= seal_system_mappings(); + return __install_special_mapping(mm, addr, len, vm_flags, (void *)spec, &special_mapping_vmops); } diff --git a/mm/mseal.c b/mm/mseal.c index ece977bd21e1..0a9d1e9faa28 100644 --- a/mm/mseal.c +++ b/mm/mseal.c @@ -7,6 +7,7 @@ * Author: Jeff Xu */ +#include #include #include #include @@ -266,3 +267,41 @@ SYSCALL_DEFINE3(mseal, unsigned long, start, size_t, len, unsigned long, { return do_mseal(start, len, flags); } + +/* + * Kernel cmdline overwrite for CONFIG_SEAL_SYSTEM_MAPPINGS + */ +enum seal_system_mappings_type { + SEAL_SYSTEM_MAPPINGS_DISABLED, + SEAL_SYSTEM_MAPPINGS_ENABLED +}; + +static enum seal_system_mappings_type seal_system_mappings_v __ro_after_init = + IS_ENABLED(CONFIG_SEAL_SYSTEM_MAPPINGS) ? SEAL_SYSTEM_MAPPINGS_ENABLED : + SEAL_SYSTEM_MAPPINGS_DISABLED; + +static const struct constant_table value_table_sys_mapping[] __initconst = { + { "no", SEAL_SYSTEM_MAPPINGS_DISABLED}, + { "yes", SEAL_SYSTEM_MAPPINGS_ENABLED}, + { } +}; + +static int __init early_seal_system_mappings_override(char *buf) +{ + if (!buf) + return -EINVAL; + + seal_system_mappings_v = lookup_constant(value_table_sys_mapping, + buf, seal_system_mappings_v); + return 0; +} + +early_param("exec.seal_system_mappings", early_seal_system_mappings_override); + +unsigned long seal_system_mappings(void) +{ + if (seal_system_mappings_v == SEAL_SYSTEM_MAPPINGS_ENABLED) + return VM_SEALED; + + return 0; +} diff --git a/security/Kconfig b/security/Kconfig index 28e685f53bd1..63b87a218943 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -51,6 +51,17 @@ config PROC_MEM_NO_FORCE endchoice +config SEAL_SYSTEM_MAPPINGS + bool "seal system mappings" + default n + depends on 64BIT + depends on !CHECKPOINT_RESTORE + help + Seal system mappings such as vdso, vvar, sigpage, vsyscall, uprobes. + Note: CHECKPOINT_RESTORE might relocate vdso mapping during restore, + and remap will fail if the mapping is sealed, therefore + !CHECKPOINT_RESTORE is added as dependency. + config SECURITY bool "Enable different security models" depends on SYSFS