From patchwork Tue Nov 20 05:21:36 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joel Fernandes X-Patchwork-Id: 10689857 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 274691923 for ; Tue, 20 Nov 2018 05:21:59 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 173462A325 for ; Tue, 20 Nov 2018 05:21:59 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0AAD72A270; Tue, 20 Nov 2018 05:21:59 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7C65E2A325 for ; Tue, 20 Nov 2018 05:21:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726979AbeKTPtL (ORCPT ); Tue, 20 Nov 2018 10:49:11 -0500 Received: from mail-pg1-f194.google.com ([209.85.215.194]:33550 "EHLO mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726794AbeKTPtL (ORCPT ); Tue, 20 Nov 2018 10:49:11 -0500 Received: by mail-pg1-f194.google.com with SMTP id z11so384179pgu.0 for ; Mon, 19 Nov 2018 21:21:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelfernandes.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=ZGjhfyB62ZBE0Pl3zrr5IPaSCTrMuQUlFPIG+7VVFnc=; b=IR2MbOVYMj3U+8v4jTjEJi0bB/H0X8D1FslRcoRNeZ86p0CTbT3EV1LPoT3oQ/x5o1 K0KN3NwIAjcwlPnNmIoBsk6Bcn1DswvVt75ZYvSgdYIP0jmmaPk8og5MFoPOFnBr3CJB sfs+xdqcSzMOVQ/gXooR1zwPOhb+OjobBu7aI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=ZGjhfyB62ZBE0Pl3zrr5IPaSCTrMuQUlFPIG+7VVFnc=; b=ZNDv/F/t1Ec3x1j0GPo8zSUym4rUvLxqMjklLDHrc7YUheBZTyRPORIoAr0le9sr8T 0MsZusPLIDZLbx+WtW8B02MFVyFoCK0VH4Qs2l2CxFva00qoZKgWQvhH8yVe/nqO1De9 SqZl59x6zGlvnL0x+f8F4UXcM9jQUb1vCuV0OA4jb0Xh3dNpogWeenK/eR3xK3QO2OzV vr3BEavHOLfSQOwn+IUpA4imn6AmT26d6Ju/hwIfgbBK2Z4WdRzKB9WPoyIXxwsxCgfE L3M6F05RGBnyInvRlcf7BVv/JDGmfUd3ZqkmEaeKio0BkDVNJyPEDng9X2PUOVGNSp1d N7Qw== X-Gm-Message-State: AGRZ1gIqYaqParkrKfgzJCNmUdsIO2LcPZvs1D1n/baaDY/scjQnwNNy ISmdPbkE6t90vvuF0JyAuQa9xA== X-Google-Smtp-Source: AJdET5eZckjl1cfIWi1ApcqBgha7ZlHsRT0nWreuEqc6sUj908rKDkkihjtpOuI7hwV60G5hhk5+FQ== X-Received: by 2002:a62:1912:: with SMTP id 18-v6mr783240pfz.194.1542691317005; Mon, 19 Nov 2018 21:21:57 -0800 (PST) Received: from joelaf.mtv.corp.google.com ([2620:0:1000:1601:3aef:314f:b9ea:889f]) by smtp.gmail.com with ESMTPSA id q199sm34237451pfc.97.2018.11.19.21.21.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Nov 2018 21:21:55 -0800 (PST) From: "Joel Fernandes (Google)" To: linux-kernel@vger.kernel.org Cc: "Joel Fernandes (Google)" , Andy Lutomirski , Andrew Morton , Hugh Dickins , Jann Horn , Khalid Aziz , linux-api@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, =?utf-8?q?Marc-Andr?= =?utf-8?q?=C3=A9_Lureau?= , Matthew Wilcox , Mike Kravetz , Shuah Khan , Stephen Rothwell Subject: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust Date: Mon, 19 Nov 2018 21:21:36 -0800 Message-Id: <20181120052137.74317-1-joel@joelfernandes.org> X-Mailer: git-send-email 2.19.1.1215.g8438c0b245-goog MIME-Version: 1.0 Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP A better way to do F_SEAL_FUTURE_WRITE seal was discussed [1] last week where we don't need to modify core VFS structures to get the same behavior of the seal. This solves several side-effects pointed out by Andy [2]. [1] https://lore.kernel.org/lkml/20181111173650.GA256781@google.com/ [2] https://lore.kernel.org/lkml/69CE06CC-E47C-4992-848A-66EB23EE6C74@amacapital.net/ Suggested-by: Andy Lutomirski Fixes: 5e653c2923fd ("mm: Add an F_SEAL_FUTURE_WRITE seal to memfd") Signed-off-by: Joel Fernandes (Google) Signed-off-by: Joel Fernandes (Google) Signed-off-by: Andrew Morton Signed-off-by: Joel Fernandes (Google) --- fs/hugetlbfs/inode.c | 2 +- mm/memfd.c | 19 ------------------- mm/shmem.c | 24 +++++++++++++++++++++--- 3 files changed, 22 insertions(+), 23 deletions(-) diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 762028994f47..5b54bf893a67 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -558,7 +558,7 @@ static long hugetlbfs_punch_hole(struct inode *inode, loff_t offset, loff_t len) inode_lock(inode); /* protected by i_mutex */ - if (info->seals & F_SEAL_WRITE) { + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { inode_unlock(inode); return -EPERM; } diff --git a/mm/memfd.c b/mm/memfd.c index 63fff5e77114..650e65a46b9c 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -201,25 +201,6 @@ static int memfd_add_seals(struct file *file, unsigned int seals) } } - if ((seals & F_SEAL_FUTURE_WRITE) && - !(*file_seals & F_SEAL_FUTURE_WRITE)) { - /* - * The FUTURE_WRITE seal also prevents growing and shrinking - * so we need them to be already set, or requested now. - */ - int test_seals = (seals | *file_seals) & - (F_SEAL_GROW | F_SEAL_SHRINK); - - if (test_seals != (F_SEAL_GROW | F_SEAL_SHRINK)) { - error = -EINVAL; - goto unlock; - } - - spin_lock(&file->f_lock); - file->f_mode &= ~(FMODE_WRITE | FMODE_PWRITE); - spin_unlock(&file->f_lock); - } - *file_seals |= seals; error = 0; diff --git a/mm/shmem.c b/mm/shmem.c index 32eb29bd72c6..cee9878c87f1 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2121,6 +2121,23 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user) static int shmem_mmap(struct file *file, struct vm_area_struct *vma) { + struct shmem_inode_info *info = SHMEM_I(file_inode(file)); + + /* + * New PROT_READ and MAP_SHARED mmaps are not allowed when "future + * write" seal active. + */ + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) && + (info->seals & F_SEAL_FUTURE_WRITE)) + return -EPERM; + + /* + * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only + * mapping, take care to not allow mprotect to revert protections. + */ + if (info->seals & F_SEAL_FUTURE_WRITE) + vma->vm_flags &= ~(VM_MAYWRITE); + file_accessed(file); vma->vm_ops = &shmem_vm_ops; if (IS_ENABLED(CONFIG_TRANSPARENT_HUGE_PAGECACHE) && @@ -2346,8 +2363,9 @@ shmem_write_begin(struct file *file, struct address_space *mapping, pgoff_t index = pos >> PAGE_SHIFT; /* i_mutex is held by caller */ - if (unlikely(info->seals & (F_SEAL_WRITE | F_SEAL_GROW))) { - if (info->seals & F_SEAL_WRITE) + if (unlikely(info->seals & (F_SEAL_GROW | + F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))) { + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) return -EPERM; if ((info->seals & F_SEAL_GROW) && pos + len > inode->i_size) return -EPERM; @@ -2610,7 +2628,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq); /* protected by i_mutex */ - if (info->seals & F_SEAL_WRITE) { + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { error = -EPERM; goto out; } From patchwork Tue Nov 20 05:21:37 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joel Fernandes X-Patchwork-Id: 10689861 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 50C4814BD for ; Tue, 20 Nov 2018 05:22:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4047429D46 for ; Tue, 20 Nov 2018 05:22:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 344CB2A31A; Tue, 20 Nov 2018 05:22:02 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BCDDD29D46 for ; Tue, 20 Nov 2018 05:22:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727880AbeKTPtO (ORCPT ); Tue, 20 Nov 2018 10:49:14 -0500 Received: from mail-pl1-f193.google.com ([209.85.214.193]:40075 "EHLO mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730372AbeKTPtM (ORCPT ); Tue, 20 Nov 2018 10:49:12 -0500 Received: by mail-pl1-f193.google.com with SMTP id b22-v6so400730pls.7 for ; Mon, 19 Nov 2018 21:21:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelfernandes.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=eR81rLySgIbDOhD8bNr9ndHHVi59qZndCmsNdWWRUlQ=; b=o3lrtmuznJQ69cKw2Zm19SroG4DVyNaUlDT0/Sob5PFF0C7I/USX1eBAnxxrXDke7p w0BYdYfVuFU7H3NMe0gnkqQQ81HTQjKC/COIp5mitnc399grM9MqqT3piCurPUBJ0MNL y8U6o6EJ9sFcGtxsGMtIjuKdras2AK5sNwWLc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=eR81rLySgIbDOhD8bNr9ndHHVi59qZndCmsNdWWRUlQ=; b=qzw/b1GogG7W5im0ZMhQPkqAX3XRonvPYeMciV9lWn/CqeTsy521K8YnXNGITwMu+k /FG7ExQwvjUVQ07sidGzF5BmUDqLLIpaTsWkIIr00XfUeMXZE6djQZLSTXUD+ctUIxUz YqVK3afwpzkMgajScXxDOuxfBp4q4FPDIkfSjvRPRFluQJHeiwdWZ15azfp2Ut5S+7LM O3Odn7vaq82jZ3ORTQiJDgUHd0UO3gHWF9dvNGT+MiU2NQqYU60Pzg2db0isuhQF3gxR jX/6Sau/itzo1/IaRm6pSl9h2Gn1kjODeRxmqatU/QFvpnzLeyLNnf/h/kHH/j5+BOuz zA3g== X-Gm-Message-State: AA+aEWYJWFwL1Uv62NMzjliaY8BjpY3kzoYxHeqefA1jPwi9yoV2gN5F MIYtBkgPRvwmo/mwPxLlSv//Gw== X-Google-Smtp-Source: AFSGD/W6hBaX3uX6kwGz1b1Ho5J/1rdkjv+kXaTxehYbSVp1p3dkkt42U4BBV6zxLt9PpR28q9LKbw== X-Received: by 2002:a17:902:163:: with SMTP id 90-v6mr749732plb.87.1542691318562; Mon, 19 Nov 2018 21:21:58 -0800 (PST) Received: from joelaf.mtv.corp.google.com ([2620:0:1000:1601:3aef:314f:b9ea:889f]) by smtp.gmail.com with ESMTPSA id q199sm34237451pfc.97.2018.11.19.21.21.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Nov 2018 21:21:57 -0800 (PST) From: "Joel Fernandes (Google)" To: linux-kernel@vger.kernel.org Cc: "Joel Fernandes (Google)" , Jann Horn , Andrew Morton , Andy Lutomirski , Hugh Dickins , Khalid Aziz , linux-api@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, =?utf-8?q?Marc-Andr?= =?utf-8?q?=C3=A9_Lureau?= , Matthew Wilcox , Mike Kravetz , Shuah Khan , Stephen Rothwell Subject: [PATCH -next 2/2] selftests/memfd: modify tests for F_SEAL_FUTURE_WRITE seal Date: Mon, 19 Nov 2018 21:21:37 -0800 Message-Id: <20181120052137.74317-2-joel@joelfernandes.org> X-Mailer: git-send-email 2.19.1.1215.g8438c0b245-goog In-Reply-To: <20181120052137.74317-1-joel@joelfernandes.org> References: <20181120052137.74317-1-joel@joelfernandes.org> MIME-Version: 1.0 Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Modify the tests for F_SEAL_FUTURE_WRITE based on the changes introduced in previous patch. Also add a test to make sure the reopen issue pointed by Jann Horn [1] is fixed. [1] https://lore.kernel.org/lkml/CAG48ez1h=v-JYnDw81HaYJzOfrNhwYksxmc2r=cJvdQVgYM+NA@mail.gmail.com/ Cc: Jann Horn Signed-off-by: Joel Fernandes (Google) Signed-off-by: Joel Fernandes (Google) --- tools/testing/selftests/memfd/memfd_test.c | 88 +++++++++++----------- 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index 32b207ca7372..c67d32eeb668 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -54,6 +54,22 @@ static int mfd_assert_new(const char *name, loff_t sz, unsigned int flags) return fd; } +static int mfd_assert_reopen_fd(int fd_in) +{ + int r, fd; + char path[100]; + + sprintf(path, "/proc/self/fd/%d", fd_in); + + fd = open(path, O_RDWR); + if (fd < 0) { + printf("re-open of existing fd %d failed\n", fd_in); + abort(); + } + + return fd; +} + static void mfd_fail_new(const char *name, unsigned int flags) { int r; @@ -255,6 +271,25 @@ static void mfd_assert_read(int fd) munmap(p, mfd_def_size); } +/* Test that PROT_READ + MAP_SHARED mappings work. */ +static void mfd_assert_read_shared(int fd) +{ + void *p; + + /* verify PROT_READ and MAP_SHARED *is* allowed */ + p = mmap(NULL, + mfd_def_size, + PROT_READ, + MAP_SHARED, + fd, + 0); + if (p == MAP_FAILED) { + printf("mmap() failed: %m\n"); + abort(); + } + munmap(p, mfd_def_size); +} + static void mfd_assert_write(int fd) { ssize_t l; @@ -698,7 +733,7 @@ static void test_seal_write(void) */ static void test_seal_future_write(void) { - int fd; + int fd, fd2; void *p; printf("%s SEAL-FUTURE-WRITE\n", memfd_str); @@ -710,58 +745,23 @@ static void test_seal_future_write(void) p = mfd_assert_mmap_shared(fd); mfd_assert_has_seals(fd, 0); - /* Not adding grow/shrink seals makes the future write - * seal fail to get added - */ - mfd_fail_add_seals(fd, F_SEAL_FUTURE_WRITE); - - mfd_assert_add_seals(fd, F_SEAL_GROW); - mfd_assert_has_seals(fd, F_SEAL_GROW); - - /* Should still fail since shrink seal has - * not yet been added - */ - mfd_fail_add_seals(fd, F_SEAL_FUTURE_WRITE); - - mfd_assert_add_seals(fd, F_SEAL_SHRINK); - mfd_assert_has_seals(fd, F_SEAL_GROW | - F_SEAL_SHRINK); - /* Now should succeed, also verifies that the seal - * could be added with an existing writable mmap - */ mfd_assert_add_seals(fd, F_SEAL_FUTURE_WRITE); - mfd_assert_has_seals(fd, F_SEAL_SHRINK | - F_SEAL_GROW | - F_SEAL_FUTURE_WRITE); + mfd_assert_has_seals(fd, F_SEAL_FUTURE_WRITE); /* read should pass, writes should fail */ mfd_assert_read(fd); + mfd_assert_read_shared(fd); mfd_fail_write(fd); - munmap(p, mfd_def_size); - close(fd); - - /* Test adding all seals (grow, shrink, future write) at once */ - fd = mfd_assert_new("kern_memfd_seal_future_write2", - mfd_def_size, - MFD_CLOEXEC | MFD_ALLOW_SEALING); - - p = mfd_assert_mmap_shared(fd); - - mfd_assert_has_seals(fd, 0); - mfd_assert_add_seals(fd, F_SEAL_SHRINK | - F_SEAL_GROW | - F_SEAL_FUTURE_WRITE); - mfd_assert_has_seals(fd, F_SEAL_SHRINK | - F_SEAL_GROW | - F_SEAL_FUTURE_WRITE); - - /* read should pass, writes should fail */ - mfd_assert_read(fd); - mfd_fail_write(fd); + fd2 = mfd_assert_reopen_fd(fd); + /* read should pass, writes should still fail */ + mfd_assert_read(fd2); + mfd_assert_read_shared(fd2); + mfd_fail_write(fd2); munmap(p, mfd_def_size); + close(fd2); close(fd); }