From patchwork Fri Aug 5 22:21:22 2022
X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 12937865
Date: Fri, 5 Aug 2022 22:21:22 +0000
In-Reply-To: <20220805222126.142525-1-jeffxu@google.com>
Message-Id: <20220805222126.142525-2-jeffxu@google.com>
References: <20220805222126.142525-1-jeffxu@google.com>
Subject: [PATCH v2 1/5] mm/memfd: add F_SEAL_EXEC
To: skhan@linuxfoundation.org
Cc: akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com, Jeff Xu

From: Daniel Verkamp

The new F_SEAL_EXEC flag will prevent modification of the exec bits: written as traditional octal mask, 0111, or as named flags, S_IXUSR | S_IXGRP | S_IXOTH. Any chmod(2) or similar call that attempts to modify any of these bits after the seal is applied will fail with errno EPERM. This will preserve the execute bits as they are at the time of sealing, so the memfd will become either permanently executable or permanently un-executable.

Co-developed-by: Jeff Xu
Signed-off-by: Jeff Xu
Signed-off-by: Daniel Verkamp
---
 include/uapi/linux/fcntl.h | 1 +
 mm/memfd.c | 2 ++
 mm/shmem.c | 6 ++++++
 3 files changed, 9 insertions(+)

diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h index 2f86b2ad6d7e..a472ba69596c 100644 --- a/include/uapi/linux/fcntl.h +++ b/include/uapi/linux/fcntl.h @@ -43,6 +43,7 @@ #define F_SEAL_GROW 0x0004 /* prevent file from growing */ #define F_SEAL_WRITE 0x0008 /* prevent writes */ #define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */ +#define F_SEAL_EXEC 0x0020 /* prevent chmod modifying exec bits */ /* (1U << 31) is reserved for signed error codes */ /* diff --git a/mm/memfd.c b/mm/memfd.c index 08f5f8304746..4ebeab94aa74 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -147,6 +147,7 @@ static unsigned int *memfd_file_seals_ptr(struct file *file) } #define F_ALL_SEALS (F_SEAL_SEAL | \ + F_SEAL_EXEC | \ F_SEAL_SHRINK | \ F_SEAL_GROW | \ F_SEAL_WRITE | \ 
@@ -175,6 +176,7 @@ static int memfd_add_seals(struct file *file, unsigned int seals) * SEAL_SHRINK: Prevent the file from shrinking * SEAL_GROW: Prevent the file from growing * SEAL_WRITE: Prevent write access to the file + * SEAL_EXEC: Prevent modification of the exec bits in the file mode * * As we don't require any trust relationship between two parties, we * must prevent seals from being removed. Therefore, sealing a file diff --git a/mm/shmem.c b/mm/shmem.c index e5e43b990fdc..bb530f562bdd 100644 --- a/mm/shmem.c +++ b/mm/shmem.c 
@@ -1082,6 +1082,12 @@ static int shmem_setattr(struct user_namespace *mnt_userns, if (error) return error; + if ((info->seals & F_SEAL_EXEC) && (attr->ia_valid & ATTR_MODE)) { + if ((inode->i_mode ^ attr->ia_mode) & 0111) { + return -EPERM; + } + } + if (S_ISREG(inode->i_mode) && (attr->ia_valid & ATTR_SIZE)) { loff_t oldsize = inode->i_size; loff_t newsize = attr->ia_size;
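
Review bot: [PATCH v2 1/5], mm/shmem.c shmem_setattr() hunk: the new check spells the execute mask as a bare 0111 and nests two ifs with braces around a single return. Fold it into one condition and name the mask, for example S_IXUGO or the S_IXUSR | S_IXGRP | S_IXOTH form the commit message already uses, so the intent is readable at the call site and the braces match kernel style. The check fires only when ATTR_MODE is set, so what it fixes in place is the mode bits of the inode; the commit message's "permanently executable or permanently un-executable" should say that it refers to those bits.
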
From patchwork Fri Aug 5 22:21:23 2022
X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 12937866
Date: Fri, 5 Aug 2022 22:21:23 +0000
In-Reply-To: <20220805222126.142525-1-jeffxu@google.com>
Message-Id: <20220805222126.142525-3-jeffxu@google.com>
References: <20220805222126.142525-1-jeffxu@google.com>
Subject: [PATCH v2 2/5] mm/memfd: add MFD_NOEXEC flag to memfd_create
To: skhan@linuxfoundation.org
Cc: akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com, Jeff Xu

From: Daniel Verkamp

The new MFD_NOEXEC flag allows the creation of a permanently non-executable memfd. This is accomplished by creating it with a different set of file mode bits (0666) than the default (0777) and applying the F_SEAL_EXEC seal at creation time, so there is no window between memfd creation and seal application.

Unfortunately, the default for memfd must remain executable, since changing this would be an API break, and some programs depend on being able to exec code from a memfd directly. However, this new flag will allow programs to create non-executable memfds, and a distribution may choose to enforce use of this flag in memfd_create calls via other security mechanisms.

Co-developed-by: Jeff Xu
Signed-off-by: Jeff Xu
Signed-off-by: Daniel Verkamp
---
 include/uapi/linux/memfd.h | 1 +
 mm/memfd.c | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/memfd.h b/include/uapi/linux/memfd.h index 7a8a26751c23..140e125c9f65 100644 --- a/include/uapi/linux/memfd.h +++ b/include/uapi/linux/memfd.h @@ -8,6 +8,7 @@ #define MFD_CLOEXEC 0x0001U #define MFD_ALLOW_SEALING 0x0002U #define MFD_HUGETLB 0x0004U +#define MFD_NOEXEC 0x0008U /* * Huge page size encoding when MFD_HUGETLB is specified, and a huge page diff --git a/mm/memfd.c b/mm/memfd.c index 4ebeab94aa74..b841514eb0fd 100644 --- a/mm/memfd.c +++ b/mm/memfd.c 
@@ -263,7 +263,7 @@ long memfd_fcntl(struct file *file, unsigned int cmd, unsigned long arg) #define MFD_NAME_PREFIX_LEN (sizeof(MFD_NAME_PREFIX) - 1) #define MFD_NAME_MAX_LEN (NAME_MAX - MFD_NAME_PREFIX_LEN) -#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB) +#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB | MFD_NOEXEC) SYSCALL_DEFINE2(memfd_create, const char __user *, uname, 
@@ -333,6 +333,14 @@ SYSCALL_DEFINE2(memfd_create, *file_seals &= ~F_SEAL_SEAL; } + if (flags & MFD_NOEXEC) { + struct inode *inode = file_inode(file); + + inode->i_mode &= ~0111; + file_seals = memfd_file_seals_ptr(file); + *file_seals |= F_SEAL_EXEC; + } + fd_install(fd, file); kfree(name); return fd;
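
Review bot: [PATCH v2 2/5], mm/memfd.c memfd_create hunk: MFD_NOEXEC is accepted together with MFD_HUGETLB (both sit in MFD_ALL_FLAGS in the hunk above), but the only enforcement of F_SEAL_EXEC added in 1/5 is in shmem_setattr() in mm/shmem.c. For a hugetlb-backed memfd this block clears the exec bits and records the seal, and nothing in the visible hunks rejects a later fchmod() that sets them again. Either reject MFD_NOEXEC | MFD_HUGETLB here or add the same check on the hugetlbfs setattr path, and cover the combination in the selftests. The ~0111 literal has the same naming issue as the mask in 1/5.
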
From patchwork Fri Aug 5 22:21:24 2022
X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 12937867
Date: Fri, 5 Aug 2022 22:21:24 +0000
In-Reply-To: <20220805222126.142525-1-jeffxu@google.com>
Message-Id: <20220805222126.142525-4-jeffxu@google.com>
References: <20220805222126.142525-1-jeffxu@google.com>
Subject: [PATCH v2 3/5] selftests/memfd: add tests for F_SEAL_EXEC
To: skhan@linuxfoundation.org
Cc: akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com, Jeff Xu

From: Daniel Verkamp

Basic tests to ensure that user/group/other execute bits cannot be changed after applying F_SEAL_EXEC to a memfd.

Co-developed-by: Jeff Xu
Signed-off-by: Jeff Xu
Signed-off-by: Daniel Verkamp
---
 tools/testing/selftests/memfd/memfd_test.c | 129 ++++++++++++++++++++-
 1 file changed, 128 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index 94df2692e6e4..1d7e7b36bbdd 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -28,12 +28,44 @@ #define MFD_DEF_SIZE 8192 #define STACK_SIZE 65536 +#ifndef F_SEAL_EXEC +#define F_SEAL_EXEC 0x0020 +#endif + +#ifndef MAX_PATH +#define MAX_PATH 256 +#endif + /* * Default is not to test hugetlbfs */ static size_t mfd_def_size = MFD_DEF_SIZE; static const char *memfd_str = MEMFD_STR; +static ssize_t fd2name(int fd, char *buf, size_t bufsize) +{ + char buf1[MAX_PATH]; + int size; + ssize_t nbytes; + + size = snprintf(buf1, MAX_PATH, "/proc/self/fd/%d", fd); + if (size < 0) { + printf("snprintf(%d) failed on %m\n", fd); + abort(); + } + + /* + * reserver one byte for string termination. + */ + nbytes = readlink(buf1, buf, bufsize-1); + if (nbytes == -1) { + printf("readlink(%s) failed %m\n", buf1); + abort(); + } + buf[nbytes] = '\0'; + return nbytes; +} + static int mfd_assert_new(const char *name, loff_t sz, unsigned int flags) { int r, fd; 
@@ -98,11 +130,14 @@ static unsigned int mfd_assert_get_seals(int fd) static void mfd_assert_has_seals(int fd, unsigned int seals) { + char buf[MAX_PATH]; + int nbytes; unsigned int s; + fd2name(fd, buf, MAX_PATH); s = mfd_assert_get_seals(fd); if (s != seals) { - printf("%u != %u = GET_SEALS(%d)\n", seals, s, fd); + printf("%u != %u = GET_SEALS(%s)\n", seals, s, buf); abort(); } } @@ -594,6 +629,64 @@ static void mfd_fail_grow_write(int fd) } } +static void mfd_assert_mode(int fd, int mode) +{ + struct stat st; + char buf[MAX_PATH]; + int nbytes; + + fd2name(fd, buf, MAX_PATH); + + if (fstat(fd, &st) < 0) { + printf("fstat(%s) failed: %m\n", buf); + abort(); + } + + if ((st.st_mode & 07777) != mode) { + printf("fstat(%s) wrong file mode 0%04o, but expected 0%04o\n", + buf, (int)st.st_mode & 07777, mode); + abort(); + } +} + +static void mfd_assert_chmod(int fd, int mode) +{ + char buf[MAX_PATH]; + int nbytes; + + fd2name(fd, buf, MAX_PATH); + + if (fchmod(fd, mode) < 0) { + printf("fchmod(%s, 0%04o) failed: %m\n", buf, mode); + abort(); + } + + mfd_assert_mode(fd, mode); +} + +static void mfd_fail_chmod(int fd, int mode) +{ + struct stat st; + char buf[MAX_PATH]; + int nbytes; + + fd2name(fd, buf, MAX_PATH); + + if (fstat(fd, &st) < 0) { + printf("fstat(%s) failed: %m\n", buf); + abort(); + } + + if (fchmod(fd, mode) == 0) { + printf("fchmod(%s, 0%04o) didn't fail as expected\n", + buf, mode); + abort(); + } + + /* verify that file mode bits did not change */ + mfd_assert_mode(fd, st.st_mode & 07777); +} + static int idle_thread_fn(void *arg) { sigset_t set; 
@@ -880,6 +973,39 @@ static void test_seal_resize(void) close(fd); } +/* + * Test SEAL_EXEC + * Test that chmod() cannot change x bits after sealing + */ +static void test_seal_exec(void) +{ + int fd; + + printf("%s SEAL-EXEC\n", memfd_str); + + fd = mfd_assert_new("kern_memfd_seal_exec", + mfd_def_size, + MFD_CLOEXEC | MFD_ALLOW_SEALING); + + mfd_assert_mode(fd, 0777); + + mfd_assert_chmod(fd, 0644); + + mfd_assert_has_seals(fd, 0); + mfd_assert_add_seals(fd, F_SEAL_EXEC); + mfd_assert_has_seals(fd, F_SEAL_EXEC); + + mfd_assert_chmod(fd, 0600); + mfd_fail_chmod(fd, 0777); + mfd_fail_chmod(fd, 0670); + mfd_fail_chmod(fd, 0605); + mfd_fail_chmod(fd, 0700); + mfd_fail_chmod(fd, 0100); + mfd_assert_chmod(fd, 0666); + + close(fd); +} + /* * Test sharing via dup() * Test that seals are shared between dupped FDs and they're all equal. 
@@ -1059,6 +1185,7 @@ int main(int argc, char **argv) test_seal_shrink(); test_seal_grow(); test_seal_resize(); + test_seal_exec(); test_share_dup("SHARE-DUP", ""); test_share_mmap("SHARE-MMAP", "");
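
Review bot: [PATCH v2 3/5], fd2name() in the @@ -28,12 +28,44 @@ hunk: the snprintf() result is only checked for < 0, so a truncated path (size >= MAX_PATH) would go on to readlink() unnoticed, and bufsize - 1 wraps if a caller ever passes 0. Check size >= MAX_PATH as well and reject a zero bufsize. The comment "reserver one byte" should read "reserve one byte", and bufsize-1 wants spaces around the operator.
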
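
Review bot: [PATCH v2 3/5], mfd_assert_has_seals() in the @@ -98,11 +130,14 @@ hunk: fd2name() now runs on every call although buf is only printed when s != seals, and because fd2name() aborts when readlink() fails, a seal check that would pass now aborts if /proc/self/fd cannot be read. Move the fd2name() call inside the if (s != seals) block. The added int nbytes is never used and should be dropped.
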
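
Review bot: [PATCH v2 3/5], mfd_fail_chmod() in the @@ -594,6 +629,64 @@ hunk: any fchmod() failure is accepted, while the commit message of 1/5 promises errno EPERM. Assert errno == EPERM after the failed call so an unrelated error cannot make the test pass. All three new helpers also declare an int nbytes that is never used, and mfd_assert_mode() compares st.st_mode & 07777 against a signed int mode; mode_t would be the natural parameter type.
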
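
Review bot: [PATCH v2 3/5], test_seal_exec() in the @@ -880,6 +973,39 @@ hunk: the seal is only ever applied with the exec bits clear (after the chmod to 0644), so the "permanently executable" half of the behaviour described in 1/5 is untested. Add a second memfd that is sealed while still 0777 and check that fchmod to 0666 fails and fchmod to 0755 succeeds.
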
From patchwork Fri Aug 5 22:21:25 2022
X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 12937868
Date: Fri, 5 Aug 2022 22:21:25 +0000
In-Reply-To: <20220805222126.142525-1-jeffxu@google.com>
Message-Id: <20220805222126.142525-5-jeffxu@google.com>
References: <20220805222126.142525-1-jeffxu@google.com>
Subject: [PATCH v2 4/5] selftests/memfd: add tests for MFD_NOEXEC
To: skhan@linuxfoundation.org
Cc: akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com, Jeff Xu

From: Daniel Verkamp

Tests that ensure MFD_NOEXEC memfds have the appropriate mode bits and cannot be chmod-ed into being executable.

Co-developed-by: Jeff Xu
Signed-off-by: Jeff Xu
Signed-off-by: Daniel Verkamp
---
 tools/testing/selftests/memfd/memfd_test.c | 34 ++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index 1d7e7b36bbdd..4906f778564e 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -36,6 +36,10 @@ #define MAX_PATH 256 #endif +#ifndef MFD_NOEXEC +#define MFD_NOEXEC 0x0008U +#endif + /* * Default is not to test hugetlbfs */ @@ -1006,6 +1010,35 @@ static void test_seal_exec(void) close(fd); } +/* + * Test memfd_create with MFD_NOEXEC flag + * Test that MFD_NOEXEC applies F_SEAL_EXEC and prevents change of exec bits + */ +static void test_noexec(void) +{ + int fd; + + printf("%s NOEXEC\n", memfd_str); + + /* Create with NOEXEC and ALLOW_SEALING */ + fd = mfd_assert_new("kern_memfd_noexec", + mfd_def_size, + MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_NOEXEC); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC); + mfd_fail_chmod(fd, 0777); + close(fd); + + /* Create with NOEXEC but without ALLOW_SEALING */ + fd = mfd_assert_new("kern_memfd_noexec", + mfd_def_size, + MFD_CLOEXEC | MFD_NOEXEC); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC | F_SEAL_SEAL); + mfd_fail_chmod(fd, 0777); + close(fd); +} + /* * Test sharing via dup() * Test that seals are shared between dupped FDs and they're all equal. 
@@ -1179,6 +1212,7 @@ int main(int argc, char **argv) test_create(); test_basic(); + test_noexec(); test_seal_write(); test_seal_future_write(); 

From patchwork Fri Aug 5 22:21:26 2022
X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 12937869
Date: Fri, 5 Aug 2022 22:21:26 +0000
In-Reply-To: <20220805222126.142525-1-jeffxu@google.com>
Message-Id: <20220805222126.142525-6-jeffxu@google.com>
References: <20220805222126.142525-1-jeffxu@google.com>
Subject: [PATCH v2 5/5] sysctl: add support for mfd_noexec
From: To: skhan@linuxfoundation.org Cc: akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com, Jeff Xu

From: Jeff Xu

Add vm.mfd_noexec. When the value is 1 (enabled), the memfd_create syscall will create a non-executable memfd. The default value is 0 (disabled). An admin can change the setting from 0 => 1; however, 1 => 0 is not allowed unless the system is rebooted.

Signed-off-by: Jeff Xu
Reported-by: kernel test robot
Reported-by: kernel test robot
--- include/linux/mm.h | 4 ++++ kernel/sysctl.c | 9 +++++++++ mm/memfd.c | 27 +++++++++++++++++++++++++++ 3 files changed, 40 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index 7898e29bcfb5..1c66cf4aca11 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -203,6 +203,10 @@ extern int sysctl_overcommit_memory; extern int sysctl_overcommit_ratio; extern unsigned long sysctl_overcommit_kbytes; +extern int sysctl_mfd_noexec_scope; +extern int mfd_noexec_dointvec_minmax(struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos); + int overcommit_ratio_handler(struct ctl_table *, int, void *, size_t *, loff_t *); int overcommit_kbytes_handler(struct ctl_table *, int, void *, size_t *, diff --git a/kernel/sysctl.c b/kernel/sysctl.c index b233714a1c78..54510da007ff 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2362,6 +2362,15 @@ static struct ctl_table vm_table[] = { .mode = 0644, .proc_handler = mmap_min_addr_handler, }, + { + .procname = "mfd_noexec", + .data = &sysctl_mfd_noexec_scope, + .maxlen = sizeof(sysctl_mfd_noexec_scope), + .mode = 0644, + .proc_handler = mfd_noexec_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, + }, #endif #ifdef CONFIG_NUMA { 
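Review bot: The new "mfd_noexec" entry in vm_table[] sits inside the same #ifdef block as the mmap_min_addr entry, but its .data and .proc_handler point at sysctl_mfd_noexec_scope and mfd_noexec_dointvec_minmax, which are defined only in mm/memfd.c, so any configuration that builds kernel/sysctl.c with this block enabled but does not build mm/memfd.c will fail to link. Guard the table entry and the two extern declarations in include/linux/mm.h with the option that builds mm/memfd.c, or register the sysctl from mm/memfd.c so the table entry and its handler live and die together.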
diff --git a/mm/memfd.c b/mm/memfd.c index b841514eb0fd..c6ccb8481ed2 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -20,6 +20,11 @@ #include #include +#define MFD_NOEXEC_SCOPE_DISABLED 0 +#define MFD_NOEXEC_SCOPE_ENABLED 1 + +int sysctl_mfd_noexec_scope __read_mostly = MFD_NOEXEC_SCOPE_DISABLED; + /* * We need a tag: a new tag would expand every xa_node by 8 bytes, * so reuse a tag which we firmly believe is never set or cleared on tmpfs @@ -275,6 +280,10 @@ SYSCALL_DEFINE2(memfd_create, char *name; long len; + if (sysctl_mfd_noexec_scope == MFD_NOEXEC_SCOPE_ENABLED) { + flags |= MFD_NOEXEC; + } + if (!(flags & MFD_HUGETLB)) { if (flags & ~(unsigned int)MFD_ALL_FLAGS) return -EINVAL; @@ -351,3 +360,21 @@ SYSCALL_DEFINE2(memfd_create, kfree(name); return error; } + +#ifdef CONFIG_SYSCTL +int mfd_noexec_dointvec_minmax(struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos) +{ + struct ctl_table table_copy; + + if (write && !capable(CAP_SYS_ADMIN)) + return -EPERM; + + /* Lock the max value if it ever gets set. */ + table_copy = *table; + if (*(int *)table_copy.data == *(int *)table_copy.extra2) + table_copy.extra1 = table_copy.extra2; + + return proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos); +} +#endif
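Review bot: In the memfd_create hunk, sysctl_mfd_noexec_scope is read with a plain load while mfd_noexec_dointvec_minmax can update it concurrently through /proc; use READ_ONCE() for the read, and drop the braces around the single-statement if to match kernel coding style. In mfd_noexec_dointvec_minmax, pinning extra1 to extra2 once the value is 1 gives the 0 => 1 only behaviour the commit message describes, but the diffstat touches only mm.h, sysctl.c and memfd.c, so vm.mfd_noexec is left undocumented; please add an entry to Documentation/admin-guide/sysctl/vm.rst that states the one-way semantics and the CAP_SYS_ADMIN requirement for writes.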