From patchwork Thu Jul 13 14:33:46 2023
X-Patchwork-Submitter: Aleksa Sarai
X-Patchwork-Id: 13312298
From: Aleksa Sarai
To: Andrew Morton, Shuah Khan, Kees Cook, Aleksa Sarai, Jeff Xu, Daniel Verkamp
Cc: linux-mm@kvack.org, Dominique Martinet, Christian Brauner, stable@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: [RFC PATCH 1/3] memfd: cleanups for vm.memfd_noexec handling
Date: Fri, 14 Jul 2023 00:33:46 +1000
Message-ID: <20230713143406.14342-2-cyphar@cyphar.com>
In-Reply-To: <20230713143406.14342-1-cyphar@cyphar.com>
References: <20230713143406.14342-1-cyphar@cyphar.com>
The previous implementation of vm.memfd_noexec=2 did not actually enforce the usage of MFD_NOEXEC_SEAL, as any program that set MFD_EXEC would not be affected by the "enforcement" mechanism. This was fixed in Andrew's tree recently, but there were still some things that could be cleaned up.

On the topic of older programs, it seems far less disruptive to have vm.memfd_noexec=2 have the same behaviour as vm.memfd_noexec=1 (default to MFD_NOEXEC_SEAL if unspecified) to avoid breaking older programs that didn't actually care about the exec bits -- which includes the vast majority of programs that use memfd_create(2), thus allowing users to be able to enable this sysctl without all older programs needlessly breaking. Otherwise vm.memfd_noexec=2 would be unusable on most general-purpose systems as it would require an audit of all of userspace.

While we're at it, fix the warnings emitted by memfd_create() to use pr_warn_ratelimited(). If the intention of the warning is to get developers to switch to explicitly specifying if they want exec bits or not, you need to warn them whenever they use it. The systemd version on my box doesn't pass MFD_EXEC, making the warning useless for most userspace developers because it was already emitted during boot.
Commit 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC") mentions that this was switched to pr_warn_once "as per review" but I couldn't find the discussion anywhere, and the obvious issue (the ability for unprivileged userspace to spam the kernel log) should be handled by pr_warn_ratelimited. If the issue is that this is too spammy, we could tie it to using vm.memfd_noexec=1 or higher. This is a user-visible API change, but as it allows programs to do something that would be blocked before, and the sysctl itself was broken and recently released, it seems unlikely this will cause any issues. Cc: Dominique Martinet Cc: Christian Brauner Cc: stable@vger.kernel.org # v6.3+ Fixes: 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC") Signed-off-by: Aleksa Sarai --- include/linux/pid_namespace.h | 16 +++-------- mm/memfd.c | 32 ++++++++-------------- tools/testing/selftests/memfd/memfd_test.c | 22 +++++++++++---- 3 files changed, 33 insertions(+), 37 deletions(-) diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h index c758809d5bcf..53974d79d98e 100644 --- a/include/linux/pid_namespace.h +++ b/include/linux/pid_namespace.h @@ -17,18 +17,10 @@ struct fs_pin; #if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) -/* - * sysctl for vm.memfd_noexec - * 0: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL - * acts like MFD_EXEC was set. - * 1: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL - * acts like MFD_NOEXEC_SEAL was set. - * 2: memfd_create() without MFD_NOEXEC_SEAL will be - * rejected. - */ -#define MEMFD_NOEXEC_SCOPE_EXEC 0 -#define MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL 1 -#define MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED 2 +/* modes for vm.memfd_noexec sysctl */ +#define MEMFD_NOEXEC_SCOPE_EXEC 0 /* MFD_EXEC implied if unset */ +#define MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL 1 /* MFD_NOEXEC_SEAL implied if unset */ +#define MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED 2 /* same as 1, except MFD_EXEC rejected */ #endif struct pid_namespace { 
diff --git a/mm/memfd.c b/mm/memfd.c index 0bdbd2335af7..4f1f841ae39d 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -271,30 +271,22 @@ long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg) static int check_sysctl_memfd_noexec(unsigned int *flags) { #ifdef CONFIG_SYSCTL - char comm[TASK_COMM_LEN]; - int sysctl = MEMFD_NOEXEC_SCOPE_EXEC; - struct pid_namespace *ns; - - ns = task_active_pid_ns(current); - if (ns) - sysctl = ns->memfd_noexec_scope; + int sysctl = task_active_pid_ns(current)->memfd_noexec_scope; if (!(*flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { - if (sysctl == MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL) + if (sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL) *flags |= MFD_NOEXEC_SEAL; else *flags |= MFD_EXEC; } - if (*flags & MFD_EXEC && sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED) { - pr_warn_once( - "memfd_create(): MFD_NOEXEC_SEAL is enforced, pid=%d '%s'\n", - task_pid_nr(current), get_task_comm(comm, current)); - + if (!(*flags & MFD_NOEXEC_SEAL) && sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED) { + pr_warn_ratelimited( + "%s[%d]: memfd_create() requires MFD_NOEXEC_SEAL with vm.memfd_noexec=%d\n", + current->comm, task_pid_nr(current), sysctl); return -EACCES; } #endif - return 0; } @@ -302,7 +294,6 @@ SYSCALL_DEFINE2(memfd_create, const char __user *, uname, unsigned int, flags) { - char comm[TASK_COMM_LEN]; unsigned int *file_seals; struct file *file; int fd, error; 
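Review bot: the rewrite of check_sysctl_memfd_noexec() drops the `if (ns)` guard and dereferences `task_active_pid_ns(current)->memfd_noexec_scope` unconditionally; the commit message should say why that is safe (the active pid namespace of the calling task is always set while it runs), since the removed lines were defending against exactly that case. The new `sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL` defaulting together with the `!(*flags & MFD_NOEXEC_SEAL)` rejection gives mode 2 the "mode 1 plus reject explicit MFD_EXEC" semantics the commit message describes, and it agrees with the new one-line comments in pid_namespace.h.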
@@ -324,13 +315,14 @@ SYSCALL_DEFINE2(memfd_create, return -EINVAL; if (!(flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { - pr_warn_once( - "memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=%d '%s'\n", - task_pid_nr(current), get_task_comm(comm, current)); + pr_warn_ratelimited( + "%s[%d]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set\n", + current->comm, task_pid_nr(current)); } - if (check_sysctl_memfd_noexec(&flags) < 0) - return -EACCES; + error = check_sysctl_memfd_noexec(&flags); + if (error < 0) + return error; /* length includes terminating zero */ len = strnlen_user(uname, MFD_NAME_MAX_LEN + 1); diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index dbdd9ec5e397..d8342989c547 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c 
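Review bot: the ratelimited "called without MFD_EXEC or MFD_NOEXEC_SEAL set" warning in this hunk fires at every vm.memfd_noexec level, including the default 0 where nothing changes for the caller; the commit message already floats tying it to vm.memfd_noexec=1 or higher, and that decision is better made in this patch than deferred, since pr_warn_ratelimited() is still a kernel-log write any unprivileged memfd_create() caller can trigger. The sysctl value is not in scope in SYSCALL_DEFINE2(), so the simplest form is to move the warning into check_sysctl_memfd_noexec(), which already has `sysctl` in hand. Propagating `error` from check_sysctl_memfd_noexec() instead of hard-coding -EACCES is a good change.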
@@ -1145,11 +1145,23 @@ static void test_sysctl_child(void) printf("%s sysctl 2\n", memfd_str); sysctl_assert_write("2"); - mfd_fail_new("kern_memfd_sysctl_2", - MFD_CLOEXEC | MFD_ALLOW_SEALING); - mfd_fail_new("kern_memfd_sysctl_2_MFD_EXEC", - MFD_CLOEXEC | MFD_EXEC); - fd = mfd_assert_new("", 0, MFD_NOEXEC_SEAL); + mfd_fail_new("kern_memfd_sysctl_2_exec", + MFD_EXEC | MFD_CLOEXEC | MFD_ALLOW_SEALING); + + fd = mfd_assert_new("kern_memfd_sysctl_2_dfl", + mfd_def_size, + MFD_CLOEXEC | MFD_ALLOW_SEALING); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC); + mfd_fail_chmod(fd, 0777); + close(fd); + + fd = mfd_assert_new("kern_memfd_sysctl_2_noexec_seal", + mfd_def_size, + MFD_NOEXEC_SEAL | MFD_CLOEXEC | MFD_ALLOW_SEALING); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC); + mfd_fail_chmod(fd, 0777); close(fd); sysctl_fail_write("0");
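Review bot: `mfd_fail_new("kern_memfd_sysctl_2_exec", ...)` only checks that memfd_create() fails, not that it fails with EACCES; since the mm/memfd.c hunk changes the caller to propagate `error` from check_sysctl_memfd_noexec(), an errno assertion here would catch a later regression to a different error code. The two new success cases cover the defaulted and the explicit MFD_NOEXEC_SEAL paths well (mode 0666, F_SEAL_EXEC present, chmod 0777 refused); the `mfd_def_size` argument also fixes the old `mfd_assert_new("", 0, MFD_NOEXEC_SEAL)` call, which asked for a zero-length memfd.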
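The three sysctl modes argued over in this message, as an added example that is not part of the patch series: a userspace model of the decision the patched check_sysctl_memfd_noexec() makes, the pre-patch logic from the '-' lines beside it, and a probe that creates a real memfd on the running kernel and reads back its seals. The function names (memfd_noexec_resolve_new/_old, outcome_new/_old, probe_exec_seal) are this example's own, not kernel or libc API; the MFD_*/F_SEAL_EXEC values are the UAPI constants, repeated so the file builds against headers older than Linux 6.3.

```c
/* Added example: model of the vm.memfd_noexec decision, plus a live probe. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* UAPI values from linux/memfd.h and linux/fcntl.h (Linux 6.3+). */
#ifndef MFD_NOEXEC_SEAL
#define MFD_NOEXEC_SEAL 0x0008U
#endif
#ifndef MFD_EXEC
#define MFD_EXEC 0x0010U
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

enum { SCOPE_EXEC = 0, SCOPE_NOEXEC_SEAL = 1, SCOPE_NOEXEC_ENFORCED = 2 };

/* Patched logic: a caller that sets neither flag gets MFD_NOEXEC_SEAL at
 * mode 1 and 2; mode 2 refuses only an explicit MFD_EXEC request. */
int memfd_noexec_resolve_new(int mode, unsigned int *flags)
{
	if (!(*flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) {
		if (mode >= SCOPE_NOEXEC_SEAL)
			*flags |= MFD_NOEXEC_SEAL;
		else
			*flags |= MFD_EXEC;
	}
	if (!(*flags & MFD_NOEXEC_SEAL) && mode >= SCOPE_NOEXEC_ENFORCED)
		return -EACCES;
	return 0;
}

/* Pre-patch logic: at mode 2 a caller that set neither flag was defaulted
 * to MFD_EXEC and then refused, which is what broke older programs. */
int memfd_noexec_resolve_old(int mode, unsigned int *flags)
{
	if (!(*flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) {
		if (mode == SCOPE_NOEXEC_SEAL)
			*flags |= MFD_NOEXEC_SEAL;
		else
			*flags |= MFD_EXEC;
	}
	if ((*flags & MFD_EXEC) && mode >= SCOPE_NOEXEC_ENFORCED)
		return -EACCES;
	return 0;
}

/* One value per (mode, flags) pair: the effective flags, or -EACCES. */
long outcome_new(int mode, unsigned int flags)
{
	int rc = memfd_noexec_resolve_new(mode, &flags);
	return rc ? rc : (long)flags;
}

long outcome_old(int mode, unsigned int flags)
{
	int rc = memfd_noexec_resolve_old(mode, &flags);
	return rc ? rc : (long)flags;
}

/* Ask the running kernel: 1 if the memfd came back with F_SEAL_EXEC, 0 if
 * not, -errno if memfd_create() refused (EINVAL on a pre-6.3 kernel that
 * does not know MFD_NOEXEC_SEAL, EACCES when vm.memfd_noexec=2 rejects). */
int probe_exec_seal(unsigned int flags)
{
	int fd = memfd_create("noexec-probe", flags | MFD_CLOEXEC);
	if (fd < 0)
		return -errno;
	int seals = fcntl(fd, F_GET_SEALS);
	int err = errno;
	close(fd);
	if (seals < 0)
		return -err;
	return (seals & F_SEAL_EXEC) ? 1 : 0;
}

static const char *describe(long outcome)
{
	if (outcome < 0)
		return "EACCES";
	return (outcome & MFD_NOEXEC_SEAL) ? "noexec, sealed" : "exec";
}

int main(void)
{
	const struct { const char *name; unsigned int flags; } reqs[] = {
		{ "neither flag", 0 }, { "MFD_EXEC", MFD_EXEC },
		{ "MFD_NOEXEC_SEAL", MFD_NOEXEC_SEAL },
	};

	for (int mode = SCOPE_EXEC; mode <= SCOPE_NOEXEC_ENFORCED; mode++)
		for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
			printf("vm.memfd_noexec=%d %-16s before: %-15s after: %s\n",
			       mode, reqs[i].name,
			       describe(outcome_old(mode, reqs[i].flags)),
			       describe(outcome_new(mode, reqs[i].flags)));

	int r = probe_exec_seal(0);	/* what this kernel does for legacy callers */
	if (r < 0)
		printf("memfd_create(neither flag): %s\n", strerror(-r));
	else
		printf("memfd_create(neither flag): F_SEAL_EXEC %s\n", r ? "set" : "not set");
	return 0;
}
```

The table printed by main() is the user-visible API change the message describes: the only row that differs between "before" and "after" is mode 2 with neither flag, which goes from EACCES to a sealed non-executable memfd. The final probe reflects the host's actual sysctl setting, so it is a quick way to check what legacy callers get on a given machine.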
From patchwork Thu Jul 13 14:33:47 2023
X-Patchwork-Submitter: Aleksa Sarai
X-Patchwork-Id: 13312299
From: Aleksa Sarai
To: Andrew Morton, Jeff Xu, Aleksa Sarai, YueHaibing, Luis Chamberlain, Kees Cook, Daniel Verkamp
Cc: linux-mm@kvack.org, Dominique Martinet, Christian Brauner, stable@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC PATCH 2/3] memfd: remove racheting feature from vm.memfd_noexec
Date: Fri, 14 Jul 2023 00:33:47 +1000
Message-ID: <20230713143406.14342-3-cyphar@cyphar.com>
In-Reply-To: <20230713143406.14342-1-cyphar@cyphar.com>
References: <20230713143406.14342-1-cyphar@cyphar.com>

This sysctl has the very unusual behaviour of not allowing any user (even CAP_SYS_ADMIN) to reduce the restriction setting, meaning that if you were to set this sysctl to a more restrictive option in the host pidns you would need to reboot your machine in order to reset it.

The justification given in [1] is that this is a security feature and thus it should not be possible to disable. Aside from the fact that we have plenty of security-related sysctls that can be disabled after being enabled (fs.protected_symlinks for instance), the protection provided by the sysctl is to stop users from being able to create a binary and then execute it.
A user with CAP_SYS_ADMIN can trivially do this without memfd_create(2):

  % cat mount-memfd.c
  /* The header names were lost from this copy of the message; these are the
   * ones the calls below need (fsopen()/fsconfig()/fsmount() wrappers need
   * glibc 2.36 or newer). */
  #define _GNU_SOURCE
  #include <assert.h>
  #include <fcntl.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <unistd.h>
  #include <sys/mount.h>

  #define SHELLCODE "#!/bin/echo this file was executed from this totally private tmpfs:"

  int main(void)
  {
  	int fsfd = fsopen("tmpfs", FSOPEN_CLOEXEC);
  	assert(fsfd >= 0);
  	assert(!fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 2));

  	int dfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
  	assert(dfd >= 0);

  	/* mode 0700; the literal 0782 in the original is not a valid octal constant */
  	int execfd = openat(dfd, "exe", O_CREAT | O_RDWR | O_CLOEXEC, 0700);
  	assert(execfd >= 0);
  	assert(write(execfd, SHELLCODE, strlen(SHELLCODE)) == strlen(SHELLCODE));
  	assert(!close(execfd));

  	char *execpath = NULL;
  	char *argv[] = { "bad-exe", NULL }, *envp[] = { NULL };
  	execfd = openat(dfd, "exe", O_PATH | O_CLOEXEC);
  	assert(execfd >= 0);
  	assert(asprintf(&execpath, "/proc/self/fd/%d", execfd) > 0);
  	assert(!execve(execpath, argv, envp));
  }
  % ./mount-memfd
  this file was executed from this totally private tmpfs: /proc/self/fd/5
  %

Given that it is possible for CAP_SYS_ADMIN users to create executable binaries without memfd_create(2) and without touching the host filesystem (not to mention the many other things a CAP_SYS_ADMIN process would be able to do that would be equivalent or worse), it seems strange to cause a fair amount of headache to admins when there doesn't appear to be an actual security benefit to blocking this.

It should be noted that with this change, programs that can do an unprivileged unshare(CLONE_NEWUSER) would be able to create an executable memfd even if their current pidns didn't allow it. However, the same sample program above can also be used in this scenario, meaning that even with this consideration, blocking CAP_SYS_ADMIN makes little sense:

  % unshare -rm ./mount-memfd
  this file was executed from this totally private tmpfs: /proc/self/fd/5

This simply further reinforces that locked-down environments need to disallow CLONE_NEWUSER for unprivileged users (as is already the case in most container environments).
[1]: https://lore.kernel.org/all/CABi2SkWnAgHK1i6iqSqPMYuNEhtHBkO8jUuCvmG3RmUB5TKHJw@mail.gmail.com/ Cc: Dominique Martinet Cc: Christian Brauner Cc: stable@vger.kernel.org # v6.3+ Fixes: 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC") Signed-off-by: Aleksa Sarai --- kernel/pid_sysctl.h | 7 ------- 1 file changed, 7 deletions(-) diff --git a/kernel/pid_sysctl.h b/kernel/pid_sysctl.h index b26e027fc9cd..8a22bc29ebb4 100644 --- a/kernel/pid_sysctl.h +++ b/kernel/pid_sysctl.h 
@@ -24,13 +24,6 @@ static int pid_mfd_noexec_dointvec_minmax(struct ctl_table *table, if (ns != &init_pid_ns) table_copy.data = &ns->memfd_noexec_scope; - /* - * set minimum to current value, the effect is only bigger - * value is accepted. - */ - if (*(int *)table_copy.data > *(int *)table_copy.extra1) - table_copy.extra1 = table_copy.data; - return proc_dointvec_minmax(&table_copy, write, buf, lenp, ppos); }
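Review bot: with the ratchet gone, proc_dointvec_minmax() against the table's extra1/extra2 bounds is the only validation left on writes to vm.memfd_noexec, so anyone allowed to write the sysctl can now lower it; the commit message should state that plainly as the intended new semantics. More importantly, the selftest hunk in patch 1/3 of this series keeps the unchanged context line `sysctl_fail_write("0");` right after `sysctl_assert_write("2");`, which asserts that lowering the value is refused; with this patch applied that write succeeds, so the selftest needs updating in the same series or the two patches cannot both pass.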
From patchwork Thu Jul 13 14:33:48 2023
X-Patchwork-Submitter: Aleksa Sarai
X-Patchwork-Id: 13312300
From: Aleksa Sarai
To: Shuah Khan, Jeff Xu, Andrew Morton, Daniel Verkamp, Aleksa Sarai, Kees Cook
Cc: linux-mm@kvack.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC PATCH 3/3] selftests: memfd: error out test process when child test fails
Date: Fri, 14 Jul 2023 00:33:48 +1000
Message-ID: <20230713143406.14342-4-cyphar@cyphar.com>
In-Reply-To: <20230713143406.14342-1-cyphar@cyphar.com>
References: <20230713143406.14342-1-cyphar@cyphar.com>

Before this change, a test runner using this self test would see a return code of 0 when the tests using a child process (namely the MFD_NOEXEC_SEAL and MFD_EXEC tests) failed, masking test failures.

Fixes: 11f75a01448f ("selftests/memfd: add tests for MFD_NOEXEC_SEAL MFD_EXEC")
Signed-off-by: Aleksa Sarai
Signed-off-by: Jeff Xu Reviewed-by: Jeff Xu --- tools/testing/selftests/memfd/memfd_test.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index d8342989c547..8b7390ad81d1 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -1219,7 +1219,24 @@ static pid_t spawn_newpid_thread(unsigned int flags, int (*fn)(void *)) static void join_newpid_thread(pid_t pid) { - waitpid(pid, NULL, 0); + int wstatus; + + if (waitpid(pid, &wstatus, 0) < 0) { + printf("newpid thread: waitpid() failed: %m\n"); + abort(); + } + + if (WIFEXITED(wstatus) && WEXITSTATUS(wstatus) != 0) { + printf("newpid thread: exited with non-zero error code %d\n", + WEXITSTATUS(wstatus)); + abort(); + } + + if (WIFSIGNALED(wstatus)) { + printf("newpid thread: killed by signal %d\n", + WTERMSIG(wstatus)); + abort(); + } } /*
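Review bot: `waitpid(pid, &wstatus, 0)` in the new join_newpid_thread() treats every failure as fatal, including EINTR, which can happen if a signal lands while the parent is blocked in the wait; retrying while `errno == EINTR` before falling through to the abort() would make the harness robust without changing what it reports. The WIFEXITED/WEXITSTATUS and WIFSIGNALED/WTERMSIG handling is otherwise the right fix for the masked child failures the commit message describes, and `%m` is fine here since the selftest is Linux/glibc only.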