From patchwork Tue Jun 11 23:14:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jeff Xu X-Patchwork-Id: 13694287 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 900F7C27C7B for ; Tue, 11 Jun 2024 23:14:19 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 2B86D6B0114; Tue, 11 Jun 2024 19:14:19 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 266816B0115; Tue, 11 Jun 2024 19:14:19 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 1082A6B0116; Tue, 11 Jun 2024 19:14:19 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id DC7936B0114 for ; Tue, 11 Jun 2024 19:14:18 -0400 (EDT) Received: from smtpin06.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id 8CD13A2CBE for ; Tue, 11 Jun 2024 23:14:18 +0000 (UTC) X-FDA: 82220163396.06.9F4E6B7 Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by imf29.hostedemail.com (Postfix) with ESMTP id B4D68120003 for ; Tue, 11 Jun 2024 23:14:16 +0000 (UTC) Authentication-Results: imf29.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=Uf9XatVg; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf29.hostedemail.com: domain of jeffxu@chromium.org designates 209.85.214.174 as permitted sender) smtp.mailfrom=jeffxu@chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1718147656; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=G4NKRSzRUO9zxmE7CyGeus+0BBDnvcGxcOkVTXBxNh4=; b=weeYsxsIR1aOOXyedv7IUhHM11ujpaxQOYG9Wm1+Rm0y+FudJsuP7kKEwusA6eNAfvFVDB f9pG0La4XAAfvmYBJzZUXZnmwRBlLkVPynNB4Z4C/Tr10G5FObLhzo2q29K1ZEAR4z9PGX H/PtAUk/6j8SHmtTcXFKqEYRnil0Wsc= ARC-Authentication-Results: i=1; imf29.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=Uf9XatVg; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf29.hostedemail.com: domain of jeffxu@chromium.org designates 209.85.214.174 as permitted sender) smtp.mailfrom=jeffxu@chromium.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1718147656; a=rsa-sha256; cv=none; b=QC0RnqE72KBS4WBTGxA/bQk7YzfouRlzo9JNVacV7mHBtQ24iKfh4UvwHBD+0h7XsomtXW BTRi8HHMvNDP1jjHJqOkCK477XwRJYGsp7MzoQN/y1epVVgbpBDAQ4qgVVzI5R5woDb0WB rq7NqkphNNZRX55wRkeagshNLxFaAew= Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-1f4a5344ec7so3104785ad.1 for ; Tue, 11 Jun 2024 16:14:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1718147655; x=1718752455; darn=kvack.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=G4NKRSzRUO9zxmE7CyGeus+0BBDnvcGxcOkVTXBxNh4=; b=Uf9XatVg+waQhMR5xpTsLPXdRCQZ11+hM/YXMLqbZEZLy7X6V/XTagOTzG0oMmuPFS 5Ug0ciqlaqCChs9x//CfbMNpnZf7dnICqx/0b/ImGstViTYRV/63mO+mupPsR8VOphCV 409T0flqLAiCxgQHgA7LwlGl2G0Cv6PsagFyQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718147655; x=1718752455; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=G4NKRSzRUO9zxmE7CyGeus+0BBDnvcGxcOkVTXBxNh4=; b=jcWkuwOktsjdtjxUg5ZQKnmXedXZyrFIjmAYO3FXNoHflbHsY86g7MQdTI5Vctvt+j 0/9xp6a8j8edXqLlQOJWICUYd7zbQ2oUbn38slKFiyWQrDUSrmeH8l+LAE5jjsmCJxjo UrL6e7EnFQ/Dxuh2J4alHP4UeDgJs5w9Ctk8W8FdOx/pZOIGVuVV+eo74alUQ7SpNQDp VNE5nOYP50hX1AfjL/uuwcnOImlo27+NvC3zdfjKKwpIvFmfTv6e0SD83uG1yMyKMGsT zOJ8troYGoqeHx3j7+sCBvkF9+Q3b/UQRxZtZc6KL1m3vrQBkrFHqd4UWJjvawM2967W +TNA== X-Forwarded-Encrypted: i=1; AJvYcCVIwGFA9ph1oRTjyh6aveajucFOl48livIroiUjT8VfLpcg7/1llLq0KQjQXn6U7hT1ETfKjQTNE3/TicAv1rSmk1w= X-Gm-Message-State: AOJu0YxT4HzJWsgDiXQOUVgrvckOby1s9Tw0K9zK+zEWvDNPehK2cTkz WAEWPhHsMn+JJ+Y83++PYlS6VUv9C0/aT18Icd1wF2/uPFN05rv1ugYQ42uiGg== X-Google-Smtp-Source: AGHT+IGdNDtP3xIWxdgEuCn8jEyOCrtFBh2iITQjh4/VkBiUCRHSlUbcVmBovHOf4FNPsfqHXh+PRA== X-Received: by 2002:a17:902:dace:b0:1f7:126:5bb7 with SMTP id d9443c01a7336-1f83b19c2d2mr5260145ad.21.1718147655552; Tue, 11 Jun 2024 16:14:15 -0700 (PDT) Received: from localhost (213.126.145.34.bc.googleusercontent.com. [34.145.126.213]) by smtp.gmail.com with UTF8SMTPSA id d9443c01a7336-1f6e1ba23c7sm85924185ad.29.2024.06.11.16.14.15 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 11 Jun 2024 16:14:15 -0700 (PDT) From: jeffxu@chromium.org To: rdunlap@infradead.org Cc: akpm@linux-foundation.org, cyphar@cyphar.com, david@readahead.eu, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@chromium.org, jeffxu@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pobrn@protonmail.com, skhan@linuxfoundation.org, stable@vger.kernel.org Subject: [PATCH v3 1/1] mm/memfd: add documentation for MFD_NOEXEC_SEAL MFD_EXEC Date: Tue, 11 Jun 2024 23:14:08 +0000 Message-ID: <20240611231409.3899809-2-jeffxu@chromium.org> X-Mailer: git-send-email 2.45.2.505.gda0bf45e8d-goog In-Reply-To: <20240611231409.3899809-1-jeffxu@chromium.org> References: <20240611231409.3899809-1-jeffxu@chromium.org> MIME-Version: 1.0 X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: B4D68120003 X-Stat-Signature: 6czc9jhfnj87gcaj8qaxpm3abbeo1zaq X-Rspam-User: X-HE-Tag: 1718147656-746189 X-HE-Meta: U2FsdGVkX19WFf9nOH40ofiSj8mEbLdMB8j++BxZSgQyTSHLgqSOMYukya761OsgWi7F7hKHbiLXEXKy3Ms3uMlcOK9kYsJKTDUA+jT4OF63O/XdZGs9UMY6YKPzDI5xQrsMlm/TqSnU3VFpb1/OyFZaIq3iY7Rs7pWN0uqyj1bauFg0Vn1UNOXDUIgTEufcXKw5FGLigEjVo4oSay9btczSuv47k7H2LyDYRXsENOXCPWEnYVPYPdjL/coR7L3Eogj5j5w5iijbgUMN9B4pWkKGI3aBfQwA7PEMmjf/gbaLYfJgpnwsqnwF4i7KdG4h039rLdMLOTJ6pIjt5U353FgX507qpoJOQsoyloFjUXGUpt6X1R+Isw5Yf4sBzrYuEh5aQc5wwavdu3PPpzvyAOFEgK08BCTL4QXIqH41ZPvLm5z52q56IzhVjKnCXvs1S7n7MGH8vGHHvuRNugkDix2WAugYgVnZE/MAMRlIWZ671yoI9gXqOeKpNwC1cObjK1EsOX50KFFlWUtIUp5+CBMUUI02Y6Z0VEFLiW6ZKa0UDHHOZsIDlDnKEWeflY7V4sLm5I2kj7hdXhKMmgmw84fgIuhsNi/mv92kz2IMTTN3ECKSUU/uQ5Lbj7SG7Ok/n3hJ+vGKY8s4nhWMV909U+pHicM4FPYapko1qYdsa+iTlb2GB0yxTfrPmujE6Ue7Fub0OP4OuEGSTv87C6qCO73Ay4WiEL/x/KfSd5DVkrsQXcTtowUim3xmweX+AH2duBfuPRPALUzRwyTa0zvgvtSdqcSU9rRn9ZpQTXDYTsbLk6BvorIhKxyKufO11n7pqwWXIgE3pNBaMKwmQi37ke75YVgqi91EKuq36IfZ0XgvtvQ1OrDD3kGu1umzSavg4lq4MrbJcW2UPgr2EbZyEHBo1qn58r+XAhhcH9hK4oUQ45nGetQLbU8EWyZtXsVol5Ntk36v0TZm9xacGWZ NZxjsfAS ZJLjErj4DpI1rUJxH8R8ntVC/hZTx7ASVpLzfRLDgDA/7EgGti972hx9Xi3wd4VWnp2llaSmvwOoRPmP3bNXVFTOOu9ady1NOSAzsjUgVqJe0CpgMn2GYqcfeOHhk/sgttwVkwMhqou55LjCII5WZrrVfBDC/LYHSpVm7BOJRyP/keXAFWRGjdugdiEBEjDPJZcM3pb/4x0M64LzvJkDQ32i0I/EJwZvJN+v0pl7S3IlJwoFbIGAuQNt9YosFgpTEHJN1kfJnSBgMuNS3GYSpE0xtTWqx/aSKquJTKyJhZ6OMLpr0BGwuhhkcIBTD6uZgKWzufwcbygul9JDnl4rHY4LQpHHMBod6UJuw8hfT6Gu4D0b7yFH+QMDkjZ5Q2DKtUdQ9gCPbDDHWoi1UPyeQM4/2U5HmRj6/kULNZ1D8G2bb5H3KLZiCGgViuBvqDUdm6PgCKyLM0mg+hx3KMbIV6w6iA5GpUcBC3KRsmPLqt91s7pJH96ICs4ExgpFBJrRRC02R//Qq98CxNI4aNFLpwSMfJVW/NmtGnEG0YxrGbvCN+isyDiJPgfEgEhtyTAQQAO4eKTnxjzqutd93hv1Atq+o12LYt6NQLbOzP2FDkEd5IqmsQA0ryTars+t+/jPOqMNA+zQEgHwY7SA+YEFdZ5OQHgrsk/lfZk6qfzNOHayhKPG8KXWr6w62vE3fFXlXbSDcS8nT7+N6vKjqWnZcEc9//g== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: From: Jeff Xu Add documentation for memfd_create flags: MFD_NOEXEC_SEAL and MFD_EXEC Cc: stable@vger.kernel.org Signed-off-by: Jeff Xu Reviewed-by: Randy Dunlap --- Documentation/userspace-api/index.rst | 1 + Documentation/userspace-api/mfd_noexec.rst | 86 ++++++++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 Documentation/userspace-api/mfd_noexec.rst diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst index 5926115ec0ed..8a251d71fa6e 100644 --- a/Documentation/userspace-api/index.rst +++ b/Documentation/userspace-api/index.rst @@ -32,6 +32,7 @@ Security-related interfaces seccomp_filter landlock lsm + mfd_noexec spec_ctrl tee diff --git a/Documentation/userspace-api/mfd_noexec.rst b/Documentation/userspace-api/mfd_noexec.rst new file mode 100644 index 000000000000..7afcc480e38f --- /dev/null +++ b/Documentation/userspace-api/mfd_noexec.rst @@ -0,0 +1,86 @@ +.. SPDX-License-Identifier: GPL-2.0 + +================================== +Introduction of non-executable mfd +================================== +:Author: + Daniel Verkamp + Jeff Xu + +:Contributor: + Aleksa Sarai + +Since Linux introduced the memfd feature, memfds have always had their +execute bit set, and the memfd_create() syscall doesn't allow setting +it differently. + +However, in a secure-by-default system, such as ChromeOS, (where all +executables should come from the rootfs, which is protected by verified +boot), this executable nature of memfd opens a door for NoExec bypass +and enables “confused deputy attack”. E.g, in VRP bug [1]: cros_vm +process created a memfd to share the content with an external process, +however the memfd is overwritten and used for executing arbitrary code +and root escalation. [2] lists more VRP of this kind. + +On the other hand, executable memfd has its legit use: runc uses memfd’s +seal and executable feature to copy the contents of the binary then +execute them. For such a system, we need a solution to differentiate runc's +use of executable memfds and an attacker's [3]. + +To address those above: + - Let memfd_create() set X bit at creation time. + - Let memfd be sealed for modifying X bit when NX is set. + - Add a new pid namespace sysctl: vm.memfd_noexec to help applications in + migrating and enforcing non-executable MFD. + +User API +======== +``int memfd_create(const char *name, unsigned int flags)`` + +``MFD_NOEXEC_SEAL`` + When MFD_NOEXEC_SEAL bit is set in the ``flags``, memfd is created + with NX. F_SEAL_EXEC is set and the memfd can't be modified to + add X later. MFD_ALLOW_SEALING is also implied. + This is the most common case for the application to use memfd. + +``MFD_EXEC`` + When MFD_EXEC bit is set in the ``flags``, memfd is created with X. + +Note: + ``MFD_NOEXEC_SEAL`` implies ``MFD_ALLOW_SEALING``. In case that + an app doesn't want sealing, it can add F_SEAL_SEAL after creation. + + +Sysctl: +======== +``pid namespaced sysctl vm.memfd_noexec`` + +The new pid namespaced sysctl vm.memfd_noexec has 3 values: + + - 0: MEMFD_NOEXEC_SCOPE_EXEC + memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like + MFD_EXEC was set. + + - 1: MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL + memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like + MFD_NOEXEC_SEAL was set. + + - 2: MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED + memfd_create() without MFD_NOEXEC_SEAL will be rejected. + +The sysctl allows finer control of memfd_create for old software that +doesn't set the executable bit; for example, a container with +vm.memfd_noexec=1 means the old software will create non-executable memfd +by default while new software can create executable memfd by setting +MFD_EXEC. + +The value of vm.memfd_noexec is passed to child namespace at creation +time. In addition, the setting is hierarchical, i.e. during memfd_create, +we will search from current ns to root ns and use the most restrictive +setting. + +[1] https://crbug.com/1305267 + +[2] https://bugs.chromium.org/p/chromium/issues/list?q=type%3Dbug-security%20memfd%20escalation&can=1 + +[3] https://lwn.net/Articles/781013/