From patchwork Fri Dec 6 01:09:22 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Isaac Manjarres
X-Patchwork-Id: 13896199
Date: Thu, 5 Dec 2024 17:09:22 -0800
In-Reply-To: <20241206010930.3871336-1-isaacmanjarres@google.com>
References: <20241206010930.3871336-1-isaacmanjarres@google.com>
X-Mailer: git-send-email 2.47.0.338.g60cca15819-goog
Message-ID: <20241206010930.3871336-2-isaacmanjarres@google.com>
Subject: [RFC PATCH v1 1/2] mm/memfd: Add support for F_SEAL_FUTURE_EXEC to memfd
From: "Isaac J. Manjarres"
To: Andrew Morton, Jeff Layton, Chuck Lever, Alexander Aring, "Liam R. Howlett", Lorenzo Stoakes, Vlastimil Babka, Jann Horn, Shuah Khan
Cc: "Isaac J. Manjarres", kernel-team@android.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, Suren Baghdasaryan, Kalesh Singh, John Stultz

Android currently uses the ashmem driver [1] for creating shared memory regions between processes. Ashmem buffers can initially be mapped with PROT_READ, PROT_WRITE, and PROT_EXEC. Processes can then use the ASHMEM_SET_PROT_MASK ioctl command to restrict--never add--the permissions that the buffer can be mapped with.

Processes can remove the ability to map ashmem buffers as executable to ensure that those buffers cannot be exploited to run unintended code.

We are currently trying to replace ashmem with memfd. However, memfd does not have a provision to permanently remove the ability to map a buffer as executable. Although, this should be something that can be achieved via a new file seal.

There are known usecases (e.g. CursorWindow [2]) where a process maps a buffer with read/write permissions before restricting the buffer to being mapped as read-only for future mappings.

The resulting VMA from the writable mapping has VM_MAYEXEC set, meaning that mprotect() can change the mapping to be executable.
Therefore, implementing the seal similar to F_SEAL_WRITE would not be appropriate, since it would not work with the CursorWindow usecase. This is because the CursorWindow process restricts the mapping permissions to read-only after the writable mapping is created. So, adding a file seal for executable mappings that operates like F_SEAL_WRITE would fail. Therefore, add support for F_SEAL_FUTURE_EXEC, which is handled similarly to F_SEAL_FUTURE_WRITE. This ensures that CursorWindow can continue to create a writable mapping initially, and then restrict the permissions on the buffer to be mappable as read-only by using both F_SEAL_FUTURE_WRITE and F_SEAL_FUTURE_EXEC. After the seal is applied, any calls to mmap() with PROT_EXEC will fail. [1] https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/drivers/staging/android/ashmem.c [2] https://developer.android.com/reference/android/database/CursorWindow Cc: Suren Baghdasaryan Cc: Kalesh Singh Cc: John Stultz Signed-off-by: Isaac J. Manjarres --- include/linux/mm.h | 5 +++++ include/uapi/linux/fcntl.h | 1 + mm/memfd.c | 1 + mm/mmap.c | 11 +++++++++++ 4 files changed, 18 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index 4eb8e62d5c67..40c03a491e45 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -4096,6 +4096,11 @@ static inline bool is_write_sealed(int seals) return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE); } +static inline bool is_exec_sealed(int seals) +{ + return seals & F_SEAL_FUTURE_EXEC; +} + /** * is_readonly_sealed - Checks whether write-sealed but mapped read-only, * in which case writes should be disallowing moving diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h index 6e6907e63bfc..ef066e524777 100644 --- a/include/uapi/linux/fcntl.h +++ b/include/uapi/linux/fcntl.h 
@@ -49,6 +49,7 @@ #define F_SEAL_WRITE 0x0008 /* prevent writes */ #define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */ #define F_SEAL_EXEC 0x0020 /* prevent chmod modifying exec bits */ +#define F_SEAL_FUTURE_EXEC 0x0040 /* prevent future executable mappings */ /* (1U << 31) is reserved for signed error codes */ /* diff --git a/mm/memfd.c b/mm/memfd.c index 35a370d75c9a..77b49995a044 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -184,6 +184,7 @@ unsigned int *memfd_file_seals_ptr(struct file *file) } #define F_ALL_SEALS (F_SEAL_SEAL | \ + F_SEAL_FUTURE_EXEC |\ F_SEAL_EXEC | \ F_SEAL_SHRINK | \ F_SEAL_GROW | \ diff --git a/mm/mmap.c b/mm/mmap.c index b1b2a24ef82e..c7b96b057fda 100644 --- a/mm/mmap.c +++ b/mm/mmap.c 
@@ -375,6 +375,17 @@ unsigned long do_mmap(struct file *file, unsigned long addr, if (!file_mmap_ok(file, inode, pgoff, len)) return -EOVERFLOW; + if (is_exec_sealed(seals)) { + /* No new executable mappings if the file is exec sealed. */ + if (prot & PROT_EXEC) + return -EACCES; + /* + * Prevent an initially non-executable mapping from + * later becoming executable via mprotect(). + */ + vm_flags &= ~VM_MAYEXEC; + } + flags_mask = LEGACY_MAP_MASK; if (file->f_op->fop_flags & FOP_MMAP_SYNC) flags_mask |= MAP_SYNC; From patchwork Fri Dec 6 01:09:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Isaac Manjarres X-Patchwork-Id: 13896200 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id D27F8E77171 for ; Fri, 6 Dec 2024 01:09:47 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 5DD996B0092; Thu, 5 Dec 2024 20:09:47 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 566D16B0145; Thu, 5 Dec 2024 20:09:47 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 3B9EF6B00FC; Thu, 5 Dec 2024 20:09:47 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id 1B33B6B0145 for ; Thu, 5 Dec 2024 20:09:47 -0500 (EST) Received: from smtpin03.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id B802F14196D for ; Fri, 6 Dec 2024 01:09:46 +0000 (UTC) X-FDA: 82862751258.03.6F0FF49 Received: from mail-pf1-f202.google.com (mail-pf1-f202.google.com [209.85.210.202]) by imf30.hostedemail.com (Postfix) with ESMTP id E430180004 for ; Fri, 6 Dec 2024 01:09:13 +0000 (UTC) Authentication-Results: 
imf30.hostedemail.com; dkim=pass header.d=google.com header.s=20230601; dmarc=pass (policy=reject) header.from=google.com
Date: Thu, 5 Dec 2024 17:09:23 -0800
In-Reply-To: <20241206010930.3871336-1-isaacmanjarres@google.com>
Mime-Version: 1.0 References: <20241206010930.3871336-1-isaacmanjarres@google.com> X-Mailer: git-send-email 2.47.0.338.g60cca15819-goog Message-ID: <20241206010930.3871336-3-isaacmanjarres@google.com> Subject: [RFC PATCH v1 2/2] selftests/memfd: Add tests for F_SEAL_FUTURE_EXEC From: "Isaac J. Manjarres" To: Andrew Morton , Jeff Layton , Chuck Lever , Alexander Aring , "Liam R. Howlett" , Lorenzo Stoakes , Vlastimil Babka , Jann Horn , Shuah Khan Cc: "Isaac J. Manjarres" , kernel-team@android.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, Suren Baghdasaryan , Kalesh Singh , John Stultz X-Rspamd-Queue-Id: E430180004 X-Rspam-User: X-Rspamd-Server: rspam07 X-Stat-Signature: 4acmmrg59gkepzsz737bt16zqtz5k1wb X-HE-Tag: 1733447353-742528 X-HE-Meta: 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 kZPuPUXU 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 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Add tests to ensure that F_SEAL_FUTURE_EXEC behaves as expected. Cc: Suren Baghdasaryan Cc: Kalesh Singh Cc: John Stultz Signed-off-by: Isaac J. Manjarres --- tools/testing/selftests/memfd/memfd_test.c | 79 ++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index 46027c889e74..12c82af406b3 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -30,6 +30,7 @@ #define STACK_SIZE 65536 #define F_SEAL_EXEC 0x0020 +#define F_SEAL_FUTURE_EXEC 0x0040 #define F_WX_SEALS (F_SEAL_SHRINK | \ F_SEAL_GROW | \ 
@@ -317,6 +318,37 @@ static void *mfd_assert_mmap_private(int fd) return p; } +static void *mfd_fail_mmap_exec(int fd) +{ + void *p; + + p = mmap(NULL, + mfd_def_size, + PROT_EXEC, + MAP_SHARED, + fd, + 0); + if (p != MAP_FAILED) { + printf("mmap() didn't fail as expected\n"); + abort(); + } + + return p; +} + +static void mfd_fail_mprotect_exec(void *p) +{ + int ret; + + ret = mprotect(p, + mfd_def_size, + PROT_EXEC); + if (!ret) { + printf("mprotect didn't fail as expected\n"); + abort(); + } +} + static int mfd_assert_open(int fd, int flags, mode_t mode) { char buf[512]; @@ -997,6 +1029,52 @@ static void test_seal_future_write(void) close(fd); } +/* + * Test SEAL_FUTURE_EXEC_MAPPING + * Test whether SEAL_FUTURE_EXEC_MAPPING actually prevents executable mappings. + */ +static void test_seal_future_exec_mapping(void) +{ + int fd; + void *p; + + + printf("%s SEAL-FUTURE-EXEC-MAPPING\n", memfd_str); + + fd = mfd_assert_new("kern_memfd_seal_future_exec_mapping", + mfd_def_size, + MFD_CLOEXEC | MFD_ALLOW_SEALING); + + /* + * PROT_READ | PROT_WRITE mappings create VMAs with VM_MAYEXEC set. + * However, F_SEAL_FUTURE_EXEC applies to subsequent mappings, + * so it should still succeed even if this mapping is active when the + * seal is applied. + */ + p = mfd_assert_mmap_shared(fd); + + mfd_assert_has_seals(fd, 0); + + mfd_assert_add_seals(fd, F_SEAL_FUTURE_EXEC); + mfd_assert_has_seals(fd, F_SEAL_FUTURE_EXEC); + + mfd_fail_mmap_exec(fd); + + munmap(p, mfd_def_size); + + /* Ensure that new mappings without PROT_EXEC work. */ + p = mfd_assert_mmap_shared(fd); + + /* + * Ensure that mappings created after the seal was applied cannot be + * made executable via mprotect(). + */ + mfd_fail_mprotect_exec(p); + + munmap(p, mfd_def_size); + close(fd); +} + static void test_seal_write_map_read_shared(void) { int fd; 
@@ -1633,6 +1711,7 @@ int main(int argc, char **argv) test_seal_shrink(); test_seal_grow(); test_seal_resize(); + test_seal_future_exec_mapping(); test_sysctl_simple(); test_sysctl_nested();
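
Review bot: is_exec_sealed() in the include/linux/mm.h hunk of patch 1/2 tests F_SEAL_FUTURE_EXEC only, yet its name reads as if it covered F_SEAL_EXEC, which include/uapi/linux/fcntl.h documents as "prevent chmod modifying exec bits". Consider naming it is_future_exec_sealed(), or giving it a kernel-doc comment like the one on is_readonly_sealed() just below it, so callers do not take it for an F_SEAL_EXEC check.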
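
Review bot: the do_mmap() check in the mm/mmap.c hunk of patch 1/2 clears VM_MAYEXEC only on mappings created after the seal, so a mapping that already existed when F_SEAL_FUTURE_EXEC was added keeps VM_MAYEXEC and, as the commit message itself notes for the writable mapping, can still be changed to executable with mprotect(). If that is the intended contract, state it in the comment in this hunk and in the F_SEAL_FUTURE_EXEC comment in fcntl.h, since "prevent future executable mappings" does not tell a user that pre-seal mappings are exempt. The check also does not look at the mapping type, so it rejects PROT_EXEC for private mappings as well as shared ones; say whether that is intended.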
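
Review bot: test_seal_future_exec_mapping() in patch 2/2 never exercises the mapping created before the seal, which is the case its own comment above the first mfd_assert_mmap_shared() call singles out; add an assertion for what mprotect(p, mfd_def_size, PROT_EXEC) does on that first mapping before the munmap(), so the behaviour for pre-seal mappings is pinned down. mfd_fail_mmap_exec() only tries MAP_SHARED and does not check that errno is EACCES, and its return value (always MAP_FAILED) is unused by the caller, so it could return void. The test comment and printf say SEAL_FUTURE_EXEC_MAPPING while the flag is named F_SEAL_FUTURE_EXEC.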