From patchwork Fri Dec 27 01:51:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Isaac J. Manjarres" X-Patchwork-Id: 13921503 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4DDFE77188 for ; Fri, 27 Dec 2024 01:52:13 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 131666B0083; Thu, 26 Dec 2024 20:52:13 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 0E0C46B0085; Thu, 26 Dec 2024 20:52:13 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id EE9E76B0088; Thu, 26 Dec 2024 20:52:12 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id D0B6B6B0083 for ; Thu, 26 Dec 2024 20:52:12 -0500 (EST) Received: from smtpin06.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id 70B1E812C0 for ; Fri, 27 Dec 2024 01:52:12 +0000 (UTC) X-FDA: 82939062024.06.24D391B Received: from mail-pj1-f73.google.com (mail-pj1-f73.google.com [209.85.216.73]) by imf18.hostedemail.com (Postfix) with ESMTP id 7164C1C0007 for ; Fri, 27 Dec 2024 01:51:51 +0000 (UTC) Authentication-Results: imf18.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=u5F0PepU; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf18.hostedemail.com: domain of 3SQhuZw4KCFQ4Ewwy8w95wDD0E2AA270.yA8749GJ-886Hwy6.AD2@flex--isaacmanjarres.bounces.google.com designates 209.85.216.73 as permitted sender) smtp.mailfrom=3SQhuZw4KCFQ4Ewwy8w95wDD0E2AA270.yA8749GJ-886Hwy6.AD2@flex--isaacmanjarres.bounces.google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1735264291; a=rsa-sha256; cv=none; b=glhowwAxXvuaVq/EF2VEteaVK3nSJPR4BgpvnWtUuOOv19ZQpgZKreSQTjy8VDjXBCwS6J YcqI4KZZi4kQcO9w2amgxPqWJTJggKS6KszYfwYqvLumH+crx6mkiR4EwBfUFZzKFnmmQO Q08CR55KKpBsyxkYireK0OHGPuDw25I= ARC-Authentication-Results: i=1; imf18.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=u5F0PepU; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf18.hostedemail.com: domain of 3SQhuZw4KCFQ4Ewwy8w95wDD0E2AA270.yA8749GJ-886Hwy6.AD2@flex--isaacmanjarres.bounces.google.com designates 209.85.216.73 as permitted sender) smtp.mailfrom=3SQhuZw4KCFQ4Ewwy8w95wDD0E2AA270.yA8749GJ-886Hwy6.AD2@flex--isaacmanjarres.bounces.google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1735264291; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding:in-reply-to: references:dkim-signature; bh=BF8+fyz9Apz0jWTN+ibPUE67TAfznRJEkUbbncSLIn0=; b=FkRWHwuDMK1Ppu4/UJyIBUEUdM06kFMeYR5caw1iYDZ6BWDCxm0SC7XDnRRSfN728DKYZD riDsi4WbrcWw36Cbyzbwj/0LP7Lr3QozTesdWZqiPC8EFqcfLh2bX1Oiz6eidWyPmLNiIk UxqcQVe1u03odqF8gN70UNmll/mzEz8= Received: by mail-pj1-f73.google.com with SMTP id 98e67ed59e1d1-2ee9f66cb12so8901597a91.1 for ; Thu, 26 Dec 2024 17:52:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1735264329; x=1735869129; darn=kvack.org; h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject :date:message-id:reply-to; bh=BF8+fyz9Apz0jWTN+ibPUE67TAfznRJEkUbbncSLIn0=; b=u5F0PepUxxAIbU4rIYbLWI2GSNovLEmEXr7zYaruH6/GPMUQtwbx7RuQcx5FkAWKYo Vg/ow9yfN1EfrrfN14hrYEzN9pjwOi69YahDMk6MtRH3wOIGz0Q4dAEjgzCMm9oxirly /SYAPq/21FjCojtqjuYpTk1uh8kN0F8wZehksZzsiV/BYYcYqNvaT0mLlkyGN/IHaJMo GUY1lHcEaoSbSQxiaCg/Mb+3jSWStVwbGJa9tu7ByxBDgvy1enFaGIiR81wlfeUfHcvU Qz4rK6baq0hHAxYl+maTBWTpXCEMx4sNysBYeGCqBSprmTrySZkJT/vxItLsoPCAoSt+ lBIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735264329; x=1735869129; h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=BF8+fyz9Apz0jWTN+ibPUE67TAfznRJEkUbbncSLIn0=; b=cQgi9wlF3pcHLy3S93aF+nY25b3BuZFFj1W9m/ibGxtUB0+Vrp/HNV8M1iZyY9Fzyh z2TVu2601FmZZNIU0RN4DarFLJleP+0CqOywr5APtUpoXrhiKBokfA+QvmRltePSumkR RFykywFrhtAYwePvwG/Fln/OVMlV83couKd/L45+EAKvhClwe3vjyAv7UKZfh844jUx2 b7/VG/P1JMqOeC/UEiiNiVEaCy9gPk6PD7F8qy3GhePwCWaFsN2TBmIICSu7cHFOWs2P Jqq2Ir/Bx0ajXhwUA/vdfmEsnKLqw2rEL4trRynSVkRT/0AGCosubJnwz+WjPMwdhf6u 54aA== X-Forwarded-Encrypted: i=1; AJvYcCXbK9P2uG4rZVbSFOkxA822zknXpl6KcdmQQbTepI0goh0rdO5g+cDW4TfzHpckKuUSQAi0neVw1w==@kvack.org X-Gm-Message-State: AOJu0YxeO/PG7dKazf/lpwpezTQ09Y7gXydYaGmOxYkKnqeHpVBUmltm zByFwi8IazGb7N7MTv6BoCn2A6ArEqHzzFh6LMtrKSzt/FgzhxsyvQ5QNldSiaqKnI7JYPyuIDl 9Te8L1A4RiUh/0QPcA1aoWeqcN2pjBK2P7A== X-Google-Smtp-Source: AGHT+IGuX+zCZe9XINQ2OHBvFsAHYmtq8kFvhZSqusND653YtJ/1Ql8aLRlwnglyZbf88PFhlsVSjKKaqK3wMSlvU8sKiA== X-Received: from pjbtb7.prod.google.com ([2002:a17:90b:53c7:b0:2ea:4139:e72d]) (user=isaacmanjarres job=prod-delivery.src-stubby-dispatcher) by 2002:a17:90b:524b:b0:2ee:d797:408b with SMTP id 98e67ed59e1d1-2f452dfcd74mr35605744a91.2.1735264329304; Thu, 26 Dec 2024 17:52:09 -0800 (PST) Date: Thu, 26 Dec 2024 17:51:58 -0800 Mime-Version: 1.0 X-Mailer: git-send-email 2.47.1.613.gc27f4b7a9f-goog Message-ID: <20241227015205.1375680-1-isaacmanjarres@google.com> Subject: [RFC PATCH v2 0/2] Add file seal to prevent future exec mappings From: "Isaac J. Manjarres" To: Jeff Layton , Chuck Lever , Alexander Aring , Andrew Morton , Shuah Khan Cc: surenb@google.com, kaleshsingh@google.com, jstultz@google.com, aliceryhl@google.com, jeffxu@google.com, kees@kernel.org, "Isaac J. Manjarres" , kernel-team@android.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 7164C1C0007 X-Stat-Signature: nntegh3qajxhtzyqd1y6qmt8zaxktjo9 X-Rspam-User: X-HE-Tag: 1735264311-944546 X-HE-Meta: U2FsdGVkX1/Y65G/3L0JgXa110HVLfDHa+wUFIQO/s8QFvoRr9OTXlVEIY3C15OgIlVBkbUeB+HVxt4wnRealUW94D+tor30SY04x+s/zXB1vcP2hTU8kP7MVuANft+D1SuQ2cB188SJPipulfbJ+UYr2lPLSTE33+miVli9Pp70zZVQAKJaUSqNl8x/BRFvdkvCXevkK0US0RrgAkl7TKUC+kD5Ua5S33UNPzKglytfxjKKPtB0AwYzk+UxGXPb+XEQi7xbzqKwY85bstlLya2P5xmTR8PLXBJ3QywqF1Kl4Of1Ej+jmLHIG54HDrNX7FcmihuQ/+LRBUJul8FDeQo7mzJ1bIkKh1AnIoLx4YhFsdHfDEQT7BXh0RXbMZbxv4+p6pio7KwD3IwD5FuqTTqzWQGCrH90ah/k1FKw4j+dOaZOpNHU+5ads/MSoh4HAzdpKkux6e8fWDqqnT4sWPMiYPyQgYA37lgX1t0D77Gmdnz6JqLszanAWNhOGDKo2p12cEvRTnUlUpgr2K+McaQDzJ8tK4P/4SoGfAaIdVAMVEsYpCgmZDxTDn985BO7GR5wYVoI9NmOCfC+xXbkxObQSCmnYkftwHlBBriZCBmUNz+d3PH3z61aqIkjOrBfDqe/L78HrKALCILP8Ms/fNLFlW2BmSIRfXg7fckGsoIj4d+oASssZur3tAK/SQSWZTupWCwrWrmbXmRRxWkHWTzsgmJODxWSin0xtRrj+n6b8SCxbG7JUvgRVYeUrJVn17b2neWREpDLqWt68B2GF0ETqHk+Y08RDVGl+A4mPDpWh+1+xyDGwx1GAIZbyN/QpRoiUEwLcDT9Xxzmd4jHfkh2Xg7NwrjyBYj5j7vAKWKs4qOstwzia/5+Lw55plnXJPyVeToC2lEH0Rv+VcmmYD+kZdYwuCkbrDJi7E3dAjuEewxmy4HLiLj8QJ+Rj5wGgZyHpsNoIXAaL/5rSQB xM7UA+II wFnR+7Hi/e8YRnmqSPlda1jP6e9NtCIpQqBbJWgnNZN5e7s9dFgKHylH2gaeIjiffYUukb0KXnFbFo1P0mRDxSQFLwvT2VEYQvqezQO2FOxb2DRctxqFfhfQeci2tBIyAQ9X0SiN4uJwHCw5Bfyr7a+gmSnAzRaMcBy7RnPCNxUSA2kxRmQPSOLQ/khQ4klsiTyilTqDjyBkEPm12fGJKVE6iw71sqpdMlEQNSuSKQsm+WvwSicjbjmj0s6q1RSNSFfoypCqv49EWSE1hD7JSsF0kPooGeOFGLvng7dPVCAfycySYpB4usel5pN0zZaxLL6BLrdNaCG3eIL8LM3yYvOTQ8w2wKPHJLWAZ1u89iNNFQhdN+WS3wuJbSCqtq6xRbQzzk7yzID4bk9xClCrhEev+MIm0Mf5HCb4bohM0s43FUdlLvyIP8ApTg8x/VhsY6DELlqBoZLzRnlTS2gIO6fH+hJ7yzl+bqCZ+Rdid+HmKIFizgFgkIHDuJ0AhMd2GjyDTJJTpQAO8I6beodlsx95TKmaW0fOWHJWmWwxJNHPRw3bLKztJOFyvOmbg4qR0bFNzgXxpN6kduFSxdQ51vPHYEx8Zxf0A4Z8G64YF92IXrdg6efpO9RBfOgQfi7EXZA7SqcYwopX95Gz/rBNvanFbzFF96DmUjnB1dICowBqEQvgXW+tOGiGaDNyiy4OWN5kn2bfhK4yf4WPZVgP6Dnyr1KSVEb4rjKxtr89602yyuVeB93ivyUeLGQ== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000235, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Android uses the ashmem driver [1] for creating shared memory regions between processes. The ashmem driver exposes an ioctl command for processes to restrict the permissions an ashmem buffer can be mapped with. Buffers are created with the ability to be mapped as readable, writable, and executable. Processes remove the ability to map some ashmem buffers as executable to ensure that those buffers cannot be used to inject malicious code for another process to run. Other buffers retain their ability to be mapped as executable, as these buffers can be used for just-in-time (JIT) compilation. So there is a need to be able to remove the ability to map a buffer as executable on a per-buffer basis. Android is currently trying to migrate towards replacing its ashmem driver usage with memfd. Part of the transition involved introducing a library that serves to abstract away how shared memory regions are allocated (i.e. ashmem vs memfd). This allows clients to use a single interface for restricting how a buffer can be mapped without having to worry about how it is handled for ashmem (through the ioctl command mentioned earlier) or memfd (through file seals). While memfd has support for preventing buffers from being mapped as writable beyond a certain point in time (thanks to F_SEAL_FUTURE_WRITE), it does not have a similar interface to prevent buffers from being mapped as executable beyond a certain point. However, that could be implemented as a file seal (F_SEAL_FUTURE_EXEC) which works similarly to F_SEAL_FUTURE_WRITE. F_SEAL_FUTURE_WRITE was chosen as a template for how this new seal should behave, instead of F_SEAL_WRITE, for the following reasons: 1. Having the new seal behave like F_SEAL_FUTURE_WRITE matches the behavior that was present with ashmem. This aids in seamlessly transitioning clients away from ashmem to memfd. 2. Making the new seal behave like F_SEAL_WRITE would mean that no mappings that could become executable in the future (i.e. via mprotect()) can exist when the seal is applied. However, there are known cases (e.g. CursorWindow [2]) where restrictions are applied on how a buffer can be mapped after a mapping has already been made. That mapping may have VM_MAYEXEC set, which would not allow the seal to be applied successfully. Therefore, the F_SEAL_FUTURE_EXEC seal was designed to have the same semantics as F_SEAL_FUTURE_WRITE. Note: this series depends on Lorenzo's work [3], [4], [5] from Andrew Morton's mm-unstable branch [6], which reworks memfd's file seal checks, allowing for newer file seals to be implemented in a cleaner fashion. Changes from v1 ==> v2: - Changed the return code to be -EPERM instead of -EACCES when attempting to map an exec sealed file with PROT_EXEC to align to mmap()'s man page. Thank you Kalesh Singh for spotting this! - Rebased on top of Lorenzo's work to cleanup memfd file seal checks in mmap() ([3], [4], and [5]). Thank you for this Lorenzo! - Changed to deny PROT_EXEC mappings only if the mapping is shared, instead of for both shared and private mappings, after discussing this with Lorenzo. Opens: - Lorenzo brought up that this patch may negatively impact the usage of MFD_NOEXEC_SCOPE_NOEXEC_ENFORCED [7]. However, it is not clear to me why that is the case. At the moment, my intent is for the executable permissions of the file to be disjoint from the ability to create executable mappings. Links: [1] https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/drivers/staging/android/ashmem.c [2] https://developer.android.com/reference/android/database/CursorWindow [3] https://lore.kernel.org/all/cover.1732804776.git.lorenzo.stoakes@oracle.com/ [4] https://lkml.kernel.org/r/20241206212846.210835-1-lorenzo.stoakes@oracle.com [5] https://lkml.kernel.org/r/7dee6c5d-480b-4c24-b98e-6fa47dbd8a23@lucifer.local [6] https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/tree/?h=mm-unstable [7] https://lore.kernel.org/all/3a53b154-1e46-45fb-a559-65afa7a8a788@lucifer.local/ Links to previous versions: v1: https://lore.kernel.org/all/20241206010930.3871336-1-isaacmanjarres@google.com/ Isaac J. Manjarres (2): mm/memfd: Add support for F_SEAL_FUTURE_EXEC to memfd selftests/memfd: Add tests for F_SEAL_FUTURE_EXEC include/uapi/linux/fcntl.h | 1 + mm/memfd.c | 39 ++++++++++- tools/testing/selftests/memfd/memfd_test.c | 79 ++++++++++++++++++++++ 3 files changed, 118 insertions(+), 1 deletion(-)