| Message ID | 20250224174513.3600914-1-jeffxu@google.com (mailing list archive) |
|---|---|
| Headers | show
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
by smtp.lore.kernel.org (Postfix) with ESMTP id 4E348C021A4
for <linux-mm@archiver.kernel.org>; Mon, 24 Feb 2025 17:45:19 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
id BAF5628000C; Mon, 24 Feb 2025 12:45:18 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
id B379228000A; Mon, 24 Feb 2025 12:45:18 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
id 9B03528000C; Mon, 24 Feb 2025 12:45:18 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com
[216.40.44.12])
by kanga.kvack.org (Postfix) with ESMTP id 77A6C28000A
for <linux-mm@kvack.org>; Mon, 24 Feb 2025 12:45:18 -0500 (EST)
Received: from smtpin05.hostedemail.com (a10.router.float.18 [10.200.18.1])
by unirelay09.hostedemail.com (Postfix) with ESMTP id 2010B81AE2
for <linux-mm@kvack.org>; Mon, 24 Feb 2025 17:45:18 +0000 (UTC)
X-FDA: 83155564716.05.3FB02FF
Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com
[209.85.214.177])
by imf29.hostedemail.com (Postfix) with ESMTP id 3A8EA12001D
for <linux-mm@kvack.org>; Mon, 24 Feb 2025 17:45:15 +0000 (UTC)
Authentication-Results: imf29.hostedemail.com;
dkim=pass header.d=chromium.org header.s=google header.b="Fif/JW3b";
spf=pass (imf29.hostedemail.com: domain of jeffxu@chromium.org designates
209.85.214.177 as permitted sender) smtp.mailfrom=jeffxu@chromium.org;
dmarc=pass (policy=none) header.from=chromium.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=hostedemail.com;
s=arc-20220608; t=1740419116;
h=from:from:sender:reply-to:subject:subject:date:date:
message-id:message-id:to:to:cc:cc:mime-version:mime-version:
content-type:content-transfer-encoding:content-transfer-encoding:
in-reply-to:references:dkim-signature;
bh=RcuzKtFPPtst6WZXsPXBZwCkXSRuweXNYzPclr2Anaw=;
b=siFE1AiipgZtJsF5ETH4BUj6LmP6zAVPYwCUPvKnxIn2BtPqP0nWFx+YAdLaWF6GWa/RFG
aKuliYJq3GVtZqS8TFCVrXvYRupIDgXIbvuSrWankjvHky5H5axlVkao6ZWMK3p7Jpf2xm
PRFpxjJc7F9AANNwJYrvCFhFPRgnjyU=
ARC-Authentication-Results: i=1;
imf29.hostedemail.com;
dkim=pass header.d=chromium.org header.s=google header.b="Fif/JW3b";
spf=pass (imf29.hostedemail.com: domain of jeffxu@chromium.org designates
209.85.214.177 as permitted sender) smtp.mailfrom=jeffxu@chromium.org;
dmarc=pass (policy=none) header.from=chromium.org
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1740419116; a=rsa-sha256;
cv=none;
b=ssYNNEUtUEfW5SSi97ql0O7/N0J4UIZIExEo76qx1PkoAS6Jj/Lg3r0tFfSxzHIaXSftA2
sXVwxffVPpxvpCZoYcAE/9ZIAchoVGniLYQ+knonliRc46RwQC3e6uhBLHveg4k3bMAflg
XKh1I4ThKjHHNsTuhtjkvsyKSqzkITw=
Received: by mail-pl1-f177.google.com with SMTP id
d9443c01a7336-220c895af63so12040585ad.0
for <linux-mm@kvack.org>; Mon, 24 Feb 2025 09:45:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=chromium.org; s=google; t=1740419115; x=1741023915; darn=kvack.org;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=RcuzKtFPPtst6WZXsPXBZwCkXSRuweXNYzPclr2Anaw=;
b=Fif/JW3bquds6j9OkE9P1ANE5E6JmWwzoqT8fk+Y6BMu7bB4YXKdye4tuYDf3D8xwW
mTEytFJGWTEbDp7h4+cpA/v7Gkwg4F5HLquD/E2q9HQ1i0shQOcZeG9U3nEXTg2+TyPL
OC6L1eXnkzCNtJ7Z7JrDztWk6wESeaKFyK7BE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1740419115; x=1741023915;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=RcuzKtFPPtst6WZXsPXBZwCkXSRuweXNYzPclr2Anaw=;
b=sqrwgPlCM+78qTXq0blyCxm1eoc3fci7pfqDGB261P2MojC0c2J7QYiCrIN2T4rBnk
BXcPQzyAMvlxlSoL2nyuHm9BSv61OzIhkEuGKs3PGZ3ybs5x+IAW7e617dkJR6Zym8Vr
30Hcm6pjpXF3lN7AoVGwhB2MVPDyS/OqwmDSwicgxZcjOuBeQYc3mT8B228vKzS8OTYW
Kasa4OgW/cF/t2y8F2XiKjuM+BtiNskjBCBp5C4MdyxtGlmR9QYe7U2vOnt4JjmwjZKQ
UzG7b/2R4nH3Ne17l78HRmVvdAjaO0R7VOevPdmHUXo0pz7qPYRF/CuV8l25lovjczLN
m/Pg==
X-Forwarded-Encrypted: i=1;
AJvYcCWAm/2/UWfSCR3/m3zS82wcBMjYzhgostSB2PJ9lQGhYLuQpg0alT54eeX8hHkZl8tGmIfkVf+FUg==@kvack.org
X-Gm-Message-State: AOJu0Yx9LSCzuRSIq4qLKJ/vNh82aZAYU7xF7Kt80dmX8ZZb42Pi9NzQ
hQjiwlbYcFziSHksuENR+m2AK1ZE2o2uWUoEKVIOHjlKm3OMZfCFsbqhPeUqjg==
X-Gm-Gg: ASbGncti4o7qR9tIFUYTzsSG2yIEye0Kd4HD+v3OTDg6xNrhIQc5QK+0o0DxeNlur8y
ABVhVQYC9vn/6RnyalolXBRm+srNIJVVlE+9j86pzW+ssJBoq5l00qUQBWkoN/HZGxrFGDx+l8D
aYp0P5gm1ptD1eOeYrE0oJPEkTziUzlj81HIWMaSx5TaM6eNoLO5qf5Rnm4+//lguYzBeL0hCmM
XigA2FEDN9oGwyPnmbKTpiP9KafT1Ic2nz7bde6EgjtoatyTgp1tIfYyDRILE3SxHtqp3Q6cwF5
mR2v1gH6p60E4R8L1lVPUbEB8zDtOYp8YiXzedYQh1TBDp2kdawYzQBdNnuH
X-Google-Smtp-Source:
AGHT+IFSLRh6SHQWvPSx2gIUkQXGWRiXe2mxqOjv3oqPRMC739LlRyLpyZpC4QGjTaVVt5mEnutt1A==
X-Received: by 2002:a05:6a00:987:b0:730:8526:5dbc with SMTP id
d2e1a72fcca58-73426d77d7bmr9320754b3a.3.1740419114668;
Mon, 24 Feb 2025 09:45:14 -0800 (PST)
Received: from localhost (201.59.83.34.bc.googleusercontent.com.
[34.83.59.201])
by smtp.gmail.com with UTF8SMTPSA id
d2e1a72fcca58-732771a01bbsm15361992b3a.78.2025.02.24.09.45.13
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Mon, 24 Feb 2025 09:45:14 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
keescook@chromium.org,
jannh@google.com,
torvalds@linux-foundation.org,
vbabka@suse.cz,
lorenzo.stoakes@oracle.com,
Liam.Howlett@Oracle.com,
adhemerval.zanella@linaro.org,
oleg@redhat.com,
avagin@gmail.com,
benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org,
linux-mm@kvack.org,
jorgelo@chromium.org,
sroettger@google.com,
hch@lst.de,
ojeda@kernel.org,
thomas.weissschuh@linutronix.de,
adobriyan@gmail.com,
johannes@sipsolutions.net,
pedro.falcato@gmail.com,
hca@linux.ibm.com,
willy@infradead.org,
anna-maria@linutronix.de,
mark.rutland@arm.com,
linus.walleij@linaro.org,
Jason@zx2c4.com,
deller@gmx.de,
rdunlap@infradead.org,
davem@davemloft.net,
peterx@redhat.com,
f.fainelli@gmail.com,
gerg@kernel.org,
dave.hansen@linux.intel.com,
mingo@kernel.org,
ardb@kernel.org,
mhocko@suse.com,
42.hyeyoo@gmail.com,
peterz@infradead.org,
ardb@google.com,
enh@google.com,
rientjes@google.com,
groeck@chromium.org,
mpe@ellerman.id.au,
aleksandr.mikhalitsyn@canonical.com,
mike.rapoport@gmail.com,
Jeff Xu <jeffxu@chromium.org>
Subject: [PATCH v6 0/7] mseal system mappings
Date: Mon, 24 Feb 2025 17:45:06 +0000
Message-ID: <20250224174513.3600914-1-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Rspam-User:
X-Rspamd-Server: rspam09
X-Rspamd-Queue-Id: 3A8EA12001D
X-Stat-Signature: shp6xfh144qgehrq4rjkfj4ngs9q7p5h
X-HE-Tag: 1740419115-789233
X-HE-Meta:
U2FsdGVkX1+WROXxiUY4tVE41BiaZuIsJEd/oipcWlyLgf/UxCI4zSG84Q1ZvjwhELjSrfsOWc6cvcf3hh0A/NyXc5K9YksGkHaONgsSB6AaafAjgOU09bLjsy6kMRyFP0tDulc9ieyUtMlJ+/0QJfzRK3enPfJWeIaAnSrW7QZeLKGRfu+ApY5gheQ7zzbipVRyiu0/oeLy6fgP4nZvYD+BXRWqcIbetBOkWkBSbmZOM2nT1ota98gWYVTC8L1UBeeEhBqVb7PgLzC7p1uyyMedSJVEJ+J/vQRdgawJt34ZMxQbm69DZayBvgk+r0b4HoiSNvwj4NsIz5ZjIh0RLEVGNmtzdTGCBkIAL2LkhbfRUFCv3Ii229EmbiN34O345CD0TN/5S7xlbssAwmTJt30XVokgm64pd0EyX+21WMrZzTBfNaZxsp1GZgrbp3LY0Q9+rUKcnMv/fMywl7JiLwL/CoHxEuTpOAmlkjs/2aJWpmLE4Nk3r6Beo1LTxLh5RSIifElcvVp5y/LaJPwjf6SIere+y1SZVh00fw4WTd4xybQJqogSwDECEgxctauOWTnk6MEi0naL3ozpWfwA6qRWr3pvopLN3XW6zMaQTJywlW5q1KVMRumDsoFB/OcCYGhtrzcsJowHHZ3W5tA3WjjnQdC43tE4mSmE/kQizjMwb2/n81o2yoZfTzDX6ZkX/8axlPnO//BVS/D+T5toBJF/cdMP1T0d1tBsgJ6TW9+56cdj1cvEiTrPCVb4sGLq0wov0Gi0Cc7u++D5zcBYwDCFCbw+PvHe+nidjzEygpGgmpm4KmyRcX2XAXkI+1lafTBbraNh97AYpRfyxB08kGKA4sTMrKATQ9y0ZELnWwmQYY5qquBpRn7Gpp//0/VSEelynrYpz+6GaSyqiWTcZac/1qzqzwFXfLcIOVkvq9sDLKXIJO+7qHlGGKEI8hPFyCiWfcQuIbL+Jf0xle+
6L/Db1vC
yR+69PHVrzKoKuu/RfX/yNV24IBt8di5MBVwNx3LPY6ZWjhCm3LyCkEtc+YulW0lHcTXwUamaWPJYh9qcxPhgTfxrXxCpbhd1w6jSwLC78UhbtF5284ZXjPlqtlaDNZfcBDSRYjdrCmWkgvhkb7KrBa/Muj/HrRkMum57litq6LwACseZ66hC0qSHeGqc168zqMM+ElvwWdoqHeRjlnYu/X+xlXeCmlpujHLln8yrHVbI+TU7Pq7b3Oz+rYwdFlj5D5D3P3U2txTb85skc/pwvJi0DTkYvmfZg6zzwtSZ1MXrUQ1nJ+kB68lY73E6hr1/g2qE26Yky6MkeFibQQ7XQdbp0ie3sgiPvjlcr+iFOcvu2st8T55Y2Lz7uUNYJwmtCF8ZMJvdnJLyK2n700KOX+a83Q==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>
|
| Series |
mseal system mappings
|
expand
|
From: Jeff Xu <jeffxu@chromium.org> This is V6 version, addressing comments from V5, without code logic change. History: ------- V6: - mseal.rst: fix a typo (Randy Dunlap) - security/Kconfig: add rr into note (Liam R. Howlett) - remove mseal_system_mappings() and use macro instead (Liam R. Howlett) - mseal.rst: add incompatible userland software (Lorenzo Stoakes) - remove RFC from title (Kees Cook) V5 https://lore.kernel.org/all/20250212032155.1276806-1-jeffxu@google.com/ V4: https://lore.kernel.org/all/20241125202021.3684919-1-jeffxu@google.com/ V3: https://lore.kernel.org/all/20241113191602.3541870-1-jeffxu@google.com/ V2: https://lore.kernel.org/all/20241014215022.68530-1-jeffxu@google.com/ V1: https://lore.kernel.org/all/20241004163155.3493183-1-jeffxu@google.com/ ------------------------------------------------------------------------ Provide infrastructure to mseal system mappings. Establish two kernel configs (CONFIG_MSEAL_SYSTEM_MAPPINGS, ARCH_HAS_MSEAL_SYSTEM_MAPPINGS) and MSEAL_SYSTEM_MAPPINGS_VM_FLAG macro for future patches. As discussed during mseal() upstream process [1], mseal() protects the VMAs of a given virtual memory range against modifications, such as the read/write (RW) and no-execute (NX) bits. For complete descriptions of memory sealing, please see mseal.rst [2]. The mseal() is useful to mitigate memory corruption issues where a corrupted pointer is passed to a memory management system. For example, such an attacker primitive can break control-flow integrity guarantees since read-only memory that is supposed to be trusted can become writable or .text pages can get remapped. The system mappings are readonly only, memory sealing can protect them from ever changing to writable or unmmap/remapped as different attributes. System mappings such as vdso, vvar, and sigpage (arm), vectors (arm) are created by the kernel during program initialization, and could be sealed after creation. Unlike the aforementioned mappings, the uprobe mapping is not established during program startup. However, its lifetime is the same as the process's lifetime [3]. It could be sealed from creation. The vsyscall on x86-64 uses a special address (0xffffffffff600000), which is outside the mm managed range. This means mprotect, munmap, and mremap won't work on the vsyscall. Since sealing doesn't enhance the vsyscall's security, it is skipped in this patch. If we ever seal the vsyscall, it is probably only for decorative purpose, i.e. showing the 'sl' flag in the /proc/pid/smaps. For this patch, it is ignored. It is important to note that the CHECKPOINT_RESTORE feature (CRIU) may alter the system mappings during restore operations. UML(User Mode Linux) and gVisor, rr are also known to change the vdso/vvar mappings. Consequently, this feature cannot be universally enabled across all systems. As such, CONFIG_MSEAL_SYSTEM_MAPPINGS is disabled by default. To support mseal of system mappings, architectures must define CONFIG_ARCH_HAS_MSEAL_SYSTEM_MAPPINGS and update their special mappings calls to pass mseal flag. Additionally, architectures must confirm they do not unmap/remap system mappings during the process lifetime. In this version, we've improved the handling of system mapping sealing from previous versions, instead of modifying the _install_special_mapping function itself, which would affect all architectures, we now call _install_special_mapping with a sealing flag only within the specific architecture that requires it. This targeted approach offers two key advantages: 1) It limits the code change's impact to the necessary architectures, and 2) It aligns with the software architecture by keeping the core memory management within the mm layer, while delegating the decision of sealing system mappings to the individual architecture, which is particularly relevant since 32-bit architectures never require sealing. Prior to this patch series, we explored sealing special mappings from userspace using glibc's dynamic linker. This approach revealed several issues: - The PT_LOAD header may report an incorrect length for vdso, (smaller than its actual size). The dynamic linker, which relies on PT_LOAD information to determine mapping size, would then split and partially seal the vdso mapping. Since each architecture has its own vdso/vvar code, fixing this in the kernel would require going through each archiecture. Our initial goal was to enable sealing readonly mappings, e.g. .text, across all architectures, sealing vdso from kernel since creation appears to be simpler than sealing vdso at glibc. - The [vvar] mapping header only contains address information, not length information. Similar issues might exist for other special mappings. - Mappings like uprobe are not covered by the dynamic linker, and there is no effective solution for them. This feature's security enhancements will benefit ChromeOS, Android, and other high security systems. Testing: This feature was tested on ChromeOS and Android for both x86-64 and ARM64. - Enable sealing and verify vdso/vvar, sigpage, vector are sealed properly, i.e. "sl" shown in the smaps for those mappings, and mremap is blocked. - Passing various automation tests (e.g. pre-checkin) on ChromeOS and Android to ensure the sealing doesn't affect the functionality of Chromebook and Android phone. I also tested the feature on Ubuntu on x86-64: - With config disabled, vdso/vvar is not sealed, - with config enabled, vdso/vvar is sealed, and booting up Ubuntu is OK, normal operations such as browsing the web, open/edit doc are OK. In addition, Benjamin Berg tested this on UML. Link: https://lore.kernel.org/all/20240415163527.626541-1-jeffxu@chromium.org/ [1] Link: Documentation/userspace-api/mseal.rst [2] Link: https://lore.kernel.org/all/CABi2SkU9BRUnqf70-nksuMCQ+yyiWjo3fM4XkRkL-NrCZxYAyg@mail.gmail.com/ [3] Jeff Xu (7): mseal, system mappings: kernel config and header change selftests: x86: test_mremap_vdso: skip if vdso is msealed mseal, system mappings: enable x86-64 mseal, system mappings: enable arm64 mseal, system mappings: enable uml architecture mseal, system mappings: uprobe mapping mseal, system mappings: update mseal.rst Documentation/userspace-api/mseal.rst | 7 ++++ arch/arm64/Kconfig | 1 + arch/arm64/kernel/vdso.c | 22 +++++++---- arch/um/Kconfig | 1 + arch/x86/Kconfig | 1 + arch/x86/entry/vdso/vma.c | 16 +++++--- arch/x86/um/vdso/vma.c | 6 ++- include/linux/mm.h | 10 +++++ init/Kconfig | 18 +++++++++ kernel/events/uprobes.c | 5 ++- security/Kconfig | 18 +++++++++ .../testing/selftests/x86/test_mremap_vdso.c | 38 +++++++++++++++++++ 12 files changed, 127 insertions(+), 16 deletions(-)