From patchwork Fri Apr 1 22:08:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Verkamp X-Patchwork-Id: 12798819 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 897DFC433F5 for ; Fri, 1 Apr 2022 22:08:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353219AbiDAWKn (ORCPT ); Fri, 1 Apr 2022 18:10:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47962 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353230AbiDAWKm (ORCPT ); Fri, 1 Apr 2022 18:10:42 -0400 Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F408F33346 for ; Fri, 1 Apr 2022 15:08:50 -0700 (PDT) Received: by mail-pf1-x42d.google.com with SMTP id z16so3850789pfh.3 for ; Fri, 01 Apr 2022 15:08:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=+DU/KAvneVMZvyUwbOBCXJHatvzCCAIN7Ytl6QwY8EU=; b=cqZTfaay5ukidSBjk5VJHj3uRfyXZLHu+6BwWg5igbNAypA7YFLzCM7eBGIELFcM41 TMpSn72s+uFhNhHvOAB5qYJ+5aFs9q6EzNHjfSH4UmWO2384Lw5KgI0KRaaf7mMmoWgG 0XsVQsuI9rNDYkg9VT4YJ+gREdqlf4ss9Jdkk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=+DU/KAvneVMZvyUwbOBCXJHatvzCCAIN7Ytl6QwY8EU=; b=yBsc2/IR03Dc7fl4Zbr9h4JLi4sTN/4QE2oBpg+GmPjZJaBrGx4FUVqufGiL9QpuB1 u98dcFsUD5IoeD6rHzhU8L0xUzXSfv/wUSwlOSTHOBqCsCOnO9bueFz73N6DKVb9BPvJ BHDkzl4Q70bpkO/8TLUppsRDw6fzrZUTiw93Ed6kk0k98v7zqB+4s2BlA++LPq3np95v QCdEwL9mFX0+QREMghh6DfU/H9VFiW8MvuETVk5mJcwRwVrxDZE02mBsJBwgzHbyCkCw /pBBwUpooQrWabMfl0yRlN50Upc/RbrPcCfNXLkmTY0a5lJxAr3grPHT15HuzZyYxLv7 FQkg== X-Gm-Message-State: AOAM531SNYS2VCHngkSCpjuX2FvjVwybJy8Wxm7Yqm19jXaxOygyN/7I YxwRzzZMqoLmEp7H0Ps7x+n9+Q== X-Google-Smtp-Source: ABdhPJy2sy1C7CXcCxIY6R92ffiHpAxC/4GSwsnETPbbVJrLVIPp8s0futQO1QalpgQMGerY3kwZOw== X-Received: by 2002:a05:6a00:1702:b0:4fd:aae0:84a1 with SMTP id h2-20020a056a00170200b004fdaae084a1mr12964808pfc.12.1648850930427; Fri, 01 Apr 2022 15:08:50 -0700 (PDT) Received: from localhost ([2620:15c:202:201:72c9:527e:d936:c24b]) by smtp.gmail.com with UTF8SMTPSA id y3-20020a056a00190300b004fa2411bb92sm4331229pfi.93.2022.04.01.15.08.49 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Apr 2022 15:08:50 -0700 (PDT) From: Daniel Verkamp To: linux-mm@kvack.org Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Andrew Morton , Hugh Dickins , Mattias Nissler , Dmitry Torokhov , Kees Cook , Daniel Verkamp Subject: [PATCH 1/4] mm/memfd: add F_SEAL_EXEC Date: Fri, 1 Apr 2022 15:08:31 -0700 Message-Id: <20220401220834.307660-2-dverkamp@chromium.org> X-Mailer: git-send-email 2.35.1.1094.g7c7d902a7c-goog In-Reply-To: <20220401220834.307660-1-dverkamp@chromium.org> References: <20220401220834.307660-1-dverkamp@chromium.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org The new F_SEAL_EXEC flag will prevent modification of the exec bits: written as traditional octal mask, 0111, or as named flags, S_IXUSR | S_IXGRP | S_IXOTH. Any chmod(2) or similar call that attempts to modify any of these bits after the seal is applied will fail with errno EPERM. This will preserve the execute bits as they are at the time of sealing, so the memfd will become either permanently executable or permanently un-executable. Signed-off-by: Daniel Verkamp --- include/uapi/linux/fcntl.h | 1 + mm/memfd.c | 2 ++ mm/shmem.c | 6 ++++++ 3 files changed, 9 insertions(+) diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h index 2f86b2ad6d7e..a472ba69596c 100644 --- a/include/uapi/linux/fcntl.h +++ b/include/uapi/linux/fcntl.h @@ -43,6 +43,7 @@ #define F_SEAL_GROW 0x0004 /* prevent file from growing */ #define F_SEAL_WRITE 0x0008 /* prevent writes */ #define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */ +#define F_SEAL_EXEC 0x0020 /* prevent chmod modifying exec bits */ /* (1U << 31) is reserved for signed error codes */ /* diff --git a/mm/memfd.c b/mm/memfd.c index 08f5f8304746..4ebeab94aa74 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -147,6 +147,7 @@ static unsigned int *memfd_file_seals_ptr(struct file *file) } #define F_ALL_SEALS (F_SEAL_SEAL | \ + F_SEAL_EXEC | \ F_SEAL_SHRINK | \ F_SEAL_GROW | \ F_SEAL_WRITE | \ @@ -175,6 +176,7 @@ static int memfd_add_seals(struct file *file, unsigned int seals) * SEAL_SHRINK: Prevent the file from shrinking * SEAL_GROW: Prevent the file from growing * SEAL_WRITE: Prevent write access to the file + * SEAL_EXEC: Prevent modification of the exec bits in the file mode * * As we don't require any trust relationship between two parties, we * must prevent seals from being removed. Therefore, sealing a file diff --git a/mm/shmem.c b/mm/shmem.c index 529c9ad3e926..a5ca9675fc29 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1083,6 +1083,12 @@ static int shmem_setattr(struct user_namespace *mnt_userns, if (error) return error; + if ((info->seals & F_SEAL_EXEC) && (attr->ia_valid & ATTR_MODE)) { + if ((inode->i_mode ^ attr->ia_mode) & 0111) { + return -EPERM; + } + } + if (S_ISREG(inode->i_mode) && (attr->ia_valid & ATTR_SIZE)) { loff_t oldsize = inode->i_size; loff_t newsize = attr->ia_size; From patchwork Fri Apr 1 22:08:32 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Verkamp X-Patchwork-Id: 12798820 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F185C433EF for ; Fri, 1 Apr 2022 22:08:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353239AbiDAWKp (ORCPT ); Fri, 1 Apr 2022 18:10:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48054 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353231AbiDAWKo (ORCPT ); Fri, 1 Apr 2022 18:10:44 -0400 Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A244D36E07 for ; Fri, 1 Apr 2022 15:08:52 -0700 (PDT) Received: by mail-pj1-x102f.google.com with SMTP id gp15-20020a17090adf0f00b001c7cd11b0b3so6409243pjb.3 for ; Fri, 01 Apr 2022 15:08:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=GGy12Ftw4loYyE/TAP1mAYq+WnfJrqLYyR2nxuIM2Fs=; b=SL+SlsZQoHtn/QL8/tkQm0FjSPuHuOxWUbuUxvj8p1fi5KcysZoVhJslgdNUIpCfdx xMaLuCHkzzhLEtjWry6xZ18Kd8ePrZ0yDFhYQrDIwtgMlcC0xLi8wlA+UmB3/v01zVJM 6kkF19DbqpacsUKj/Tf9vROFF0KI1KSVapvFw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=GGy12Ftw4loYyE/TAP1mAYq+WnfJrqLYyR2nxuIM2Fs=; b=jRQO/4nyyKcRc0OkkozHi1r/DFdCjn8MAMU4jggQ6ASu3miLBHlqbnlq8F/gwYRJFh E73Wqsf7l0xIAzpj39FX39QwAqA5/zagCXtlYptLYg4csP81fdwlB30iS0ikCDCqZbf6 HUO6yG9yioRYE+2/djRrgY0d636jzB6U/Pg8QgXsf1Q2xWlEqXo7q2UVwS/AEgod4Z7P TjQ3lD7POY7mik+uRTYosSaI0+cloShtG/FMS82lX9l7e0yBqWDRTA2H/bM3QCNODVa7 Alx/tk7o2cQKT0m1zCSgnee6FECvrOkxWkIincheISc49kPXQ9kQWvPStBjhCATS+usU i2dg== X-Gm-Message-State: AOAM531H5mGhKFOkdifynjWZ/qJ3wUH4tftHPVC/qfxRTmoOocN9Ny9A P0GqTakhqoQZBCicZ/ea7SPkuQ== X-Google-Smtp-Source: ABdhPJxNkBtR9kNWdwRtqqtUAaRI/gzMa1PZ+fRs6SHZlkmeP7URvCbay+i9SC3t8N/U0ppDaev6ew== X-Received: by 2002:a17:902:db0f:b0:154:665e:af75 with SMTP id m15-20020a170902db0f00b00154665eaf75mr48318074plx.147.1648850932149; Fri, 01 Apr 2022 15:08:52 -0700 (PDT) Received: from localhost ([2620:15c:202:201:72c9:527e:d936:c24b]) by smtp.gmail.com with UTF8SMTPSA id k18-20020a056a00135200b004fb18fc6c78sm4219370pfu.31.2022.04.01.15.08.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Apr 2022 15:08:51 -0700 (PDT) From: Daniel Verkamp To: linux-mm@kvack.org Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Andrew Morton , Hugh Dickins , Mattias Nissler , Dmitry Torokhov , Kees Cook , Daniel Verkamp Subject: [PATCH 2/4] mm/memfd: add MFD_NOEXEC flag to memfd_create Date: Fri, 1 Apr 2022 15:08:32 -0700 Message-Id: <20220401220834.307660-3-dverkamp@chromium.org> X-Mailer: git-send-email 2.35.1.1094.g7c7d902a7c-goog In-Reply-To: <20220401220834.307660-1-dverkamp@chromium.org> References: <20220401220834.307660-1-dverkamp@chromium.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org The new MFD_NOEXEC flag allows the creation of a permanently non-executable memfd. This is accomplished by creating it with a different set of file mode bits (0666) than the default (0777) and applying the F_SEAL_EXEC seal at creation time, so there is no window between memfd creation and seal application. Unfortunately, the default for memfd must remain executable, since changing this would be an API break, and some programs depend on being able to exec code from a memfd directly. However, this new flag will allow programs to create non-executable memfds, and a distribution may choose to enforce use of this flag in memfd_create calls via other security mechanisms. Signed-off-by: Daniel Verkamp --- include/uapi/linux/memfd.h | 1 + mm/memfd.c | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/memfd.h b/include/uapi/linux/memfd.h index 7a8a26751c23..140e125c9f65 100644 --- a/include/uapi/linux/memfd.h +++ b/include/uapi/linux/memfd.h @@ -8,6 +8,7 @@ #define MFD_CLOEXEC 0x0001U #define MFD_ALLOW_SEALING 0x0002U #define MFD_HUGETLB 0x0004U +#define MFD_NOEXEC 0x0008U /* * Huge page size encoding when MFD_HUGETLB is specified, and a huge page diff --git a/mm/memfd.c b/mm/memfd.c index 4ebeab94aa74..b841514eb0fd 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -263,7 +263,7 @@ long memfd_fcntl(struct file *file, unsigned int cmd, unsigned long arg) #define MFD_NAME_PREFIX_LEN (sizeof(MFD_NAME_PREFIX) - 1) #define MFD_NAME_MAX_LEN (NAME_MAX - MFD_NAME_PREFIX_LEN) -#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB) +#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB | MFD_NOEXEC) SYSCALL_DEFINE2(memfd_create, const char __user *, uname, @@ -333,6 +333,14 @@ SYSCALL_DEFINE2(memfd_create, *file_seals &= ~F_SEAL_SEAL; } + if (flags & MFD_NOEXEC) { + struct inode *inode = file_inode(file); + + inode->i_mode &= ~0111; + file_seals = memfd_file_seals_ptr(file); + *file_seals |= F_SEAL_EXEC; + } + fd_install(fd, file); kfree(name); return fd; From patchwork Fri Apr 1 22:08:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Verkamp X-Patchwork-Id: 12798821 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F1C99C433FE for ; Fri, 1 Apr 2022 22:08:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353231AbiDAWKq (ORCPT ); Fri, 1 Apr 2022 18:10:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48056 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353233AbiDAWKo (ORCPT ); Fri, 1 Apr 2022 18:10:44 -0400 Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BC9AE3B54F for ; Fri, 1 Apr 2022 15:08:54 -0700 (PDT) Received: by mail-pf1-x42b.google.com with SMTP id h19so3846348pfv.1 for ; Fri, 01 Apr 2022 15:08:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=W2dIS9P9cYggnNka+4k4Gn63M8GjebQJazBSK4gQ59E=; b=Cr8pY9ZyZkOJCluc/iz4NzKGM5yjTCERCc07lJqJ64lxXC8WM7aZ3lRaioUTSrh1uP fnNA8gzv7T3fB/mIuXCSe/fDWMjiR+M9lYmcB1a56kj/OmmUyAJKjnV/XNb8nJ4v2hbZ upohpJPABZs86wqi/TJXNyrjsZ+clUnpfPNhU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=W2dIS9P9cYggnNka+4k4Gn63M8GjebQJazBSK4gQ59E=; b=hY+Ls7MC68QUOkKHFuoq6jTGbw35BZUjvEZ3SiOz5g3WFRPyai6Ld5PCX7Y0088rqQ iLWZg/Oigh3pPlkGgC5iaw4+XZD+Fv5862GwdAKmb70DsrL0wl+tDCFxbDG56UFBdilF xFT22syKb6oGVyy3gRaztZMEWktsqNc+C1I6Co7EmXimD/TpY0hA/DAld/71ZBJ5HNVd a9wbzb7EBjiVUEMnMLo74amYYzcKThuyM6BYWWKBsYZCG4tjvnwtN69Jg+bTEp117n+/ jDIGnsus+rcSWbMODtAGT5xSP9npqc1NsLX0Q2zc1NuoqFNwl57EocT6R3sNKdfkj7Mq Cuag== X-Gm-Message-State: AOAM530OYllfJOuxuKk4FJ2uD5hY+1GttFJUzJUulj6iMweerA5ZiVhz BcJgli+hrdXx+KDjQ2d6O6R8bA== X-Google-Smtp-Source: ABdhPJzxAVHoX6VACxIQgKkefSjLO46zf4cJLaQQXIcLa57xWR5jeIRu2USsxHabbOHOptJtDZDWeg== X-Received: by 2002:a05:6a00:1488:b0:4fa:ac61:8b11 with SMTP id v8-20020a056a00148800b004faac618b11mr13204273pfu.58.1648850934155; Fri, 01 Apr 2022 15:08:54 -0700 (PDT) Received: from localhost ([2620:15c:202:201:72c9:527e:d936:c24b]) by smtp.gmail.com with UTF8SMTPSA id oc10-20020a17090b1c0a00b001c7510ed0c8sm14841905pjb.49.2022.04.01.15.08.52 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Apr 2022 15:08:53 -0700 (PDT) From: Daniel Verkamp To: linux-mm@kvack.org Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Andrew Morton , Hugh Dickins , Mattias Nissler , Dmitry Torokhov , Kees Cook , Daniel Verkamp Subject: [PATCH 3/4] selftests/memfd: add tests for F_SEAL_EXEC Date: Fri, 1 Apr 2022 15:08:33 -0700 Message-Id: <20220401220834.307660-4-dverkamp@chromium.org> X-Mailer: git-send-email 2.35.1.1094.g7c7d902a7c-goog In-Reply-To: <20220401220834.307660-1-dverkamp@chromium.org> References: <20220401220834.307660-1-dverkamp@chromium.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org Basic tests to ensure that user/group/other execute bits cannot be changed after applying F_SEAL_EXEC to a memfd. Signed-off-by: Daniel Verkamp --- tools/testing/selftests/memfd/memfd_test.c | 80 ++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index 94df2692e6e4..fdb0e46e9df9 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -28,6 +28,10 @@ #define MFD_DEF_SIZE 8192 #define STACK_SIZE 65536 +#ifndef F_SEAL_EXEC +#define F_SEAL_EXEC 0x0020 +#endif + /* * Default is not to test hugetlbfs */ @@ -594,6 +598,48 @@ static void mfd_fail_grow_write(int fd) } } +static void mfd_assert_mode(int fd, int mode) +{ + struct stat st; + + if (fstat(fd, &st) < 0) { + printf("fstat(%d) failed: %m\n", fd); + abort(); + } else if ((st.st_mode & 07777) != mode) { + printf("wrong file mode 0%04o, but expected 0%04o\n", + (int)st.st_mode & 07777, mode); + abort(); + } +} + +static void mfd_assert_chmod(int fd, int mode) +{ + if (fchmod(fd, mode) < 0) { + printf("fchmod(0%04o) failed: %m\n", mode); + abort(); + } + + mfd_assert_mode(fd, mode); +} + +static void mfd_fail_chmod(int fd, int mode) +{ + struct stat st; + + if (fstat(fd, &st) < 0) { + printf("fstat(%d) failed: %m\n", fd); + abort(); + } + + if (fchmod(fd, mode) == 0) { + printf("fchmod(0%04o) didn't fail as expected\n"); + abort(); + } + + /* verify that file mode bits did not change */ + mfd_assert_mode(fd, st.st_mode & 07777); +} + static int idle_thread_fn(void *arg) { sigset_t set; @@ -880,6 +926,39 @@ static void test_seal_resize(void) close(fd); } +/* + * Test SEAL_EXEC + * Test that chmod() cannot change x bits after sealing + */ +static void test_seal_exec(void) +{ + int fd; + + printf("%s SEAL-EXEC\n", memfd_str); + + fd = mfd_assert_new("kern_memfd_seal_exec", + mfd_def_size, + MFD_CLOEXEC | MFD_ALLOW_SEALING); + + mfd_assert_mode(fd, 0777); + + mfd_assert_chmod(fd, 0644); + + mfd_assert_has_seals(fd, 0); + mfd_assert_add_seals(fd, F_SEAL_EXEC); + mfd_assert_has_seals(fd, F_SEAL_EXEC); + + mfd_assert_chmod(fd, 0600); + mfd_fail_chmod(fd, 0777); + mfd_fail_chmod(fd, 0670); + mfd_fail_chmod(fd, 0605); + mfd_fail_chmod(fd, 0700); + mfd_fail_chmod(fd, 0100); + mfd_assert_chmod(fd, 0666); + + close(fd); +} + /* * Test sharing via dup() * Test that seals are shared between dupped FDs and they're all equal. @@ -1059,6 +1138,7 @@ int main(int argc, char **argv) test_seal_shrink(); test_seal_grow(); test_seal_resize(); + test_seal_exec(); test_share_dup("SHARE-DUP", ""); test_share_mmap("SHARE-MMAP", ""); From patchwork Fri Apr 1 22:08:34 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Verkamp X-Patchwork-Id: 12798822 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 54845C433F5 for ; Fri, 1 Apr 2022 22:09:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347359AbiDAWKv (ORCPT ); Fri, 1 Apr 2022 18:10:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48286 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353242AbiDAWKs (ORCPT ); Fri, 1 Apr 2022 18:10:48 -0400 Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 464CA46159 for ; Fri, 1 Apr 2022 15:08:56 -0700 (PDT) Received: by mail-pl1-x631.google.com with SMTP id e5so3574518pls.4 for ; Fri, 01 Apr 2022 15:08:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=lOkjGfGfl98SeySdZvzcrWOJEVOKytJoGvUFiOZ1aAI=; b=k3QYjMQbIkpZJu+RzninncrAbEnag3EmGlo4bQTg2Fc2+RK1oPVHKalNH09F6XaLOx k24r7rfB5xVIZvuu0s2NKWZ3DovCWTvt6Y0Y9zbNT6yHqQFH7IA3fZLbuFyHZSQeurjy G+A9aaph7FDTPINrdzYeKwqcjp/tXVW3oDQfc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=lOkjGfGfl98SeySdZvzcrWOJEVOKytJoGvUFiOZ1aAI=; b=lAKTtmAjQ+sdTyYOxQK03xKhhIUPugijWsaUJq0jKKVPtTAB9jBiyxBYMt5jseCLC1 egAKdejn7t1WThu2c8CSnWbsbTEGw0fSC2w0qt5DJ1kXUOA+3/k7iCIcDbzTtqe6s4hP 5Ag757dvwKsxmzEFX7L4FQD+Yz00iZCRPzMbWKzfYORyyP3hL8yINSQ28EAep9C4/tLV v9AVAPLDWbF2+DWuCNe4EoZPMp8JyCN1jR9BtSbehGuUHsy9NQi1FXYTFuxB/eFH+RD/ S2LDShVqb35SSTpjlt4XErRb0428RGcozQgO0Qmkq1NLu4VfceEmr/OYOaXURUJ1M/ey yJ8A== X-Gm-Message-State: AOAM530xa+e7lk1TOx3tZhoNVV7yOooLz8bd5kcZNMrX75KoD2hPikUq 2NGGPN5/8oVWeohurPaLYEuXpA== X-Google-Smtp-Source: ABdhPJw/qfYgMATifUmtsmB46MXU37QSE6npLKOGpPlqsWgKaI76Pgjk/RohjePaQficI+4rGcFbvQ== X-Received: by 2002:a17:90b:30ca:b0:1c9:a577:5e8c with SMTP id hi10-20020a17090b30ca00b001c9a5775e8cmr14185468pjb.227.1648850935864; Fri, 01 Apr 2022 15:08:55 -0700 (PDT) Received: from localhost ([2620:15c:202:201:72c9:527e:d936:c24b]) by smtp.gmail.com with UTF8SMTPSA id b19-20020a17090ae39300b001ca070d9dafsm8369294pjz.19.2022.04.01.15.08.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Apr 2022 15:08:55 -0700 (PDT) From: Daniel Verkamp To: linux-mm@kvack.org Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Andrew Morton , Hugh Dickins , Mattias Nissler , Dmitry Torokhov , Kees Cook , Daniel Verkamp Subject: [PATCH 4/4] selftests/memfd: add tests for MFD_NOEXEC Date: Fri, 1 Apr 2022 15:08:34 -0700 Message-Id: <20220401220834.307660-5-dverkamp@chromium.org> X-Mailer: git-send-email 2.35.1.1094.g7c7d902a7c-goog In-Reply-To: <20220401220834.307660-1-dverkamp@chromium.org> References: <20220401220834.307660-1-dverkamp@chromium.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org Tests that ensure MFD_NOEXEC memfds have the appropriate mode bits and cannot be chmod-ed into being executable. Signed-off-by: Daniel Verkamp --- tools/testing/selftests/memfd/memfd_test.c | 34 ++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index fdb0e46e9df9..a79567161cdf 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -32,6 +32,10 @@ #define F_SEAL_EXEC 0x0020 #endif +#ifndef MFD_NOEXEC +#define MFD_NOEXEC 0x0008U +#endif + /* * Default is not to test hugetlbfs */ @@ -959,6 +963,35 @@ static void test_seal_exec(void) close(fd); } +/* + * Test memfd_create with MFD_NOEXEC flag + * Test that MFD_NOEXEC applies F_SEAL_EXEC and prevents change of exec bits + */ +static void test_noexec(void) +{ + int fd; + + printf("%s NOEXEC\n", memfd_str); + + /* Create with NOEXEC and ALLOW_SEALING */ + fd = mfd_assert_new("kern_memfd_noexec", + mfd_def_size, + MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_NOEXEC); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC); + mfd_fail_chmod(fd, 0777); + close(fd); + + /* Create with NOEXEC but without ALLOW_SEALING */ + fd = mfd_assert_new("kern_memfd_noexec", + mfd_def_size, + MFD_CLOEXEC | MFD_NOEXEC); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC | F_SEAL_SEAL); + mfd_fail_chmod(fd, 0777); + close(fd); +} + /* * Test sharing via dup() * Test that seals are shared between dupped FDs and they're all equal. @@ -1132,6 +1165,7 @@ int main(int argc, char **argv) test_create(); test_basic(); + test_noexec(); test_seal_write(); test_seal_future_write();