From patchwork Thu Jan 2 23:32:50 2025
X-Patchwork-Submitter: Isaac Manjarres
X-Patchwork-Id: 13925059
Date: Thu, 2 Jan 2025 15:32:50 -0800
In-Reply-To: <20250102233255.1180524-1-isaacmanjarres@google.com>
References: <20250102233255.1180524-1-isaacmanjarres@google.com>
Message-ID: <20250102233255.1180524-2-isaacmanjarres@google.com>
Subject: [RFC PATCH RESEND v2 1/2] mm/memfd: Add support for F_SEAL_FUTURE_EXEC to memfd
From: "Isaac J. Manjarres"
To: lorenzo.stoakes@oracle.com, Jeff Layton, Chuck Lever, Alexander Aring, Andrew Morton, Shuah Khan
Cc: surenb@google.com, kaleshsingh@google.com, jstultz@google.com, aliceryhl@google.com, jeffxu@google.com, kees@kernel.org, "Isaac J. Manjarres", kernel-team@android.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org

Android currently uses the ashmem driver [1] for creating shared memory regions between processes. Ashmem buffers can initially be mapped with PROT_READ, PROT_WRITE, and PROT_EXEC. Processes can then use the ASHMEM_SET_PROT_MASK ioctl command to restrict--never add--the permissions that the buffer can be mapped with.

Processes can remove the ability to map ashmem buffers as executable to ensure that those buffers cannot be exploited to run unintended code.

For instance, suppose process A allocates a memfd that is meant to be read and written by itself and another process, call it B.

Process A shares the buffer with process B, but process B injects code into the buffer, and compromises process A, such that it makes A map the buffer with PROT_EXEC. This provides an opportunity for process A to run the code that process B injected into the buffer.

If process A had the ability to seal the buffer against future executable mappings before sharing the buffer with process B, this attack would not be possible.

Android is currently trying to replace ashmem with memfd. However, memfd does not have a provision to permanently remove the ability to map a buffer as executable, and leaves itself open to the type of attack described earlier. However, this should be something that can be achieved via a new file seal.

There are known usecases (e.g. CursorWindow [2]) where a process maps a buffer with read/write permissions before restricting the buffer to being mapped as read-only for future mappings.

The resulting VMA from the writable mapping has VM_MAYEXEC set, meaning that mprotect() can change the mapping to be executable. Therefore, implementing the seal similar to F_SEAL_WRITE would not be appropriate, since it would not work with the CursorWindow usecase. This is because the CursorWindow process restricts the mapping permissions to read-only after the writable mapping is created. So, adding a file seal for executable mappings that operates like F_SEAL_WRITE would fail.

Therefore, add support for F_SEAL_FUTURE_EXEC, which is handled similarly to F_SEAL_FUTURE_WRITE. This ensures that CursorWindow can continue to create a writable mapping initially, and then restrict the permissions on the buffer to be mappable as read-only by using both F_SEAL_FUTURE_WRITE and F_SEAL_FUTURE_EXEC. After the seal is applied, any calls to mmap() with PROT_EXEC will fail.

[1] https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/drivers/staging/android/ashmem.c
[2] https://developer.android.com/reference/android/database/CursorWindow

Signed-off-by: Isaac J. Manjarres
--- include/uapi/linux/fcntl.h | 1 + mm/memfd.c | 39 +++++++++++++++++++++++++++++++++++++- 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h index 6e6907e63bfc..ef066e524777 100644 --- a/include/uapi/linux/fcntl.h +++ b/include/uapi/linux/fcntl.h 
@@ -49,6 +49,7 @@ #define F_SEAL_WRITE 0x0008 /* prevent writes */ #define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */ #define F_SEAL_EXEC 0x0020 /* prevent chmod modifying exec bits */ +#define F_SEAL_FUTURE_EXEC 0x0040 /* prevent future executable mappings */ /* (1U << 31) is reserved for signed error codes */ /* diff --git a/mm/memfd.c b/mm/memfd.c index 5f5a23c9051d..cfd62454df5e 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -184,6 +184,7 @@ static unsigned int *memfd_file_seals_ptr(struct file *file) } #define F_ALL_SEALS (F_SEAL_SEAL | \ + F_SEAL_FUTURE_EXEC |\ F_SEAL_EXEC | \ F_SEAL_SHRINK | \ F_SEAL_GROW | \ 
@@ -357,14 +358,50 @@ static int check_write_seal(unsigned long *vm_flags_ptr) return 0; } +static inline bool is_exec_sealed(unsigned int seals) +{ + return seals & F_SEAL_FUTURE_EXEC; +} + +static int check_exec_seal(unsigned long *vm_flags_ptr) +{ + unsigned long vm_flags = *vm_flags_ptr; + unsigned long mask = vm_flags & (VM_SHARED | VM_EXEC); + + /* Executability is not a concern for private mappings. */ + if (!(mask & VM_SHARED)) + return 0; + + /* + * New PROT_EXEC and MAP_SHARED mmaps are not allowed when exec seal + * is active. + */ + if (mask & VM_EXEC) + return -EPERM; + + /* + * Prevent mprotect() from making an exec-sealed mapping executable in + * the future. + */ + *vm_flags_ptr &= ~VM_MAYEXEC; + + return 0; +} + int memfd_check_seals_mmap(struct file *file, unsigned long *vm_flags_ptr) { int err = 0; unsigned int *seals_ptr = memfd_file_seals_ptr(file); unsigned int seals = seals_ptr ? *seals_ptr : 0; - if (is_write_sealed(seals)) + if (is_write_sealed(seals)) { err = check_write_seal(vm_flags_ptr); + if (err) + return err; + } + + if (is_exec_sealed(seals)) + err = check_exec_seal(vm_flags_ptr); return err; } From patchwork Thu Jan 2 23:32:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Isaac Manjarres X-Patchwork-Id: 13925060 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6665AE77197 for ; Thu, 2 Jan 2025 23:33:11 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id D7C066B0088; Thu, 2 Jan 2025 18:33:10 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id D04CE6B0089; Thu, 2 Jan 2025 18:33:10 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id BA5C46B008A; Thu, 2 Jan 2025 18:33:10 -0500 (EST) X-Delivered-To: 
linux-mm@kvack.org
Date: Thu, 2 Jan 2025 15:32:51 -0800
In-Reply-To: <20250102233255.1180524-1-isaacmanjarres@google.com>
References: <20250102233255.1180524-1-isaacmanjarres@google.com>
Message-ID: <20250102233255.1180524-3-isaacmanjarres@google.com>
Subject: [RFC PATCH RESEND v2 2/2] selftests/memfd: Add tests for F_SEAL_FUTURE_EXEC
From: "Isaac J. Manjarres"
To: lorenzo.stoakes@oracle.com, Jeff Layton, Chuck Lever, Alexander Aring, Andrew Morton, Shuah Khan
Cc: surenb@google.com, kaleshsingh@google.com, jstultz@google.com, aliceryhl@google.com, jeffxu@google.com, kees@kernel.org, "Isaac J. Manjarres", kernel-team@android.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org

Add tests to ensure that F_SEAL_FUTURE_EXEC behaves as expected.

Signed-off-by: Isaac J. Manjarres
--- tools/testing/selftests/memfd/memfd_test.c | 79 ++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index c0c53451a16d..abc213a5ce99 100644 --- a/tools/testing/selftests/memfd/memfd_test.c 
+++ b/tools/testing/selftests/memfd/memfd_test.c @@ -31,6 +31,7 @@ #define STACK_SIZE 65536 #define F_SEAL_EXEC 0x0020 +#define F_SEAL_FUTURE_EXEC 0x0040 #define F_WX_SEALS (F_SEAL_SHRINK | \ F_SEAL_GROW | \ @@ -318,6 +319,37 @@ static void *mfd_assert_mmap_private(int fd) return p; } +static void *mfd_fail_mmap_exec(int fd) +{ + void *p; + + p = mmap(NULL, + mfd_def_size, + PROT_EXEC, + MAP_SHARED, + fd, + 0); + if (p != MAP_FAILED) { + printf("mmap() didn't fail as expected\n"); + abort(); + } + + return p; +} + +static void mfd_fail_mprotect_exec(void *p) +{ + int ret; + + ret = mprotect(p, + mfd_def_size, + PROT_EXEC); + if (!ret) { + printf("mprotect didn't fail as expected\n"); + abort(); + } +} + static int mfd_assert_open(int fd, int flags, mode_t mode) { char buf[512]; 
@@ -998,6 +1030,52 @@ static void test_seal_future_write(void) close(fd); } +/* + * Test SEAL_FUTURE_EXEC_MAPPING + * Test whether SEAL_FUTURE_EXEC_MAPPING actually prevents executable mappings. + */ +static void test_seal_future_exec_mapping(void) +{ + int fd; + void *p; + + + printf("%s SEAL-FUTURE-EXEC-MAPPING\n", memfd_str); + + fd = mfd_assert_new("kern_memfd_seal_future_exec_mapping", + mfd_def_size, + MFD_CLOEXEC | MFD_ALLOW_SEALING); + + /* + * PROT_READ | PROT_WRITE mappings create VMAs with VM_MAYEXEC set. + * However, F_SEAL_FUTURE_EXEC applies to subsequent mappings, + * so it should still succeed even if this mapping is active when the + * seal is applied. + */ + p = mfd_assert_mmap_shared(fd); + + mfd_assert_has_seals(fd, 0); + + mfd_assert_add_seals(fd, F_SEAL_FUTURE_EXEC); + mfd_assert_has_seals(fd, F_SEAL_FUTURE_EXEC); + + mfd_fail_mmap_exec(fd); + + munmap(p, mfd_def_size); + + /* Ensure that new mappings without PROT_EXEC work. */ + p = mfd_assert_mmap_shared(fd); + + /* + * Ensure that mappings created after the seal was applied cannot be + * made executable via mprotect(). + */ + mfd_fail_mprotect_exec(p); + + munmap(p, mfd_def_size); + close(fd); +} + static void test_seal_write_map_read_shared(void) { int fd; @@ -1639,6 +1717,7 @@ int main(int argc, char **argv) test_seal_shrink(); test_seal_grow(); test_seal_resize(); + test_seal_future_exec_mapping(); if (pid_ns_supported()) { test_sysctl_simple();
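
Review bot: In patch 1/2, include/uapi/linux/fcntl.h, the comment on the new F_SEAL_FUTURE_EXEC define, "prevent future executable mappings", promises more than mm/memfd.c enforces. check_exec_seal() returns 0 for any mapping without VM_SHARED, so only MAP_SHARED mappings with PROT_EXEC are refused. Suggest wording the uapi comment as "prevent future shared executable mappings", or widening the check so that the comment is true as written.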
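
Review bot: In patch 1/2, the F_ALL_SEALS hunk of mm/memfd.c, the added line "F_SEAL_FUTURE_EXEC |\" has no space before the continuation backslash, unlike the neighbouring "F_SEAL_EXEC | \" lines. Please align it with the rest of the macro.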
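
Review bot: In patch 1/2, check_exec_seal() in mm/memfd.c, the early "return 0" for mappings without VM_SHARED leaves open the scenario the commit message sets out to close. A MAP_PRIVATE mapping of the memfd still reads the file's current contents, so bytes that the peer wrote through its shared mapping can be mapped with PROT_EXEC privately after the seal is set, and VM_MAYEXEC is not cleared on that path either. Either apply the -EPERM return and the VM_MAYEXEC clearing to private mappings as well, or expand the comment "Executability is not a concern for private mappings." and the commit message to say why that case is out of scope.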
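
Review bot: In patch 2/2, the helpers mfd_fail_mmap_exec() and mfd_fail_mprotect_exec() accept any failure, so a run in which mmap() or mprotect() fails for an unrelated reason still passes. Check errno as well; check_exec_seal() in patch 1/2 returns -EPERM for the mmap() case. mfd_fail_mmap_exec() also returns p, which can only be MAP_FAILED once the check has passed, so it can be void like mfd_fail_mprotect_exec().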
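
Review bot: In patch 2/2, test_seal_future_exec_mapping() does not exercise the two cases the kernel change treats specially. The comment notes that the pre-seal shared mapping has VM_MAYEXEC set, but nothing asserts what mprotect() with PROT_EXEC does on that mapping before the munmap(), and there is no MAP_PRIVATE mapping with PROT_EXEC to pin down the private-mapping behaviour that check_exec_seal() allows. Adding both assertions would document the intended semantics. Minor: the header comment names SEAL_FUTURE_EXEC_MAPPING while the flag is F_SEAL_FUTURE_EXEC, and there is a doubled blank line after the declarations.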