Message ID | 20221207154939.2532830-5-jeffxu@google.com |
---|---|
State | New |
Headers |
From: jeffxu@chromium.org
To: skhan@linuxfoundation.org, keescook@chromium.org
Cc: akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com, linux-hardening@vger.kernel.org
Subject: [PATCH v6 4/6] mm/memfd: Add write seals when apply SEAL_EXEC to executable memfd
Date: Wed, 7 Dec 2022 15:49:37 +0000
Message-Id: <20221207154939.2532830-5-jeffxu@google.com>
In-Reply-To: <20221207154939.2532830-1-jeffxu@google.com>
References: <20221207154939.2532830-1-jeffxu@google.com> |
Series | mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC |
Commit Message
Jeff Xu
Dec. 7, 2022, 3:49 p.m. UTC
From: Jeff Xu <jeffxu@google.com>

In order to avoid WX mappings, add F_SEAL_WRITE when applying
F_SEAL_EXEC to an executable memfd, so W^X from start.

This implies application needs to fill the content of the memfd first,
after F_SEAL_EXEC is applied, application can no longer modify the
content of the memfd.

Typically, application seals the memfd right after writing to it.
For example:
1. memfd_create(MFD_EXEC).
2. write() code to the memfd.
3. fcntl(F_ADD_SEALS, F_SEAL_EXEC) to convert the memfd to W^X.
4. call exec() on the memfd.

Signed-off-by: Jeff Xu <jeffxu@google.com>
---
 mm/memfd.c | 6 ++++++
 1 file changed, 6 insertions(+)
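The sequence from the commit message, as an added userspace example (not code from the patch or its author): it runs steps 1 to 3, skips the exec() of step 4, and then checks that asking only for F_SEAL_EXEC left the write seals set and made `write()` fail. `check_exec_seal()` and the enum names are made up for this example, and the `#ifndef` constants are the kernel uapi values for libc headers that predate them; the function returns `UNAVAILABLE` on a kernel that rejects MFD_EXEC.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* uapi constants, defined here in case the libc headers predate them */
#ifndef MFD_EXEC
#define MFD_EXEC 0x0010U
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif
#ifndef F_SEAL_FUTURE_WRITE
#define F_SEAL_FUTURE_WRITE 0x0010
#endif
#define IMPLIED (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)
enum seal_result { UNAVAILABLE, WX_SEALED, NOT_SEALED }; /* example-only names */

enum seal_result check_exec_seal(void)
{
    static const char payload[] = "constructed stand-in for code bytes";
    enum seal_result res = UNAVAILABLE;
    /* Step 1. MFD_ALLOW_SEALING is required, or F_SEAL_SEAL is preset. */
    int seals, fd = memfd_create("wx-demo", MFD_EXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return UNAVAILABLE;     /* kernel rejects MFD_EXEC */
    /* Step 2: fill the memfd while it is still writable. */
    if (write(fd, payload, sizeof(payload)) != (ssize_t)sizeof(payload))
        goto out;
    /* Step 3: ask for F_SEAL_EXEC only. */
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_EXEC) < 0)
        goto out;
    /* With the patch, the write seals are set and write() is refused. */
    seals = fcntl(fd, F_GET_SEALS);
    res = (seals >= 0 && (seals & IMPLIED) == IMPLIED &&
           write(fd, "x", 1) < 0) ? WX_SEALED : NOT_SEALED;
out:
    close(fd);
    return res;
}

int main(void)
{
    static const char *const msg[] = { "unavailable", "W^X sealed", "not sealed" };
    puts(msg[check_exec_seal()]);
    return 0;
}
```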
Comments
On Wed, Dec 07, 2022 at 03:49:37PM +0000, jeffxu@chromium.org wrote:
> From: Jeff Xu <jeffxu@google.com>
>
> In order to avoid WX mappings, add F_SEAL_WRITE when applying
> F_SEAL_EXEC to an executable memfd, so W^X from start.
>
> This implies application needs to fill the content of the memfd first,
> after F_SEAL_EXEC is applied, application can no longer modify the
> content of the memfd.
>
> Typically, application seals the memfd right after writing to it.
> For example:
> 1. memfd_create(MFD_EXEC).
> 2. write() code to the memfd.
> 3. fcntl(F_ADD_SEALS, F_SEAL_EXEC) to convert the memfd to W^X.
> 4. call exec() on the memfd.
>
> Signed-off-by: Jeff Xu <jeffxu@google.com>

Reviewed-by: Kees Cook <keescook@chromium.org>
diff --git a/mm/memfd.c b/mm/memfd.c index ec70675a7069..92f0a5765f7c 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -222,6 +222,12 @@ static int memfd_add_seals(struct file *file, unsigned int seals) } } + /* + * SEAL_EXEC implys SEAL_WRITE, making W^X from the start. + */ + if (seals & F_SEAL_EXEC && inode->i_mode & 0111) + seals |= F_SEAL_SHRINK|F_SEAL_GROW|F_SEAL_WRITE|F_SEAL_FUTURE_WRITE; + *file_seals |= seals; error = 0;
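Review bot: The implied seals are OR-ed into `seals` only at the end of memfd_add_seals(), directly before `*file_seals |= seals;`, so any check earlier in the function that is keyed on F_SEAL_WRITE being set in `seals` (that code is outside this hunk) will not run for a caller who passes only F_SEAL_EXEC. If F_SEAL_EXEC on an executable memfd is meant to behave exactly like an explicit F_SEAL_WRITE, consider widening `seals` near the top of the function, before those checks. Separately, the comment names only SEAL_WRITE while the mask also adds F_SEAL_SHRINK, F_SEAL_GROW and F_SEAL_FUTURE_WRITE and applies only when `inode->i_mode & 0111` is non-zero; the comment should say so, "implys" should read "implies", and parentheses around each `&` operand of the `&&` would make the condition easier to read.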