From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 3C134C433F5 for ; Wed, 20 Apr 2022 23:23:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=5vVL8Co+wGrMCpF6pirFzRONfP1wRSOccOqJzND+XCY=; b=djtR0wLJC9PHpX DLs0VxtABuYVL7+0Tp2B64vg44TktIdvAUBHKv0mipfwVb9DZrWpSFb0fFdZp05HKR+6UyC4D6gNp 8vnJEArEY5lhcEm6Pk3YbudhFt7HaxxDBxl9N5CvgjXziBPL5mlNnF9PMTpOEWBnMEf1vsJ8xZXhR N08GVavS1freaf6jbpusFRmtnJ80gWzPhJqrR1hR41Rm787RQey3swVql+9fGxu+ihX3aXsoAkTSy /WUBvaCcc6Qoi3xIQLPkypUfTPZwe0jOEqx/jPa60NzeQjU6PAK/339YcGM/Odc7PtTxX5lWljVfu E/pgTsfCDRnYTiOKTwxg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nhJdw-00Apae-HT; Wed, 20 Apr 2022 23:21:52 +0000 Received: from mail-pg1-x530.google.com ([2607:f8b0:4864:20::530]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nhJdt-00ApZR-Fy for linux-arm-kernel@lists.infradead.org; Wed, 20 Apr 2022 23:21:51 +0000 Received: by mail-pg1-x530.google.com with SMTP id t4so3125632pgc.1 for ; Wed, 20 Apr 2022 16:21:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=6Ty3DFGunF6jW21MAnsyi+iAr+gyos3k1HPrH3m9fTc=; b=XnWq2s9XXwGGB2wgFdDYbKC7tkgxh2/Z4V4PkH12svVokJESgvrFm5JNzgsc74GH3y PRmXS5NWLTC5YYg3pP+kw7BUee1T44m8duw4HXfmeLtW6YHy8MuBR4c8niTk8T0VuZ9b QJEAL6A9MGfaxtHAG67ubRu9en7CGwFeOVg9E= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=6Ty3DFGunF6jW21MAnsyi+iAr+gyos3k1HPrH3m9fTc=; b=QJoBHcgSFzaNb2j/lKitRyVjBQNyuYUcgEcjDUQ2vy049vIvZCSc1DBxdRtqBKyNF+ iJdCrD8h8hjqOKS2PSUeIoD5aJfaRsIUcK1TmTHcDn1jgQxICzP7lKPxRzFJcKKd3UXC w7yyZDOBgmxlRtq2P8wyBIhTnEuIJ0NW3GNRIqEHU3lmpSBW72IG7irm7UPs0etSiXmZ z96lJXyY9uNXpMCMYEFvv9ZPX29AxkFf3Of1u184TZ4T6XpZtEbJ6WZjNQrD55SReqVB +jIwCDUU3AWY6Y71ALTZV95kBkr7a/aXlYLONoftGuv8/3NFD5NSJvrkiNBTD4HyVf0C KUQQ== X-Gm-Message-State: AOAM5309j3AVek+GPWBU4s/7M52mNNCTmhK7D2YojYt1DKi5u9SDSQn9 l2d1sI5kuATYki9O3JKwPOyG3g== X-Google-Smtp-Source: ABdhPJwXpf1B85gWACAiQZBQg4zWKjO4yRVSkAvJBvOqRuLOMe9Mwe1L7hhkVq+XyKdgJYc9LDZ6kA== X-Received: by 2002:a65:46cf:0:b0:399:13b3:dd8b with SMTP id n15-20020a6546cf000000b0039913b3dd8bmr21529884pgr.585.1650496906919; Wed, 20 Apr 2022 16:21:46 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id u7-20020aa78487000000b00505d9277cb3sm20637059pfn.38.2022.04.20.16.21.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Apr 2022 16:21:46 -0700 (PDT) Date: Wed, 20 Apr 2022 16:21:45 -0700 From: Kees Cook To: Topi Miettinen Cc: Catalin Marinas , Andrew Morton , Christoph Hellwig , Lennart Poettering , Zbigniew =?utf-8?Q?J=C4=99drzejewski-Szmek?= , Will Deacon , Alexander Viro , Eric Biederman , Szabolcs Nagy , Mark Brown , Jeremy Linton , linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-abi-devel@lists.sourceforge.net, linux-hardening@vger.kernel.org, Jann Horn , Salvatore Mesoraca , Igor Zhbanov Subject: Re: [PATCH RFC 0/4] mm, arm64: In-kernel support for memory-deny-write-execute (MDWE) Message-ID: <202204201610.093C9D5FE8@keescook> References: <20220413134946.2732468-1-catalin.marinas@arm.com> <202204141028.0482B08@keescook> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220420_162149_560611_40C43E70 X-CRM114-Status: GOOD ( 50.92 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Wed, Apr 20, 2022 at 10:34:33PM +0300, Topi Miettinen wrote: > On 20.4.2022 16.01, Catalin Marinas wrote: > > On Thu, Apr 14, 2022 at 11:52:17AM -0700, Kees Cook wrote: > > > On Wed, Apr 13, 2022 at 02:49:42PM +0100, Catalin Marinas wrote: > > > > The background to this is that systemd has a configuration option called > > > > MemoryDenyWriteExecute [1], implemented as a SECCOMP BPF filter. Its aim > > > > is to prevent a user task from inadvertently creating an executable > > > > mapping that is (or was) writeable. Since such BPF filter is stateless, > > > > it cannot detect mappings that were previously writeable but > > > > subsequently changed to read-only. Therefore the filter simply rejects > > > > any mprotect(PROT_EXEC). The side-effect is that on arm64 with BTI > > > > support (Branch Target Identification), the dynamic loader cannot change > > > > an ELF section from PROT_EXEC to PROT_EXEC|PROT_BTI using mprotect(). > > > > For libraries, it can resort to unmapping and re-mapping but for the > > > > main executable it does not have a file descriptor. The original bug > > > > report in the Red Hat bugzilla - [2] - and subsequent glibc workaround > > > > for libraries - [3]. > > > > > > Right, so, the systemd filter is a big hammer solution for the kernel > > > not having a very easy way to provide W^X mapping protections to > > > userspace. There's stuff in SELinux, and there have been several > > > attempts[1] at other LSMs to do it too, but nothing stuck. > > > > > > Given the filter, and the implementation of how to enable BTI, I see two > > > solutions: > > > > > > - provide a way to do W^X so systemd can implement the feature differently > > > - provide a way to turn on BTI separate from mprotect to bypass the filter > > > > > > I would agree, the latter seems like the greater hack, > > > > We discussed such hacks in the past but they are just working around the > > fundamental issue - systemd wants W^X but with BPF it can only achieve > > it by preventing mprotect(PROT_EXEC) irrespective of whether the mapping > > was already executable. If we find a better solution for W^X, we > > wouldn't have to hack anything for mprotect(PROT_EXEC|PROT_BTI). > > > > > so I welcome > > > this RFC, though I think it might need to explore a bit of the feature > > > space exposed by other solutions[1] (i.e. see SARA and NAX), otherwise > > > it risks being too narrowly implemented. For example, playing well with > > > JITs should be part of the design, and will likely need some kind of > > > ELF flags and/or "sealing" mode, and to handle the vma alias case as > > > Jann Horn pointed out[2]. > > > > I agree we should look at what we want to cover, though trying to avoid > > re-inventing SELinux. With this patchset I went for the minimum that > > systemd MDWE does with BPF. > > > > I think JITs get around it using something like memfd with two separate > > mappings to the same page. We could try to prevent such aliases but > > allow it if an ELF note is detected (or get the JIT to issue a prctl()). > > > > Anyway, with a prctl() we can allow finer-grained control starting with > > anonymous and file mappings and later extending to vma aliases, > > writeable files etc. On top we can add a seal mask so that a process > > cannot disable a control was set. Something like (I'm not good at > > names): > > > > prctl(PR_MDWX_SET, flags, seal_mask); > > prctl(PR_MDWX_GET); > > > > with flags like: > > > > PR_MDWX_MMAP - basics, should cover mmap() and mprotect() > > PR_MDWX_ALIAS - vma aliases, allowed with an ELF note > > PR_MDWX_WRITEABLE_FILE > > > > (needs some more thinking) > > > > For systemd, feature compatibility with the BPF version is important so that > we could automatically switch to the kernel version once available without > regressions. So I think PR_MDWX_MMAP (or maybe PR_MDWX_COMPAT) should match > exactly what MemoryDenyWriteExecute=yes as implemented with BPF has: only > forbid mmap(PROT_EXEC|PROT_WRITE) and mprotect(PROT_EXEC). Like BPF, once > installed there should be no way to escape and ELF flags should be also > ignored. ARM BTI should be allowed though (allow PROT_EXEC|PROT_BTI if the > old flags had PROT_EXEC). > > Then we could have improved versions (other PR_MDWX_ prctls) with lots more > checks. This could be enabled with MemoryDenyWriteExecute=strict or so. > > Perhaps also more relaxed versions (like SARA) could be interesting (system > service running Python with FFI, or perhaps JVM etc), enabled with for > example MemoryDenyWriteExecute=trampolines. That way even those programs > would get some protection (though there would be a gap in the defences). Yup, I think we're all on the same page. Catalin, can you respin with a prctl for enabling MDWE? I propose just: prctl(PR_MDWX_SET, flags); prctl(PR_MDWX_GET); PR_MDWX_FLAG_MMAP disallows PROT_EXEC on any VMA that is or was PROT_WRITE, covering at least: mmap, mprotect, pkey_mprotect, and shmat. I don't think anything should be allowed to be disabled once set. -- Kees Cook _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel