From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 1BA77C433EF for ; Wed, 20 Apr 2022 19:35:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:Content-Type: Content-Transfer-Encoding:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:From:References:Cc:To:Subject: MIME-Version:Date:Message-ID:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=NTonPIhsjXdxnPsW9cyJLatOzgE0+1Ad3mJLa4b1xlM=; b=plye1+gAVOxqlO /21v3YXH1rdj/hhIpO03fipWQtR8/TAgxVI3tXc9f4mvlxZosfBfapiXzjd6S5Zw5tnBHZ8g0T76M KhNgtF7UmS3M9Z7eh8wlwh6JuWJGpWuC2xr7RDyTtMEg3YxhMT4imp4rMTjfW/4y/ssRWSJVhbS1i 1cxubpspDbFwxyX/F4gqJutd8o61zwFNsuYFOD0SXziexMn5Vx8+SifBJ7ZuzG63ixGBNEZbIDdSp ySMtna8kWhSRIcaYmmTUB6q4DP6WxGVANoJu63kzYFDx2y3Tl410cf+QiS0jZUnsrRZM2voTURXdz XCe787UkhhzrcvG0K73g==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nhG67-00ADOl-BY; Wed, 20 Apr 2022 19:34:43 +0000 Received: from mail-lj1-x22d.google.com ([2a00:1450:4864:20::22d]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nhG63-00ADMi-1g for linux-arm-kernel@lists.infradead.org; Wed, 20 Apr 2022 19:34:41 +0000 Received: by mail-lj1-x22d.google.com with SMTP id n17so3096495ljc.11 for ; Wed, 20 Apr 2022 12:34:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=tjgtD5b88stSGfQKWtLEKZrrmLsw2qkBuwSeeJ0zuRk=; b=REQ3x7fKLP/EuTnv0GmQmMXaaniRwUtG/2NAsMQ0MKCDkm1I6tRznXQUJsItKuoTlm p2MF8iE5Zzu70G+Gasx2709mXA32PLi1wAASYvs9Q+xTSQ6+D9l0maFctJ2wOTMXGrai bXT3nA9aBaIPBAQsD2PONNhOJkMpkO0CtaImBZd91OqIgwwKnIukZKvAOeSfejYz+uoA pmSTmTrd9MKdpBJza5p0CZyEbb97EnQ4kmBNIyEBE9MjU3kxGEbL/vd8cAMOmYYBgV+E cM5GkendfRXfCHNQhG1krUj2XdXAt5aLy1IZPHTXMHM/5rGHWxU+ZYijqStV6BvlSlGD r2Dg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=tjgtD5b88stSGfQKWtLEKZrrmLsw2qkBuwSeeJ0zuRk=; b=glLyOyKUP+owrgbsJPTAWCD+Ae5hBsO80KslfXJt4urhGAhHOjFxnpPdKIzz+ryuCI H2CMdXPld433RljYlkR0nvICEIpJaNtIJvUZKnYMq0XuVBNcVMIhunDIEutkv+3Wmeds +aP4ONBNZ2AppRc2pULVn221TSZ3Ry38I7jg+3YUOSvn/BcuAWw/nbLtu5myAEppRI3s UYSHYl74RAi9id2TuXkowjygkiyLAdPSBxJM/tfNXNStdB+X3Ex74N96/aHYJ9Z+h4Kr V3Gfh1tx+Y2uXHogx16NR8rbbyizp+Z+zzA4SIImz32bJl/OFXGIACo7LprEVpdbm33e evlg== X-Gm-Message-State: AOAM533RXmuivquy6PkHjMixT23a2We2MTwUNRXuU9ODOSn5PjTuBeBO saS/EbWp5TYGgUL4L3/nwKnBngAylhXCkTqV X-Google-Smtp-Source: ABdhPJxsHjCQqq6WluovUBYdrQyV3jelbuozqG0OYcQa6CZdvrrYWe8QWnKWHKNYaNel51RNGyzwhg== X-Received: by 2002:a05:651c:905:b0:247:e451:48a5 with SMTP id e5-20020a05651c090500b00247e45148a5mr14529352ljq.313.1650483275515; Wed, 20 Apr 2022 12:34:35 -0700 (PDT) Received: from [192.168.1.38] (91-159-150-194.elisa-laajakaista.fi. [91.159.150.194]) by smtp.gmail.com with ESMTPSA id d14-20020a19f24e000000b00471a405963asm698679lfk.304.2022.04.20.12.34.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 20 Apr 2022 12:34:35 -0700 (PDT) Message-ID: Date: Wed, 20 Apr 2022 22:34:33 +0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0 Subject: Re: [PATCH RFC 0/4] mm, arm64: In-kernel support for memory-deny-write-execute (MDWE) Content-Language: en-US To: Catalin Marinas , Kees Cook Cc: Andrew Morton , Christoph Hellwig , Lennart Poettering , =?UTF-8?Q?Zbigniew_J=c4=99drzejewski-Szmek?= , Will Deacon , Alexander Viro , Eric Biederman , Szabolcs Nagy , Mark Brown , Jeremy Linton , linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-abi-devel@lists.sourceforge.net, linux-hardening@vger.kernel.org, Jann Horn , Salvatore Mesoraca , Igor Zhbanov References: <20220413134946.2732468-1-catalin.marinas@arm.com> <202204141028.0482B08@keescook> From: Topi Miettinen In-Reply-To: X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220420_123439_116326_A6F2E41E X-CRM114-Status: GOOD ( 35.49 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 20.4.2022 16.01, Catalin Marinas wrote: > On Thu, Apr 14, 2022 at 11:52:17AM -0700, Kees Cook wrote: >> On Wed, Apr 13, 2022 at 02:49:42PM +0100, Catalin Marinas wrote: >>> The background to this is that systemd has a configuration option called >>> MemoryDenyWriteExecute [1], implemented as a SECCOMP BPF filter. Its aim >>> is to prevent a user task from inadvertently creating an executable >>> mapping that is (or was) writeable. Since such BPF filter is stateless, >>> it cannot detect mappings that were previously writeable but >>> subsequently changed to read-only. Therefore the filter simply rejects >>> any mprotect(PROT_EXEC). The side-effect is that on arm64 with BTI >>> support (Branch Target Identification), the dynamic loader cannot change >>> an ELF section from PROT_EXEC to PROT_EXEC|PROT_BTI using mprotect(). >>> For libraries, it can resort to unmapping and re-mapping but for the >>> main executable it does not have a file descriptor. The original bug >>> report in the Red Hat bugzilla - [2] - and subsequent glibc workaround >>> for libraries - [3]. >> >> Right, so, the systemd filter is a big hammer solution for the kernel >> not having a very easy way to provide W^X mapping protections to >> userspace. There's stuff in SELinux, and there have been several >> attempts[1] at other LSMs to do it too, but nothing stuck. >> >> Given the filter, and the implementation of how to enable BTI, I see two >> solutions: >> >> - provide a way to do W^X so systemd can implement the feature differently >> - provide a way to turn on BTI separate from mprotect to bypass the filter >> >> I would agree, the latter seems like the greater hack, > > We discussed such hacks in the past but they are just working around the > fundamental issue - systemd wants W^X but with BPF it can only achieve > it by preventing mprotect(PROT_EXEC) irrespective of whether the mapping > was already executable. If we find a better solution for W^X, we > wouldn't have to hack anything for mprotect(PROT_EXEC|PROT_BTI). > >> so I welcome >> this RFC, though I think it might need to explore a bit of the feature >> space exposed by other solutions[1] (i.e. see SARA and NAX), otherwise >> it risks being too narrowly implemented. For example, playing well with >> JITs should be part of the design, and will likely need some kind of >> ELF flags and/or "sealing" mode, and to handle the vma alias case as >> Jann Horn pointed out[2]. > > I agree we should look at what we want to cover, though trying to avoid > re-inventing SELinux. With this patchset I went for the minimum that > systemd MDWE does with BPF. > > I think JITs get around it using something like memfd with two separate > mappings to the same page. We could try to prevent such aliases but > allow it if an ELF note is detected (or get the JIT to issue a prctl()). > > Anyway, with a prctl() we can allow finer-grained control starting with > anonymous and file mappings and later extending to vma aliases, > writeable files etc. On top we can add a seal mask so that a process > cannot disable a control was set. Something like (I'm not good at > names): > > prctl(PR_MDWX_SET, flags, seal_mask); > prctl(PR_MDWX_GET); > > with flags like: > > PR_MDWX_MMAP - basics, should cover mmap() and mprotect() > PR_MDWX_ALIAS - vma aliases, allowed with an ELF note > PR_MDWX_WRITEABLE_FILE > > (needs some more thinking) > For systemd, feature compatibility with the BPF version is important so that we could automatically switch to the kernel version once available without regressions. So I think PR_MDWX_MMAP (or maybe PR_MDWX_COMPAT) should match exactly what MemoryDenyWriteExecute=yes as implemented with BPF has: only forbid mmap(PROT_EXEC|PROT_WRITE) and mprotect(PROT_EXEC). Like BPF, once installed there should be no way to escape and ELF flags should be also ignored. ARM BTI should be allowed though (allow PROT_EXEC|PROT_BTI if the old flags had PROT_EXEC). Then we could have improved versions (other PR_MDWX_ prctls) with lots more checks. This could be enabled with MemoryDenyWriteExecute=strict or so. Perhaps also more relaxed versions (like SARA) could be interesting (system service running Python with FFI, or perhaps JVM etc), enabled with for example MemoryDenyWriteExecute=trampolines. That way even those programs would get some protection (though there would be a gap in the defences). -Topi _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel