From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id DF1E9C433F5 for ; Wed, 13 Apr 2022 18:39:43 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 3D27A6B0072; Wed, 13 Apr 2022 14:39:43 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 358D56B0073; Wed, 13 Apr 2022 14:39:43 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 1AB2F6B0074; Wed, 13 Apr 2022 14:39:43 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.28]) by kanga.kvack.org (Postfix) with ESMTP id 09C9D6B0072 for ; Wed, 13 Apr 2022 14:39:43 -0400 (EDT) Received: from smtpin16.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id D48682577A for ; Wed, 13 Apr 2022 18:39:42 +0000 (UTC) X-FDA: 79352719404.16.CA16C6B Received: from mail-lj1-f169.google.com (mail-lj1-f169.google.com [209.85.208.169]) by imf02.hostedemail.com (Postfix) with ESMTP id 3BED38000F for ; Wed, 13 Apr 2022 18:39:42 +0000 (UTC) Received: by mail-lj1-f169.google.com with SMTP id 17so3311952lji.1 for ; Wed, 13 Apr 2022 11:39:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=v0uxIEiOGXAVbrPGMXz16+Yl9VteQ3InKsyKHHrbkhY=; b=h2OmjY4+49Tg6IGmmKVnS46h0KMF5nJCrpra12ygtmpweIVAW4C9qzxr0IhwZZEkU6 r7BQKw12FLOi3dtraqvutf6t94HSeOzMa9EC7/DPsC/VPbyvc4sbTONsqSKXVwJrk4NQ 9/8kCNc4U140teNFFauidckx5eHVIC+7LLlV/7gGC2mz3w9RkSL0OqGvASOKJcj5UyaI 4EuWcsiT2laec06NvgBB72OnYzCUNr5H31jPErL91bBqJi21Vc3TQnxvmvGILKPbQb8z CpXxPbcoe11SYDJsRjyQeXOl3DgYvLfyR0E9zp/So6Uh7gtb5DHrsl/Ybq49TZk4J1sD 8tzA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=v0uxIEiOGXAVbrPGMXz16+Yl9VteQ3InKsyKHHrbkhY=; b=yWVTu6ixASrbBQRS3NI99MIND73Xls+zBwYTz2q1GC3aLmbGlil75iLdfQJUwom+0J CWiNXDlZj5Reifhuy6JQDkw2HLNHaOi8BVnfprH+CFdtOx3bIRO2xRDmDdZGPXgD7lfY aufOctR1ddR1uFh8qRSWy69LkBcY/0tYsc3C8HaX2IPsW6KW3Of1MfgQ9v80p/bSWm+6 kUDkMUF8Xp46eOL9OrETdoUK216/0I4+rucruRBgjv+miieGPglQg0miw59mzro6FeY4 M0oRpsMqI9A2bK3jzWBWFmcO1QHup6He6V+wDJHLWlRqg2YTH4mHsmZm+JRxELdzWFmu /TPw== X-Gm-Message-State: AOAM531KS060w7LZ0QI1HE/6DQ6tFrtCWocolLIjRAbB9ZMZAhAttwN3 PZGiEluKXrdp//RkTOpdXJM= X-Google-Smtp-Source: ABdhPJzhbs3dT23xzQ3oXIyWAhtY4I0DTwhniFJB67OwXphv4OtRYr1uWo06bpQLykfliFtF418d6Q== X-Received: by 2002:a05:651c:a0e:b0:249:90c8:453d with SMTP id k14-20020a05651c0a0e00b0024990c8453dmr26505188ljq.399.1649875180430; Wed, 13 Apr 2022 11:39:40 -0700 (PDT) Received: from [192.168.1.38] (91-159-150-194.elisa-laajakaista.fi. [91.159.150.194]) by smtp.gmail.com with ESMTPSA id u3-20020a197903000000b00464f4c76ebbsm2256852lfc.94.2022.04.13.11.39.38 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 13 Apr 2022 11:39:39 -0700 (PDT) Message-ID: <2a2becf1-fc19-a7da-deb7-1c12781d503d@gmail.com> Date: Wed, 13 Apr 2022 21:39:37 +0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0 Subject: Re: [PATCH RFC 0/4] mm, arm64: In-kernel support for memory-deny-write-execute (MDWE) Content-Language: en-US To: Catalin Marinas , Andrew Morton , Christoph Hellwig , Lennart Poettering , =?UTF-8?Q?Zbigniew_J=c4=99drzejewski-Szmek?= Cc: Will Deacon , Alexander Viro , Eric Biederman , Kees Cook , Szabolcs Nagy , Mark Brown , Jeremy Linton , linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-abi-devel@lists.sourceforge.net References: <20220413134946.2732468-1-catalin.marinas@arm.com> From: Topi Miettinen In-Reply-To: <20220413134946.2732468-1-catalin.marinas@arm.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Rspamd-Server: rspam06 X-Rspamd-Queue-Id: 3BED38000F X-Rspam-User: Authentication-Results: imf02.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=h2OmjY4+; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (imf02.hostedemail.com: domain of toiwoton@gmail.com designates 209.85.208.169 as permitted sender) smtp.mailfrom=toiwoton@gmail.com X-Stat-Signature: ih58e6xm7o8f31ezhdfa6cicqkocd5a6 X-HE-Tag: 1649875182-502310 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 13.4.2022 16.49, Catalin Marinas wrote: > Hi, > > The background to this is that systemd has a configuration option called > MemoryDenyWriteExecute [1], implemented as a SECCOMP BPF filter. Its aim > is to prevent a user task from inadvertently creating an executable > mapping that is (or was) writeable. Since such BPF filter is stateless, > it cannot detect mappings that were previously writeable but > subsequently changed to read-only. Therefore the filter simply rejects > any mprotect(PROT_EXEC). The side-effect is that on arm64 with BTI > support (Branch Target Identification), the dynamic loader cannot change > an ELF section from PROT_EXEC to PROT_EXEC|PROT_BTI using mprotect(). > For libraries, it can resort to unmapping and re-mapping but for the > main executable it does not have a file descriptor. The original bug > report in the Red Hat bugzilla - [2] - and subsequent glibc workaround > for libraries - [3]. > > Add in-kernel support for such feature as a DENY_WRITE_EXEC personality > flag, inherited on fork() and execve(). The kernel tracks a previously > writeable mapping via a new VM_WAS_WRITE flag (64-bit only > architectures). I went for a personality flag by analogy with the > READ_IMPLIES_EXEC one. However, I'm happy to change it to a prctl() if > we don't want more personality flags. A minor downside with the > personality flag is that there is no way for the user to query which > flags are supported, so in patch 3 I added an AT_FLAGS bit to advertise > this. With systemd there's a BPF construct to block personality changes (LockPersonality=yes) but I think prctl() would be easier to lock down irrevocably. Requiring or implying NoNewPrivileges could prevent nasty surprises from set-uid Python programs which happen to use FFI. > Posting this as an RFC to start a discussion and cc'ing some of the > systemd guys and those involved in the earlier thread around the glibc > workaround for dynamic libraries [4]. Before thinking of upstreaming > this we'd need the systemd folk to buy into replacing the MDWE SECCOMP > BPF filter with the in-kernel one. As the author of this feature in systemd (also similar feature in Firejail), I'd highly prefer in-kernel version to BPF protection. I'd definitely also want to use this in place of BPF on x86_64 and other arches too. In-kernel version would probably allow covering pretty easily this case (maybe it already does): fd = memfd_create(...); write(fd, malicious_code, sizeof(malicious_code)); mmap(..., PROT_EXEC, ..., fd); Other memory W^X implementations include S.A.R.A [1] and SELinux EXECMEM/EXECSTACK/EXECHEAP protections [2], [3]. SELinux checks IS_PRIVATE(file_inode(file)) and vma->anon_vma != NULL, which might be useful additions here too (or future extensions if you prefer). -Topi [1] https://smeso.it/sara/ [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c#n3708 [3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c#n3787