From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id EC0F6C27C53 for ; Fri, 7 Jun 2024 15:58:25 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 828376B009C; Fri, 7 Jun 2024 11:58:25 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 7D9076B009D; Fri, 7 Jun 2024 11:58:25 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 69F2F6B00A1; Fri, 7 Jun 2024 11:58:25 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 4E5196B009C for ; Fri, 7 Jun 2024 11:58:25 -0400 (EDT) Received: from smtpin28.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay05.hostedemail.com (Postfix) with ESMTP id F3E7640173 for ; Fri, 7 Jun 2024 15:58:24 +0000 (UTC) X-FDA: 82204549728.28.0BF3092 Received: from mail-oa1-f52.google.com (mail-oa1-f52.google.com [209.85.160.52]) by imf22.hostedemail.com (Postfix) with ESMTP id 30AEEC0008 for ; Fri, 7 Jun 2024 15:58:21 +0000 (UTC) Authentication-Results: imf22.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=JLFiZWoC; spf=pass (imf22.hostedemail.com: domain of jeffxu@chromium.org designates 209.85.160.52 as permitted sender) smtp.mailfrom=jeffxu@chromium.org; dmarc=pass (policy=none) header.from=chromium.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1717775902; a=rsa-sha256; cv=none; b=ac2dDPKStY/s/WIqxN9YazsNBnQJJYSk1mCghbm5G+T75k+PuCY9vx9HJcZS/6HOWQ6/MA fwqMxim9aIpx4l0/Dto/pTlsCi0LBZePrXb+h1+Phvkv4nTE6ipt02Xh+Hfb5fuUE8SiE4 dciTpymNO+AR7/dgkQviVNGaa8bl/Q4= ARC-Authentication-Results: i=1; imf22.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=JLFiZWoC; spf=pass (imf22.hostedemail.com: domain of jeffxu@chromium.org designates 209.85.160.52 as permitted sender) smtp.mailfrom=jeffxu@chromium.org; dmarc=pass (policy=none) header.from=chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1717775902; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=TEadrKSLCgbuFYvra79wv6BZ/tbvq8SfRbQUE/5o6is=; b=xZR+v/ZraUz4JQj+D3q4V0GHrHoASZhv+ef2nDeGmbVUBmhK5RrIfMTsbeQ/pzcP7ucTJ0 mrGgyVTgwTR/0PGDCIOSznOB5NSVw9gaFZhxu4dLNebWd4wzO5VcHAfRimEpDh4Cti+Mn4 81aa9vCEVyKvi4/+JsqG0wrqzbpCaT8= Received: by mail-oa1-f52.google.com with SMTP id 586e51a60fabf-250928a8580so1084705fac.3 for ; Fri, 07 Jun 2024 08:58:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1717775901; x=1718380701; darn=kvack.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=TEadrKSLCgbuFYvra79wv6BZ/tbvq8SfRbQUE/5o6is=; b=JLFiZWoCWSRWab3m7dYl3axd2SjnI6UyDKnvBtWGVd0+/PThf3DoGIBVFBl2iZj20i /IquBidKxXyC7pt80DjQe9JndAny5odiYUVRcVQznBC2aIlhmcr53tCzfgmeKYxKpAVb Dl4AnRxRNMOZZyzBSTbUuoXk/msCyPC/l/Evk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1717775901; x=1718380701; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TEadrKSLCgbuFYvra79wv6BZ/tbvq8SfRbQUE/5o6is=; b=alg1xuEQjLV5kDvVTe8IJqxWVP2VVhUQ9SXgFDZYB36LlvkAk5Wp74f3my7WCsMVA5 CimIXdTD6VWxMZ7aAPVu4mW9YdAFxQzH3SkhuDfW2OHwXsJcSU6MJl9936CnnLJyNTjC hZHgB9qVznDOERtssuuCUgMTAlCW1Aq7SSl5/Hw4DktJtOq1vdt3+jiTHN4khYPaPqpe PoFpxz1kctzJM0pfwcFnrdcBJqZa8GF87MLov0Mac0s6c5AbxYuBCRGWhnN1c08W8/dY RAeY5o+FoPi6exWOEdRYe9lof/wiTssDwMMX+rdjn5kSY0MxA36kIZ8Ei7PwF/yZpMTJ oEjQ== X-Forwarded-Encrypted: i=1; AJvYcCX3cPOJmJ9M0smE868vlKbtTLNaL3wN5hmjkAVUdysFhSgEVKPlrxpc3CA1NTtjYmt6cHe/+lD8Ot51l+V+wrzI65Q= X-Gm-Message-State: AOJu0YyN143w7v14AKGcrsarNe6rbB9C9urTpxphAy25u/REAE0a0gqc wTPQLfDAgdZpkGa+6qwuEv5G+7lmW3gsTE8kPvQpCMvP/ZwinacXQsYPaw35A8NmqO4QHvB0M5P ln7YlXn3xnwIfu7jtVddlIP8sILZ9uZ8fKkXc X-Google-Smtp-Source: AGHT+IH/nK4F4tRexrZp1VOlLuPeWYKcpRRXCgXdkWdzR5d80ML7hH7jCR2Ex7YNQ9Ay6MVBijqvI9/8yMfwBjsXrRM= X-Received: by 2002:a05:6871:289:b0:254:8bb9:d0c2 with SMTP id 586e51a60fabf-2548bba70dbmr376857fac.33.1717775900892; Fri, 07 Jun 2024 08:58:20 -0700 (PDT) MIME-Version: 1.0 References: <20240513191544.94754-1-pobrn@protonmail.com> <20240522162324.0aeba086228eddd8aff4f628@linux-foundation.org> <1KDsEBw8g7ymBVpGJZp9NRH1HmCBsQ_jjQ_jKOg90gLUFhW5W6lcG-bI4-5OPkrD24RiG7G83VoZL4SXPQjfldsNFDg7bFnFFgrVZWwSWXQ=@protonmail.com> <08450f80-4c33-40db-886f-fee18e531545@app.fastmail.com> <1e1edbdc-f91f-4106-baa6-b765b78e6abc@app.fastmail.com> In-Reply-To: <1e1edbdc-f91f-4106-baa6-b765b78e6abc@app.fastmail.com> From: Jeff Xu Date: Fri, 7 Jun 2024 08:58:08 -0700 Message-ID: Subject: Re: [PATCH v1] memfd: `MFD_NOEXEC_SEAL` should not imply `MFD_ALLOW_SEALING` To: David Rheinsberg Cc: Jeff Xu , Aleksa Sarai , =?UTF-8?B?QmFybmFiw6FzIFDFkWN6ZQ==?= , Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, dmitry.torokhov@gmail.com, Daniel Verkamp , hughd@google.com, jorgelo@chromium.org, skhan@linuxfoundation.org, Kees Cook Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 30AEEC0008 X-Rspam-User: X-Rspamd-Server: rspam12 X-Stat-Signature: f8gok8yf5p6ro6dd54kquxfkf8y9y7qa X-HE-Tag: 1717775901-458531 X-HE-Meta: U2FsdGVkX18yJh3MlEgzvMVq7cpZyQ2+D++Xn/Tr+eXGylACNsdveCZM6uQpukesXxzwfKDH+Q229sbivTcqdVJRf++dcqzIaEq7qBx7j31nfKmSjvQyEFZJJOSEvwFFZWPRy+R7YT0RIKwCbN4LySeLOigk4SWHzn8ydcPsRVF+nwIVxZ1Fz2ayb1G/u0BXgIEP37FNYA1u1nUAl+gbiY41X3PZHJg65UDnPmyvcvEkqw7tlkRIf0wD3on334rckfYH+1PpQQ/G+wSuPF0If+tj9tNuZmzxk/lL2kJruN53KYePZjxt1gXDB4a/4Mrg3MfGS7E/GtvxNYglhqxjIZ4s3sMUISPV5/j9ZZfdx/CW9xJYiW25AIDuYCMMU62nOpJbJcKSHHRBkxetFsaB48MkmxemkY02UBTVxsQggweIsWUSmV41MiqpyD69vlL1WtfeTfNr5hX5xBca1/Sv3ZGcScs05GFr6dMN41wP06wbv4+qK0coZxtbkqeczch5r9QoUpYhx8BatlqYRMqz4GTkA1YARmn4P/DPL2gKRnVYYonymeh3cr99jgkVYoj09l6K4plMPmaTRi4Y9LwKJYVSW1Nix9/flWaM677vpEgrWJOb6DHFJzZGR0vJKt60za7fdn+BYDBjdgue4ytGdIl0pP2OklnQ+TyqyyfS99p3MTJ1WX4XUEbzuUEcIys0cnupUCM0cSdT6n7/X7KaeaMiuwqojrZL7n+knTbwTBWspg1uYn3AmPqmS2I2yrdSX6aZxdthpoFFLu3BEId7+iOo0juEiZzGGH2aOjurodECN//SbTnMN8AIHGjVo2SSyITRHSJNKn6aE89f3uRu9SmsE0BWYe23chVn2MSZBxgUV8sY96HZIswULJcq0D72nJMcJjUNM3a/iOSm45KoisaAZ8M1xgFwo5H6dM4FsepNkAGTqJokGGkhkTGj5C5UskOMKjp9LxmEAlx+JB6 42ywg3Z9 jPCgEWJ+0MvfNI6FJLVB8eToyGPaW2yrIJfm3e9IAB6LQoXSyK1vxb6eUAAAiE4ycQfKLqMr9brJg5TSHkYcWTLi8sT2rP2G9srvbAGI/F+kzc4CPQz3fThJ+no1tWBfBFeMSKe+i4FBqy7d7plXXNzr5RwZCfF64UjrlPAXkx38Q3/PqfRi2MK/kcJTzxq9l6WZ18L6cv5g8yDH6agkkYIkVTGs+OR8xDnT73aYimTOjhD7nhlH59HoVMRt+G9UAXURE3YolMUn+pGRnK4da+zADGWGVSmGjpEV/fjwkKgXSSW02tjlbfMC/nFTOjO5kfG4smFy4DEqyNnHnilITt52IUcaY6vb8Rl/TaxVtmo/pWV0RzFBCD3lbsq57TfZyBedW3zja9EleG4ts9Mkxtaalew2a0dF+u4eY X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Hi David, On Fri, Jun 7, 2024 at 1:38=E2=80=AFAM David Rheinsberg wrote: > > Hi > > On Tue, May 28, 2024, at 7:13 PM, Jeff Xu wrote: > >> > Another solution is to change memfd to be by-default sealable, > >> > although that will be an api change, but what side effect will it b= e > >> > ? > >> > If we are worried about the memfd being sealed by an attacker, the > >> > malicious code could also overwrite the content since memfd is not > >> > sealed. > >> > >> You cannot change the default-seals retrospectively. There are existin= g shmem-users that share file-descriptors and *expect* the other party to b= e able to override data, but do *not* expect the other party to be able to = apply seals. Note that these models explicitly *want* shared, writable acce= ss to the buffer (e.g., render-client shares a buffer with the display serv= er for scanout), so just because you can *write* to a shmem-file does not m= ean that sharing is unsafe (e.g., using SIGBUS+mmap can safely deal with pa= ge-faults). > >> > > If the other party is controlled by an attacker, the attacker can > > write garbage to the shm-file/memfd, that is already the end of the > > game, at that point, sealing is no longer a concern, right? > > No. If a graphics client shares a buffer with a graphics server, the clie= nt is free to write garbage into the buffer. This is not unsafe. The graphi= cs server will display whatever the client writes into the buffer. This is = completely safe, without sealing and with a writable buffer. > > > If the threat-model is preventing attacker on the other side to write > > the garbage data, then F_SEAL_WRITE|F_SEAL_SHRINK|F_SEAL_GROW can be > > applied, in that case, default-sealable seems preferable because of > > less code change. > > Again, the threat-model is *NOT* concerned with writes. > > Graphics clients/servers are a good example where *ANY* data is valid and= can be processed by the privileged server. Hence, *ANY* writes are allowed= and safe. No need for any seals. Those setups existed way before `memfd_cr= eate` was added (including seals). > > However, when windows are resized, graphic buffers need to be resized as = well. In those setups, the graphics server might call `ftruncate(2)`. If yo= u suddenly make shmem-files sealable by default, a client can set `F_SEAL_S= HRINK/GROW` and the privileged graphics server will get an error from `ftru= ncate(2)`, which it might not be able to handle, as it correctly never expe= cted this to happen. > The graphic buffer is a good example for shmem-files of not-sealable-by-default. Thanks for the details. -Jeff > Thanks > David