From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=vrBG=ND=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1
	autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D862DC4338F
	for <linux-mm@archiver.kernel.org>; Thu, 12 Aug 2021 12:47:56 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 70DB060720
	for <linux-mm@archiver.kernel.org>; Thu, 12 Aug 2021 12:47:56 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 70DB060720
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id D2F608D0006; Thu, 12 Aug 2021 08:47:55 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id CDF768D0002; Thu, 12 Aug 2021 08:47:55 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id B80088D0006; Thu, 12 Aug 2021 08:47:55 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0235.hostedemail.com [216.40.44.235])
	by kanga.kvack.org (Postfix) with ESMTP id 9BBD68D0002
	for <linux-mm@kvack.org>; Thu, 12 Aug 2021 08:47:55 -0400 (EDT)
Received: from smtpin01.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id 3CBC318028E7B
	for <linux-mm@kvack.org>; Thu, 12 Aug 2021 12:47:55 +0000 (UTC)
X-FDA: 78466405710.01.EE551D8
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124])
	by imf03.hostedemail.com (Postfix) with ESMTP id A0F513007590
	for <linux-mm@kvack.org>; Thu, 12 Aug 2021 12:47:54 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1628772474;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=+Q2PV7VnI4EE36Yroitk5R4cnOmAOmNpL3oeGGqR8U8=;
	b=TtAMD7WUCmWIscXO326+NL5f6S7dRcg8R1ZJ1rsjs8EQhU97BrRoFqn4XbetwhWPxTev4L
	Z+pp0ri+iJ3kMtMTyPT9ogPQURj0cY8aJFQJtv+jFlbGOq6vli7qldJ9UN3qIOhYwsiHiE
	UsZIA+dCTMXIaBOmQ0xGJGQexm4RrAo=
Received: from mail-wm1-f72.google.com (mail-wm1-f72.google.com
 [209.85.128.72]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-501-23z4sSeGNmuD2ynwASb_Tg-1; Thu, 12 Aug 2021 08:47:51 -0400
X-MC-Unique: 23z4sSeGNmuD2ynwASb_Tg-1
Received: by mail-wm1-f72.google.com with SMTP id y206-20020a1c7dd70000b02902e6a442ea44so2894384wmc.9
        for <linux-mm@kvack.org>; Thu, 12 Aug 2021 05:47:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:organization
         :message-id:date:user-agent:mime-version:in-reply-to
         :content-language:content-transfer-encoding;
        bh=+Q2PV7VnI4EE36Yroitk5R4cnOmAOmNpL3oeGGqR8U8=;
        b=rfdif9T03ngrFvySMw9AKCUOSqN7hPJx9yD1lu5J6eQPvy31OqdXnemGsxsCFcA8Ac
         t7hxVLLwtDbfwxbyoCCrch9AoJue6bDKL9k/a+fbXXFGHbfOaotnh2y2YAuLXFBs9Xyg
         odtHaXT6cAuF4yjJ27oU1T9r0AaGh40jJR2sG1M/WnohkkFyITaUZUqqPUXyA2oIAFsK
         MPt9uR4N4XBjJqVBzNv0nPUs9aNdxu5C5w0J6RGHSuLP7vo0u4mIwY0SntAKD7UQxNTD
         MJSpxUav+io6qmPKeWhbweWalhc9yB2pJ0xdE7etl7VtojORzehTbf3n6FTORLTa3/kr
         fohw==
X-Gm-Message-State: AOAM531XuO3N0A2INa8wVpiVqdVI8z22aWhV1h8VWWUn3NVzn+JUmL3w
	5njbZAZSqULxKmWdjuLz21XfVHxdcuGKSCVa/qC81R+XdPgYP+PAg6yM6rTkjveHup28lGvzxXt
	YyEYhrDF0ms8rwFPGpsDblPg0yPjd5BTApTrHR3Dv9+RJfG7DI/8g0KlU2C0=
X-Received: by 2002:a05:600c:3644:: with SMTP id y4mr10313624wmq.156.1628772470154;
        Thu, 12 Aug 2021 05:47:50 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzVQ12ODWZtcTQdX51baaEDiT/qZqZ0A623jE9FyRBicdlISiUu/+dSjRRCSRweYcYjSAvmxQ==
X-Received: by 2002:a05:600c:3644:: with SMTP id y4mr10313541wmq.156.1628772469723;
        Thu, 12 Aug 2021 05:47:49 -0700 (PDT)
Received: from [192.168.3.132] (p4ff23d8b.dip0.t-ipconnect.de. [79.242.61.139])
        by smtp.gmail.com with ESMTPSA id f2sm1958077wru.31.2021.08.12.05.47.47
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 12 Aug 2021 05:47:48 -0700 (PDT)
Subject: Re: [PATCH v1 0/7] Remove in-tree usage of MAP_DENYWRITE
To: Florian Weimer <fweimer@redhat.com>
Cc: linux-kernel@vger.kernel.org,
 Linus Torvalds <torvalds@linux-foundation.org>,
 Andrew Morton <akpm@linux-foundation.org>,
 Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>,
 Borislav Petkov <bp@alien8.de>, "H. Peter Anvin" <hpa@zytor.com>,
 Alexander Viro <viro@zeniv.linux.org.uk>,
 Alexey Dobriyan <adobriyan@gmail.com>, Steven Rostedt <rostedt@goodmis.org>,
 Peter Zijlstra <peterz@infradead.org>,
 Arnaldo Carvalho de Melo <acme@kernel.org>,
 Mark Rutland <mark.rutland@arm.com>,
 Alexander Shishkin <alexander.shishkin@linux.intel.com>,
 Jiri Olsa <jolsa@redhat.com>, Namhyung Kim <namhyung@kernel.org>,
 Petr Mladek <pmladek@suse.com>,
 Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
 Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
 Rasmus Villemoes <linux@rasmusvillemoes.dk>,
 Kees Cook <keescook@chromium.org>, "Eric W. Biederman"
 <ebiederm@xmission.com>, Greg Ungerer <gerg@linux-m68k.org>,
 Geert Uytterhoeven <geert@linux-m68k.org>, Mike Rapoport <rppt@kernel.org>,
 Vlastimil Babka <vbabka@suse.cz>,
 Vincenzo Frascino <vincenzo.frascino@arm.com>,
 Chinwen Chang <chinwen.chang@mediatek.com>,
 Michel Lespinasse <walken@google.com>,
 Catalin Marinas <catalin.marinas@arm.com>,
 "Matthew Wilcox (Oracle)" <willy@infradead.org>,
 Huang Ying <ying.huang@intel.com>, Jann Horn <jannh@google.com>,
 Feng Tang <feng.tang@intel.com>, Kevin Brodsky <Kevin.Brodsky@arm.com>,
 Michael Ellerman <mpe@ellerman.id.au>, Shawn Anastasio <shawn@anastas.io>,
 Steven Price <steven.price@arm.com>, Nicholas Piggin <npiggin@gmail.com>,
 Christian Brauner <christian.brauner@ubuntu.com>,
 Jens Axboe <axboe@kernel.dk>, Gabriel Krisman Bertazi
 <krisman@collabora.com>, Peter Xu <peterx@redhat.com>,
 Suren Baghdasaryan <surenb@google.com>, Shakeel Butt <shakeelb@google.com>,
 Marco Elver <elver@google.com>, Daniel Jordan <daniel.m.jordan@oracle.com>,
 Nicolas Viennot <Nicolas.Viennot@twosigma.com>,
 Thomas Cedeno <thomascedeno@google.com>,
 Collin Fijalkovich <cfijalkovich@google.com>, Michal Hocko
 <mhocko@suse.com>, Miklos Szeredi <miklos@szeredi.hu>,
 Chengguang Xu <cgxu519@mykernel.net>,
 =?UTF-8?Q?Christian_K=c3=b6nig?= <ckoenig.leichtzumerken@gmail.com>,
 linux-unionfs@vger.kernel.org, linux-api@vger.kernel.org, x86@kernel.org,
 linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
References: <20210812084348.6521-1-david@redhat.com>
 <87r1eyg8h6.fsf@oldenburg.str.redhat.com>
From: David Hildenbrand <david@redhat.com>
Organization: Red Hat
Message-ID: <a57e5120-866c-0b27-8203-0632edda2717@redhat.com>
Date: Thu, 12 Aug 2021 14:47:46 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <87r1eyg8h6.fsf@oldenburg.str.redhat.com>
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: A0F513007590
Authentication-Results: imf03.hostedemail.com;
	dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=TtAMD7WU;
	dmarc=pass (policy=none) header.from=redhat.com;
	spf=none (imf03.hostedemail.com: domain of david@redhat.com has no SPF policy when checking 216.205.24.124) smtp.mailfrom=david@redhat.com
X-Rspamd-Server: rspam04
X-Stat-Signature: pfbrpimit7morimfpog774z3ygq4qunr
X-HE-Tag: 1628772474-681239
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On 12.08.21 14:20, Florian Weimer wrote:
> * David Hildenbrand:
> 
>> There are some (minor) user-visible changes with this series:
>> 1. We no longer deny write access to shared libaries loaded via legacy
>>     uselib(); this behavior matches modern user space e.g., via dlopen().
>> 2. We no longer deny write access to the elf interpreter after exec
>>     completed, treating it just like shared libraries (which it often is).
> 
> We have a persistent issue with people using cp (or similar tools) to
> replace system libraries.  Since the file is truncated first, all
> relocations and global data are replaced by file contents, result in
> difficult-to-diagnose crashes.  It would be nice if we had a way to
> prevent this mistake.  It doesn't have to be MAP_DENYWRITE or MAP_COPY.
> It could be something completely new, like an option that turns every
> future access beyond the truncation point into a signal (rather than
> getting bad data or bad code and crashing much later).
> 
> I don't know how many invalid copy operations are currently thwarted by
> the current program interpreter restriction.  I doubt that lifting the
> restriction matters.
> 
>> 3. We always deny write access to the file linked via /proc/pid/exe:
>>     sys_prctl(PR_SET_MM_EXE_FILE) will fail if write access to the file
>>     cannot be denied, and write access to the file will remain denied
>>     until the link is effectivel gone (exec, termination,
>>     PR_SET_MM_EXE_FILE) -- just as if exec'ing the file.
>>
>> I was wondering if we really care about permanently disabling write access
>> to the executable, or if it would be good enough to just disable write
>> access while loading the new executable during exec; but I don't know
>> the history of that -- and it somewhat makes sense to deny write access
>> at least to the main executable. With modern user space -- dlopen() -- we
>> can effectively modify the content of shared libraries while being used.
> 
> Is there a difference between ET_DYN and ET_EXEC executables?

No, I don't think so. When exec'ing, the main executable will see a 
deny_write_access(file); AFAIKT, that can either be ET_DYN or ET_EXEC.

-- 
Thanks,

David / dhildenb