From: Kees Cook
To: jeffxu@chromium.org
Cc: skhan@linuxfoundation.org, akpm@linux-foundation.org, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jeffxu@google.com, jorgelo@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, mnissler@chromium.org, jannh@google.com, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v3] mm/memfd: add F_SEAL_EXEC
Date: Fri, 2 Dec 2022 14:43:54 -0800
Message-ID: <202212021443.0F684E33@keescook>
References: <20221202013404.163143-1-jeffxu@google.com> <20221202013404.163143-2-jeffxu@google.com>
In-Reply-To: <20221202013404.163143-2-jeffxu@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Dec 02, 2022 at 01:33:59AM +0000, jeffxu@chromium.org wrote:
> From: Daniel Verkamp
>
> The new F_SEAL_EXEC flag will prevent modification of the exec bits:
> written as traditional octal mask, 0111, or as named flags, S_IXUSR |
> S_IXGRP | S_IXOTH. Any chmod(2) or similar call that attempts to modify
> any of these bits after the seal is applied will fail with errno EPERM.
>
> This will preserve the execute bits as they are at the time of sealing,
> so the memfd will become either permanently executable or permanently
> un-executable.
>
> Co-developed-by: Jeff Xu
> Signed-off-by: Jeff Xu
> Signed-off-by: Daniel Verkamp
> ---
> include/uapi/linux/fcntl.h | 1 +
> mm/memfd.c | 2 ++
> mm/shmem.c | 6 ++++++
> 3 files changed, 9 insertions(+)
>
> diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h > index 2f86b2ad6d7e..e8c07da58c9f 100644 > --- a/include/uapi/linux/fcntl.h > +++ b/include/uapi/linux/fcntl.h > @@ -43,6 +43,7 @@ > #define F_SEAL_GROW 0x0004 /* prevent file from growing */ > #define F_SEAL_WRITE 0x0008 /* prevent writes */ > #define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */ > +#define F_SEAL_EXEC 0x0020 /* prevent chmod modifying exec bits */ > /* (1U << 31) is reserved for signed error codes */ > > /* > diff --git a/mm/memfd.c b/mm/memfd.c > index 08f5f8304746..4ebeab94aa74 100644 > --- a/mm/memfd.c > +++ b/mm/memfd.c > @@ -147,6 +147,7 @@ static unsigned int *memfd_file_seals_ptr(struct file *file) > } > > #define F_ALL_SEALS (F_SEAL_SEAL | \ > + F_SEAL_EXEC | \ > F_SEAL_SHRINK | \ > F_SEAL_GROW | \ > F_SEAL_WRITE | \ > @@ -175,6 +176,7 @@ static int memfd_add_seals(struct file *file, unsigned int seals) > * SEAL_SHRINK: Prevent the file from shrinking > * SEAL_GROW: Prevent the file from growing > * SEAL_WRITE: Prevent write access to the file > + * SEAL_EXEC: Prevent modification of the exec bits in the file mode > * > * As we don't require any trust relationship between two parties, we > * must prevent seals from being removed. Therefore, sealing a file 
> diff --git a/mm/shmem.c b/mm/shmem.c > index c1d8b8a1aa3b..e18a9cf9d937 100644 > --- a/mm/shmem.c > +++ b/mm/shmem.c > @@ -1085,6 +1085,12 @@ static int shmem_setattr(struct user_namespace *mnt_userns, > if (error) > return error; > > + if ((info->seals & F_SEAL_EXEC) && (attr->ia_valid & ATTR_MODE)) { > + if ((inode->i_mode ^ attr->ia_mode) & 0111) { > + return -EPERM; > + } > + } > + > if (S_ISREG(inode->i_mode) && (attr->ia_valid & ATTR_SIZE)) { > loff_t oldsize = inode->i_size; > loff_t newsize = attr->ia_size; > -- > 2.39.0.rc0.267.gcb52ba06e7-goog >

This looks sensible to me!

Reviewed-by: Kees Cook

-- 
Kees Cook
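Review bot: the uapi hunk in include/uapi/linux/fcntl.h under-documents the new seal: the one-line comment `/* prevent chmod modifying exec bits */` is all a header reader gets, while the real contract lives only in the commit message (the exec bits are frozen as they are at sealing time, so the memfd becomes permanently executable or permanently non-executable, and any chmod(2) touching 0111 afterwards fails with EPERM). Suggest spelling that out in the comment, e.g. `/* prevent chmod from changing the exec bits (0111) */`, and noting that the memfd_create(2)/fcntl(2) man page text listing the F_SEAL_* values needs the same addition. With linux-kselftest on Cc and the diffstat touching no test files, a memfd selftest that applies F_SEAL_EXEC and then expects EPERM from fchmod() would pin the new behaviour down.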
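Review bot: style point on the F_ALL_SEALS hunk in mm/memfd.c: F_SEAL_EXEC (0x0020) is inserted between F_SEAL_SEAL and F_SEAL_SHRINK, although the header defines it as the highest bit, right after F_SEAL_FUTURE_WRITE (0x0010). Listing it last in the mask, after F_SEAL_FUTURE_WRITE, keeps F_ALL_SEALS in the same order as the #defines and as the SEAL_* comment block in memfd_add_seals (where the new SEAL_EXEC line is already placed after SEAL_WRITE), so the next bit addition can be checked by eye.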
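Review bot: the shmem_setattr hunk looks logically right: the check runs only after setattr_prepare() has succeeded (the `if (error) return error;` context above it), only when the caller actually supplies a mode (`attr->ia_valid & ATTR_MODE`), and `(inode->i_mode ^ attr->ia_mode) & 0111` rejects exactly the calls that would flip an exec bit while letting a chmod that preserves them through, which is what the commit message promises. Two points: (1) kernel style does not brace a single-statement body, and the nested ifs collapse into one condition: `if ((info->seals & F_SEAL_EXEC) && (attr->ia_valid & ATTR_MODE) && ((inode->i_mode ^ attr->ia_mode) & 0111)) return -EPERM;` (2) the diffstat shows only mm/shmem.c gaining the guard, yet memfd_file_seals_ptr (visible in the memfd.c hunk header) also hands out the seals for MFD_HUGETLB-backed memfds, whose setattr path is in hugetlbfs rather than shmem; it would be good to either add the same check there or state in the commit message why hugetlb memfds are out of scope for this seal.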