From: Catalin Marinas <catalin.marinas@arm.com>
To: "Andrew Morton" <akpm@linux-foundation.org>,
"Christoph Hellwig" <hch@infradead.org>,
"Lennart Poettering" <lennart@poettering.net>,
"Zbigniew Jędrzejewski-Szmek" <zbyszek@in.waw.pl>
Cc: Will Deacon <will@kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Eric Biederman <ebiederm@xmission.com>,
Kees Cook <keescook@chromium.org>,
Szabolcs Nagy <szabolcs.nagy@arm.com>,
Mark Brown <broonie@kernel.org>,
Jeremy Linton <jeremy.linton@arm.com>,
Topi Miettinen <toiwoton@gmail.com>,
linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org,
linux-abi-devel@lists.sourceforge.net
Subject: [PATCH RFC 2/4] mm, personality: Implement memory-deny-write-execute as a personality flag
Date: Wed, 13 Apr 2022 14:49:44 +0100 [thread overview]
Message-ID: <20220413134946.2732468-3-catalin.marinas@arm.com> (raw)
In-Reply-To: <20220413134946.2732468-1-catalin.marinas@arm.com>
The aim of such policy is to prevent a user task from inadvertently
creating an executable mapping that is or was writeable (and
subsequently made read-only).
An example of mmap() returning -EACCESS if the policy is enabled:
mmap(0, size, PROT_READ | PROT_WRITE | PROT_EXEC, flags, 0, 0);
Similarly, mprotect() would return -EACCESS below:
addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0);
mprotect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC);
With the past vma writeable permission tracking, mprotect() below would
also fail with -EACCESS:
addr = mmap(0, size, PROT_READ | PROT_WRITE, flags, 0, 0);
mprotect(addr, size, PROT_READ | PROT_EXEC);
While the above could be achieved by checking PROT_WRITE & PROT_EXEC on
mmap/mprotect and denying mprotect(PROT_EXEC) altogether (current
systemd MDWE approach via SECCOMP BPF filters), we want the following
scenario to succeed:
addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0);
mprotect(addr, size, PROT_READ | PROT_EXEC | PROT_BTI);
where PROT_BTI enables branch tracking identification on arm64.
The choice for a DENY_WRITE_EXEC personality flag, inherited on fork()
and execve(), was made by analogy to READ_IMPLIES_EXEC.
Note that it is sufficient to check for VM_WAS_WRITE in
map_deny_write_exec() as this flag is always set on VM_WRITE mappings.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
---
include/linux/mman.h | 10 ++++++++++
include/uapi/linux/personality.h | 1 +
mm/mmap.c | 3 +++
mm/mprotect.c | 5 +++++
4 files changed, 19 insertions(+)
diff --git a/include/linux/mman.h b/include/linux/mman.h
index 2d841ddae2aa..17e91a1bdfb3 100644
--- a/include/linux/mman.h
+++ b/include/linux/mman.h
@@ -166,4 +166,14 @@ calc_vm_flag_bits(unsigned long flags)
}
unsigned long vm_commit_limit(void);
+
+static inline bool map_deny_write_exec(unsigned long vm_flags)
+{
+ if (IS_ENABLED(CONFIG_ARCH_ENABLE_DENY_WRITE_EXEC) &&
+ (current->personality & DENY_WRITE_EXEC) &&
+ (vm_flags & VM_EXEC) && (vm_flags & VM_WAS_WRITE))
+ return true;
+ return false;
+}
+
#endif /* _LINUX_MMAN_H */
diff --git a/include/uapi/linux/personality.h b/include/uapi/linux/personality.h
index 49796b7756af..c8d924be3dcd 100644
--- a/include/uapi/linux/personality.h
+++ b/include/uapi/linux/personality.h
@@ -22,6 +22,7 @@ enum {
WHOLE_SECONDS = 0x2000000,
STICKY_TIMEOUTS = 0x4000000,
ADDR_LIMIT_3GB = 0x8000000,
+ DENY_WRITE_EXEC = 0x10000000,
};
/*
diff --git a/mm/mmap.c b/mm/mmap.c
index 3aa839f81e63..8e894270a80e 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1579,6 +1579,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
vm_flags |= VM_NORESERVE;
}
+ if (map_deny_write_exec(vm_flags))
+ return -EACCES;
+
addr = mmap_region(file, addr, len, vm_flags, pgoff, uf);
if (!IS_ERR_VALUE(addr) &&
((vm_flags & VM_LOCKED) ||
diff --git a/mm/mprotect.c b/mm/mprotect.c
index b69ce7a7b2b7..ff0d13a4c1ed 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -627,6 +627,11 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
goto out;
}
+ if (map_deny_write_exec(newflags)) {
+ error = -EACCES;
+ goto out;
+ }
+
/* Allow architectures to sanity-check the new flags */
if (!arch_validate_flags(newflags)) {
error = -EINVAL;
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: "Andrew Morton" <akpm@linux-foundation.org>,
"Christoph Hellwig" <hch@infradead.org>,
"Lennart Poettering" <lennart@poettering.net>,
"Zbigniew Jędrzejewski-Szmek" <zbyszek@in.waw.pl>
Cc: Will Deacon <will@kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Eric Biederman <ebiederm@xmission.com>,
Kees Cook <keescook@chromium.org>,
Szabolcs Nagy <szabolcs.nagy@arm.com>,
Mark Brown <broonie@kernel.org>,
Jeremy Linton <jeremy.linton@arm.com>,
Topi Miettinen <toiwoton@gmail.com>,
linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org,
linux-abi-devel@lists.sourceforge.net
Subject: [PATCH RFC 2/4] mm, personality: Implement memory-deny-write-execute as a personality flag
Date: Wed, 13 Apr 2022 14:49:44 +0100 [thread overview]
Message-ID: <20220413134946.2732468-3-catalin.marinas@arm.com> (raw)
In-Reply-To: <20220413134946.2732468-1-catalin.marinas@arm.com>
The aim of such policy is to prevent a user task from inadvertently
creating an executable mapping that is or was writeable (and
subsequently made read-only).
An example of mmap() returning -EACCESS if the policy is enabled:
mmap(0, size, PROT_READ | PROT_WRITE | PROT_EXEC, flags, 0, 0);
Similarly, mprotect() would return -EACCESS below:
addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0);
mprotect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC);
With the past vma writeable permission tracking, mprotect() below would
also fail with -EACCESS:
addr = mmap(0, size, PROT_READ | PROT_WRITE, flags, 0, 0);
mprotect(addr, size, PROT_READ | PROT_EXEC);
While the above could be achieved by checking PROT_WRITE & PROT_EXEC on
mmap/mprotect and denying mprotect(PROT_EXEC) altogether (current
systemd MDWE approach via SECCOMP BPF filters), we want the following
scenario to succeed:
addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0);
mprotect(addr, size, PROT_READ | PROT_EXEC | PROT_BTI);
where PROT_BTI enables branch tracking identification on arm64.
The choice for a DENY_WRITE_EXEC personality flag, inherited on fork()
and execve(), was made by analogy to READ_IMPLIES_EXEC.
Note that it is sufficient to check for VM_WAS_WRITE in
map_deny_write_exec() as this flag is always set on VM_WRITE mappings.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
---
include/linux/mman.h | 10 ++++++++++
include/uapi/linux/personality.h | 1 +
mm/mmap.c | 3 +++
mm/mprotect.c | 5 +++++
4 files changed, 19 insertions(+)
diff --git a/include/linux/mman.h b/include/linux/mman.h
index 2d841ddae2aa..17e91a1bdfb3 100644
--- a/include/linux/mman.h
+++ b/include/linux/mman.h
@@ -166,4 +166,14 @@ calc_vm_flag_bits(unsigned long flags)
}
unsigned long vm_commit_limit(void);
+
+static inline bool map_deny_write_exec(unsigned long vm_flags)
+{
+ if (IS_ENABLED(CONFIG_ARCH_ENABLE_DENY_WRITE_EXEC) &&
+ (current->personality & DENY_WRITE_EXEC) &&
+ (vm_flags & VM_EXEC) && (vm_flags & VM_WAS_WRITE))
+ return true;
+ return false;
+}
+
#endif /* _LINUX_MMAN_H */
diff --git a/include/uapi/linux/personality.h b/include/uapi/linux/personality.h
index 49796b7756af..c8d924be3dcd 100644
--- a/include/uapi/linux/personality.h
+++ b/include/uapi/linux/personality.h
@@ -22,6 +22,7 @@ enum {
WHOLE_SECONDS = 0x2000000,
STICKY_TIMEOUTS = 0x4000000,
ADDR_LIMIT_3GB = 0x8000000,
+ DENY_WRITE_EXEC = 0x10000000,
};
/*
diff --git a/mm/mmap.c b/mm/mmap.c
index 3aa839f81e63..8e894270a80e 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1579,6 +1579,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
vm_flags |= VM_NORESERVE;
}
+ if (map_deny_write_exec(vm_flags))
+ return -EACCES;
+
addr = mmap_region(file, addr, len, vm_flags, pgoff, uf);
if (!IS_ERR_VALUE(addr) &&
((vm_flags & VM_LOCKED) ||
diff --git a/mm/mprotect.c b/mm/mprotect.c
index b69ce7a7b2b7..ff0d13a4c1ed 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -627,6 +627,11 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
goto out;
}
+ if (map_deny_write_exec(newflags)) {
+ error = -EACCES;
+ goto out;
+ }
+
/* Allow architectures to sanity-check the new flags */
if (!arch_validate_flags(newflags)) {
error = -EINVAL;
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-04-13 13:50 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-13 13:49 [PATCH RFC 0/4] mm, arm64: In-kernel support for memory-deny-write-execute (MDWE) Catalin Marinas
2022-04-13 13:49 ` Catalin Marinas
2022-04-13 13:49 ` [PATCH RFC 1/4] mm: Track previously writeable vma permission Catalin Marinas
2022-04-13 13:49 ` Catalin Marinas
2022-04-13 13:49 ` Catalin Marinas [this message]
2022-04-13 13:49 ` [PATCH RFC 2/4] mm, personality: Implement memory-deny-write-execute as a personality flag Catalin Marinas
2022-04-21 17:37 ` David Hildenbrand
2022-04-21 17:37 ` David Hildenbrand
2022-04-22 10:28 ` Catalin Marinas
2022-04-22 10:28 ` Catalin Marinas
2022-04-22 11:04 ` David Hildenbrand
2022-04-22 11:04 ` David Hildenbrand
2022-04-22 13:12 ` Catalin Marinas
2022-04-22 13:12 ` Catalin Marinas
2022-04-22 17:41 ` David Hildenbrand
2022-04-22 17:41 ` David Hildenbrand
2022-04-13 13:49 ` [PATCH RFC 3/4] fs/binfmt_elf: Tell user-space about the DENY_WRITE_EXEC " Catalin Marinas
2022-04-13 13:49 ` Catalin Marinas
2022-04-13 13:49 ` [PATCH RFC 4/4] arm64: Select ARCH_ENABLE_DENY_WRITE_EXEC Catalin Marinas
2022-04-13 13:49 ` Catalin Marinas
2022-04-13 18:39 ` [PATCH RFC 0/4] mm, arm64: In-kernel support for memory-deny-write-execute (MDWE) Topi Miettinen
2022-04-13 18:39 ` Topi Miettinen
2022-04-14 13:49 ` Catalin Marinas
2022-04-14 13:49 ` Catalin Marinas
2022-04-14 18:52 ` Kees Cook
2022-04-14 18:52 ` Kees Cook
2022-04-15 20:01 ` Topi Miettinen
2022-04-15 20:01 ` Topi Miettinen
2022-04-20 13:01 ` Catalin Marinas
2022-04-20 13:01 ` Catalin Marinas
2022-04-20 17:44 ` Kees Cook
2022-04-20 17:44 ` Kees Cook
2022-04-20 19:34 ` Topi Miettinen
2022-04-20 19:34 ` Topi Miettinen
2022-04-20 23:21 ` Kees Cook
2022-04-20 23:21 ` Kees Cook
2022-04-21 15:35 ` Catalin Marinas
2022-04-21 15:35 ` Catalin Marinas
2022-04-21 16:42 ` Kees Cook
2022-04-21 16:42 ` Kees Cook
2022-04-21 17:24 ` Catalin Marinas
2022-04-21 17:24 ` Catalin Marinas
2022-04-21 17:41 ` Kees Cook
2022-04-21 17:41 ` Kees Cook
2022-04-21 18:33 ` Catalin Marinas
2022-04-21 18:33 ` Catalin Marinas
2022-04-21 16:48 ` Topi Miettinen
2022-04-21 16:48 ` Topi Miettinen
2022-04-21 17:28 ` Catalin Marinas
2022-04-21 17:28 ` Catalin Marinas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220413134946.2732468-3-catalin.marinas@arm.com \
--to=catalin.marinas@arm.com \
--cc=akpm@linux-foundation.org \
--cc=broonie@kernel.org \
--cc=ebiederm@xmission.com \
--cc=hch@infradead.org \
--cc=jeremy.linton@arm.com \
--cc=keescook@chromium.org \
--cc=lennart@poettering.net \
--cc=linux-abi-devel@lists.sourceforge.net \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=szabolcs.nagy@arm.com \
--cc=toiwoton@gmail.com \
--cc=viro@zeniv.linux.org.uk \
--cc=will@kernel.org \
--cc=zbyszek@in.waw.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.