From: Catalin Marinas <catalin.marinas@arm.com>
To: Kees Cook <keescook@chromium.org>
Cc: "Topi Miettinen" <toiwoton@gmail.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Christoph Hellwig" <hch@infradead.org>,
"Lennart Poettering" <lennart@poettering.net>,
"Zbigniew Jędrzejewski-Szmek" <zbyszek@in.waw.pl>,
"Will Deacon" <will@kernel.org>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Eric Biederman" <ebiederm@xmission.com>,
"Szabolcs Nagy" <szabolcs.nagy@arm.com>,
"Mark Brown" <broonie@kernel.org>,
"Jeremy Linton" <jeremy.linton@arm.com>,
linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org,
linux-abi-devel@lists.sourceforge.net,
linux-hardening@vger.kernel.org, "Jann Horn" <jannh@google.com>,
"Salvatore Mesoraca" <s.mesoraca16@gmail.com>,
"Igor Zhbanov" <izh1979@gmail.com>
Subject: Re: [PATCH RFC 0/4] mm, arm64: In-kernel support for memory-deny-write-execute (MDWE)
Date: Thu, 21 Apr 2022 19:33:05 +0100 [thread overview]
Message-ID: <YmGjYYlcSVz38rOe@arm.com> (raw)
In-Reply-To: <202204211030.B0093CC14@keescook>
On Thu, Apr 21, 2022 at 10:41:43AM -0700, Kees Cook wrote:
> On Thu, Apr 21, 2022 at 06:24:21PM +0100, Catalin Marinas wrote:
> > On Thu, Apr 21, 2022 at 09:42:23AM -0700, Kees Cook wrote:
> > > On Thu, Apr 21, 2022 at 04:35:15PM +0100, Catalin Marinas wrote:
> > > > Do we want the "was PROT_WRITE" or we just reject mprotect(PROT_EXEC) if
> > > > the vma is not already PROT_EXEC? The latter is closer to the current
> > > > systemd approach. The former allows an mprotect(PROT_EXEC) if the
> > > > mapping was PROT_READ only for example.
> > > >
> > > > I'd drop the "was PROT_WRITE" for now if the aim is a drop-in
> > > > replacement for BPF MDWE.
> > >
> > > I think "was PROT_WRITE" is an important part of the defense that
> > > couldn't be done with a simple seccomp filter (which is why the filter
> > > ended up being a problem in the first place).
> >
> > I would say "was PROT_WRITE" is slightly more relaxed than "is not
> > already PROT_EXEC". The seccomp filter can't do "is not already
> > PROT_EXEC" either since it only checks the mprotect() arguments, not the
> > current vma flags.
> >
> > So we have (with sub-cases):
> >
> > 1. Current BPF filter:
> >
> > a) mmap(PROT_READ|PROT_WRITE|PROT_EXEC); // fails
> >
> > b) mmap(PROT_READ|PROT_EXEC);
> > mprotect(PROT_READ|PROT_EXEC|PROT_BTI); // fails
> >
> > c) mmap(PROT_READ);
> > mprotect(PROT_READ|PROT_EXEC); // fails
> >
> > d) mmap(PROT_READ|PROT_WRITE);
> > mprotect(PROT_READ);
> > mprotect(PROT_READ|PROT_EXEC); // fails
> >
> > 2. "is not already PROT_EXEC":
> >
> > a) mmap(PROT_READ|PROT_WRITE|PROT_EXEC); // fails
> >
> > b) mmap(PROT_READ|PROT_EXEC);
> > mprotect(PROT_READ|PROT_EXEC|PROT_BTI); // passes
> >
> > c) mmap(PROT_READ);
> > mprotect(PROT_READ|PROT_EXEC); // fails
> >
> > d) mmap(PROT_READ|PROT_WRITE);
> > mprotect(PROT_READ);
> > mprotect(PROT_READ|PROT_EXEC); // fails
> >
> > 3. "is or was not PROT_WRITE":
> >
> > a) mmap(PROT_READ|PROT_WRITE|PROT_EXEC); // fails
> >
> > b) mmap(PROT_READ|PROT_EXEC);
> > mprotect(PROT_READ|PROT_EXEC|PROT_BTI); // passes
> >
> > c) mmap(PROT_READ);
> > mprotect(PROT_READ|PROT_EXEC); // passes
> >
> > d) mmap(PROT_READ|PROT_WRITE);
> > mprotect(PROT_READ);
> > mprotect(PROT_READ|PROT_EXEC); // fails
>
> [edited above to show each case]
Thanks, I was in a rush to get home ;).
> restated what was already summarized:
> Problem is 1.b. 2 and 3 solve it. 3 is more relaxed (c passes).
>
> > If we don't care about 3.c, we might as well go for (2). I don't mind,
> > already went for (3) in this series. I think either of them would not be
> > a regression on MDWE, unless there is some test that attempts 3.c and
> > expects it to fail.
>
> I should stop arguing for a less restrictive mode. ;) It just feels weird
> that the combinations are API-mediated, rather than logically defined:
> I can do PROT_READ|PROT_EXEC with mmap but not mprotect under 2. As
> opposed to saying "the vma cannot be executable if it is or ever was
> writable". I find the latter much easier to reason about as far as the
> expectations of system state.
I had the same reasoning, hence option 3 in this series. I prefer to
treat mmap(PROT_READ|PROT_EXEC) and mprotect(PROT_READ|PROT_EXEC) in a
similar way.
--
Catalin
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: Kees Cook <keescook@chromium.org>
Cc: "Topi Miettinen" <toiwoton@gmail.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Christoph Hellwig" <hch@infradead.org>,
"Lennart Poettering" <lennart@poettering.net>,
"Zbigniew Jędrzejewski-Szmek" <zbyszek@in.waw.pl>,
"Will Deacon" <will@kernel.org>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Eric Biederman" <ebiederm@xmission.com>,
"Szabolcs Nagy" <szabolcs.nagy@arm.com>,
"Mark Brown" <broonie@kernel.org>,
"Jeremy Linton" <jeremy.linton@arm.com>,
linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org,
linux-abi-devel@lists.sourceforge.net,
linux-hardening@vger.kernel.org, "Jann Horn" <jannh@google.com>,
"Salvatore Mesoraca" <s.mesoraca16@gmail.com>,
"Igor Zhbanov" <izh1979@gmail.com>
Subject: Re: [PATCH RFC 0/4] mm, arm64: In-kernel support for memory-deny-write-execute (MDWE)
Date: Thu, 21 Apr 2022 19:33:05 +0100 [thread overview]
Message-ID: <YmGjYYlcSVz38rOe@arm.com> (raw)
In-Reply-To: <202204211030.B0093CC14@keescook>
On Thu, Apr 21, 2022 at 10:41:43AM -0700, Kees Cook wrote:
> On Thu, Apr 21, 2022 at 06:24:21PM +0100, Catalin Marinas wrote:
> > On Thu, Apr 21, 2022 at 09:42:23AM -0700, Kees Cook wrote:
> > > On Thu, Apr 21, 2022 at 04:35:15PM +0100, Catalin Marinas wrote:
> > > > Do we want the "was PROT_WRITE" or we just reject mprotect(PROT_EXEC) if
> > > > the vma is not already PROT_EXEC? The latter is closer to the current
> > > > systemd approach. The former allows an mprotect(PROT_EXEC) if the
> > > > mapping was PROT_READ only for example.
> > > >
> > > > I'd drop the "was PROT_WRITE" for now if the aim is a drop-in
> > > > replacement for BPF MDWE.
> > >
> > > I think "was PROT_WRITE" is an important part of the defense that
> > > couldn't be done with a simple seccomp filter (which is why the filter
> > > ended up being a problem in the first place).
> >
> > I would say "was PROT_WRITE" is slightly more relaxed than "is not
> > already PROT_EXEC". The seccomp filter can't do "is not already
> > PROT_EXEC" either since it only checks the mprotect() arguments, not the
> > current vma flags.
> >
> > So we have (with sub-cases):
> >
> > 1. Current BPF filter:
> >
> > a) mmap(PROT_READ|PROT_WRITE|PROT_EXEC); // fails
> >
> > b) mmap(PROT_READ|PROT_EXEC);
> > mprotect(PROT_READ|PROT_EXEC|PROT_BTI); // fails
> >
> > c) mmap(PROT_READ);
> > mprotect(PROT_READ|PROT_EXEC); // fails
> >
> > d) mmap(PROT_READ|PROT_WRITE);
> > mprotect(PROT_READ);
> > mprotect(PROT_READ|PROT_EXEC); // fails
> >
> > 2. "is not already PROT_EXEC":
> >
> > a) mmap(PROT_READ|PROT_WRITE|PROT_EXEC); // fails
> >
> > b) mmap(PROT_READ|PROT_EXEC);
> > mprotect(PROT_READ|PROT_EXEC|PROT_BTI); // passes
> >
> > c) mmap(PROT_READ);
> > mprotect(PROT_READ|PROT_EXEC); // fails
> >
> > d) mmap(PROT_READ|PROT_WRITE);
> > mprotect(PROT_READ);
> > mprotect(PROT_READ|PROT_EXEC); // fails
> >
> > 3. "is or was not PROT_WRITE":
> >
> > a) mmap(PROT_READ|PROT_WRITE|PROT_EXEC); // fails
> >
> > b) mmap(PROT_READ|PROT_EXEC);
> > mprotect(PROT_READ|PROT_EXEC|PROT_BTI); // passes
> >
> > c) mmap(PROT_READ);
> > mprotect(PROT_READ|PROT_EXEC); // passes
> >
> > d) mmap(PROT_READ|PROT_WRITE);
> > mprotect(PROT_READ);
> > mprotect(PROT_READ|PROT_EXEC); // fails
>
> [edited above to show each case]
Thanks, I was in a rush to get home ;).
> restated what was already summarized:
> Problem is 1.b. 2 and 3 solve it. 3 is more relaxed (c passes).
>
> > If we don't care about 3.c, we might as well go for (2). I don't mind,
> > already went for (3) in this series. I think either of them would not be
> > a regression on MDWE, unless there is some test that attempts 3.c and
> > expects it to fail.
>
> I should stop arguing for a less restrictive mode. ;) It just feels weird
> that the combinations are API-mediated, rather than logically defined:
> I can do PROT_READ|PROT_EXEC with mmap but not mprotect under 2. As
> opposed to saying "the vma cannot be executable if it is or ever was
> writable". I find the latter much easier to reason about as far as the
> expectations of system state.
I had the same reasoning, hence option 3 in this series. I prefer to
treat mmap(PROT_READ|PROT_EXEC) and mprotect(PROT_READ|PROT_EXEC) in a
similar way.
--
Catalin
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-04-21 18:33 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-13 13:49 [PATCH RFC 0/4] mm, arm64: In-kernel support for memory-deny-write-execute (MDWE) Catalin Marinas
2022-04-13 13:49 ` Catalin Marinas
2022-04-13 13:49 ` [PATCH RFC 1/4] mm: Track previously writeable vma permission Catalin Marinas
2022-04-13 13:49 ` Catalin Marinas
2022-04-13 13:49 ` [PATCH RFC 2/4] mm, personality: Implement memory-deny-write-execute as a personality flag Catalin Marinas
2022-04-13 13:49 ` Catalin Marinas
2022-04-21 17:37 ` David Hildenbrand
2022-04-21 17:37 ` David Hildenbrand
2022-04-22 10:28 ` Catalin Marinas
2022-04-22 10:28 ` Catalin Marinas
2022-04-22 11:04 ` David Hildenbrand
2022-04-22 11:04 ` David Hildenbrand
2022-04-22 13:12 ` Catalin Marinas
2022-04-22 13:12 ` Catalin Marinas
2022-04-22 17:41 ` David Hildenbrand
2022-04-22 17:41 ` David Hildenbrand
2022-04-13 13:49 ` [PATCH RFC 3/4] fs/binfmt_elf: Tell user-space about the DENY_WRITE_EXEC " Catalin Marinas
2022-04-13 13:49 ` Catalin Marinas
2022-04-13 13:49 ` [PATCH RFC 4/4] arm64: Select ARCH_ENABLE_DENY_WRITE_EXEC Catalin Marinas
2022-04-13 13:49 ` Catalin Marinas
2022-04-13 18:39 ` [PATCH RFC 0/4] mm, arm64: In-kernel support for memory-deny-write-execute (MDWE) Topi Miettinen
2022-04-13 18:39 ` Topi Miettinen
2022-04-14 13:49 ` Catalin Marinas
2022-04-14 13:49 ` Catalin Marinas
2022-04-14 18:52 ` Kees Cook
2022-04-14 18:52 ` Kees Cook
2022-04-15 20:01 ` Topi Miettinen
2022-04-15 20:01 ` Topi Miettinen
2022-04-20 13:01 ` Catalin Marinas
2022-04-20 13:01 ` Catalin Marinas
2022-04-20 17:44 ` Kees Cook
2022-04-20 17:44 ` Kees Cook
2022-04-20 19:34 ` Topi Miettinen
2022-04-20 19:34 ` Topi Miettinen
2022-04-20 23:21 ` Kees Cook
2022-04-20 23:21 ` Kees Cook
2022-04-21 15:35 ` Catalin Marinas
2022-04-21 15:35 ` Catalin Marinas
2022-04-21 16:42 ` Kees Cook
2022-04-21 16:42 ` Kees Cook
2022-04-21 17:24 ` Catalin Marinas
2022-04-21 17:24 ` Catalin Marinas
2022-04-21 17:41 ` Kees Cook
2022-04-21 17:41 ` Kees Cook
2022-04-21 18:33 ` Catalin Marinas [this message]
2022-04-21 18:33 ` Catalin Marinas
2022-04-21 16:48 ` Topi Miettinen
2022-04-21 16:48 ` Topi Miettinen
2022-04-21 17:28 ` Catalin Marinas
2022-04-21 17:28 ` Catalin Marinas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YmGjYYlcSVz38rOe@arm.com \
--to=catalin.marinas@arm.com \
--cc=akpm@linux-foundation.org \
--cc=broonie@kernel.org \
--cc=ebiederm@xmission.com \
--cc=hch@infradead.org \
--cc=izh1979@gmail.com \
--cc=jannh@google.com \
--cc=jeremy.linton@arm.com \
--cc=keescook@chromium.org \
--cc=lennart@poettering.net \
--cc=linux-abi-devel@lists.sourceforge.net \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=s.mesoraca16@gmail.com \
--cc=szabolcs.nagy@arm.com \
--cc=toiwoton@gmail.com \
--cc=viro@zeniv.linux.org.uk \
--cc=will@kernel.org \
--cc=zbyszek@in.waw.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.