From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=vrBG=ND=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.7 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 89F49C4338F
	for <linux-mm@archiver.kernel.org>; Thu, 12 Aug 2021 17:35:55 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 1C9C9604DC
	for <linux-mm@archiver.kernel.org>; Thu, 12 Aug 2021 17:35:55 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 1C9C9604DC
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id 8DC418D0002; Thu, 12 Aug 2021 13:35:54 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 88C948D0001; Thu, 12 Aug 2021 13:35:54 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 754758D0002; Thu, 12 Aug 2021 13:35:54 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0064.hostedemail.com [216.40.44.64])
	by kanga.kvack.org (Postfix) with ESMTP id 5B2FB8D0001
	for <linux-mm@kvack.org>; Thu, 12 Aug 2021 13:35:54 -0400 (EDT)
Received: from smtpin02.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay03.hostedemail.com (Postfix) with ESMTP id 13F7E824C439
	for <linux-mm@kvack.org>; Thu, 12 Aug 2021 17:35:54 +0000 (UTC)
X-FDA: 78467131428.02.7B6378A
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by imf26.hostedemail.com (Postfix) with ESMTP id 9F19E2001517
	for <linux-mm@kvack.org>; Thu, 12 Aug 2021 17:35:53 +0000 (UTC)
Received: by mail.kernel.org (Postfix) with ESMTPSA id 5B8356108C;
	Thu, 12 Aug 2021 17:35:49 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1628789752;
	bh=GqM0ozz1NAbZTPXXCXnrXZsPDaDtj/gRbiXe7cyjPKI=;
	h=In-Reply-To:References:Date:From:To:Cc:Subject:From;
	b=cDJxoy7hnGKUu/QDhDzsIRyxw2N5dR93dS5HcojhpJNlyb6Sr5JKzD36jOHYnHKwj
	 Z+vyRIIcsdplZCWXzD687um4CX56H3f7ZoYeSj/sdHd7QRKKxtfvS98rJ/Gw8ity1l
	 2GuVrcHcKTXdTkLnJaDczt+5HAWo1NvlHXZiz3L+IsWu5iMn/T720BJWmfWQDdl9Br
	 r+g36BCoekRfnC609uv4evENehK8VYfVf4qHCbLPBwjUQytXQiWKczqSWWNGumTR7p
	 VkQGy6Y5b4e7sBJXtAsWcD0uh3Bn07N5aWRyyz5MCVxyzsXg5S+yVQ3cPiB9oVsBCA
	 hcbKiicCLPGaw==
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46])
	by mailauth.nyi.internal (Postfix) with ESMTP id 8478D27C005A;
	Thu, 12 Aug 2021 13:35:48 -0400 (EDT)
Received: from imap2 ([10.202.2.52])
  by compute6.internal (MEProxy); Thu, 12 Aug 2021 13:35:48 -0400
X-ME-Sender: <xms:7lsVYab70tgtZizlPnDG_etzSFZKi1Ccca_9KjCtRfczspRlX4wtvQ>
    <xme:7lsVYdZl6hiGPDkCkS2XQRhdtKQvCwDuDR2bdy2nOB_MLqGuliuNfvreNQuaiP5pI
    YcroIq6Y7SJk0YUXt4>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrkeefgdduudegucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
    cujfgurhepofgfggfkjghffffhvffutgesthdtredtreertdenucfhrhhomhepfdetnhgu
    hicunfhuthhomhhirhhskhhifdcuoehluhhtoheskhgvrhhnvghlrdhorhhgqeenucggtf
    frrghtthgvrhhnpedthfehtedtvdetvdetudfgueeuhfdtudegvdelveelfedvteelfffg
    fedvkeegfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh
    hmpegrnhguhidomhgvshhmthhprghuthhhphgvrhhsohhnrghlihhthidqudduiedukeeh
    ieefvddqvdeifeduieeitdekqdhluhhtoheppehkvghrnhgvlhdrohhrgheslhhinhhugi
    drlhhuthhordhush
X-ME-Proxy: <xmx:7lsVYU_4859dwHCNrWtWq9aUcrp4c_qKQnU4rdWw6iTQtW1f4yuH6A>
    <xmx:7lsVYcofr_s4-AL1aEKXUuybD6C0nRtWL4_UtQqmb-s4tBorzjMS9A>
    <xmx:7lsVYVrJmzbsmKzZap6lsenSy7UCZo6M2YLkq6ycfeSAhys3KoGA-Q>
    <xmx:9FsVYVyk2tyoSyh0Ur5bV56UvcAhdxWJcbZNuULlTxM24tzY8QCFmXDrDf8>
Received: by mailuser.nyi.internal (Postfix, from userid 501)
	id 49C18A038A7; Thu, 12 Aug 2021 13:35:42 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-554-g53a5f93b7d-fm-20210809.002-g53a5f93b
Mime-Version: 1.0
Message-Id: <60db2e61-6b00-44fa-b718-e4361fcc238c@www.fastmail.com>
In-Reply-To: <87o8a2d0wf.fsf@disp2133>
References: <20210812084348.6521-1-david@redhat.com> <87o8a2d0wf.fsf@disp2133>
Date: Thu, 12 Aug 2021 10:35:18 -0700
From: "Andy Lutomirski" <luto@kernel.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
 "David Hildenbrand" <david@redhat.com>
Cc: "Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
 "Linus Torvalds" <torvalds@linux-foundation.org>,
 "Andrew Morton" <akpm@linux-foundation.org>,
 "Thomas Gleixner" <tglx@linutronix.de>, "Ingo Molnar" <mingo@redhat.com>,
 "Borislav Petkov" <bp@alien8.de>, "H. Peter Anvin" <hpa@zytor.com>,
 "Al Viro" <viro@zeniv.linux.org.uk>,
 "Alexey Dobriyan" <adobriyan@gmail.com>,
 "Steven Rostedt" <rostedt@goodmis.org>,
 "Peter Zijlstra (Intel)" <peterz@infradead.org>,
 "Arnaldo Carvalho de Melo" <acme@kernel.org>,
 "Mark Rutland" <mark.rutland@arm.com>,
 "Alexander Shishkin" <alexander.shishkin@linux.intel.com>,
 "Jiri Olsa" <jolsa@redhat.com>, "Namhyung Kim" <namhyung@kernel.org>,
 "Petr Mladek" <pmladek@suse.com>,
 "Sergey Senozhatsky" <sergey.senozhatsky@gmail.com>,
 "Andy Shevchenko" <andriy.shevchenko@linux.intel.com>,
 "Rasmus Villemoes" <linux@rasmusvillemoes.dk>,
 "Kees Cook" <keescook@chromium.org>,
 "Greg Ungerer" <gerg@linux-m68k.org>,
 "Geert Uytterhoeven" <geert@linux-m68k.org>,
 "Mike Rapoport" <rppt@kernel.org>, "Vlastimil Babka" <vbabka@suse.cz>,
 "Vincenzo Frascino" <vincenzo.frascino@arm.com>,
 "Chinwen Chang" <chinwen.chang@mediatek.com>,
 "Michel Lespinasse" <walken@google.com>,
 "Catalin Marinas" <catalin.marinas@arm.com>,
 "Matthew Wilcox (Oracle)" <willy@infradead.org>,
 "Huang Ying" <ying.huang@intel.com>, "Jann Horn" <jannh@google.com>,
 "Feng Tang" <feng.tang@intel.com>,
 "Kevin Brodsky" <Kevin.Brodsky@arm.com>,
 "Michael Ellerman" <mpe@ellerman.id.au>,
 "Shawn Anastasio" <shawn@anastas.io>,
 "Steven Price" <steven.price@arm.com>,
 "Nicholas Piggin" <npiggin@gmail.com>,
 "Christian Brauner" <christian.brauner@ubuntu.com>,
 "Jens Axboe" <axboe@kernel.dk>,
 "Gabriel Krisman Bertazi" <krisman@collabora.com>,
 "Peter Xu" <peterx@redhat.com>, "Suren Baghdasaryan" <surenb@google.com>,
 "Shakeel Butt" <shakeelb@google.com>, "Marco Elver" <elver@google.com>,
 "Daniel Jordan" <daniel.m.jordan@oracle.com>,
 "Nicolas Viennot" <Nicolas.Viennot@twosigma.com>,
 "Thomas Cedeno" <thomascedeno@google.com>,
 "Collin Fijalkovich" <cfijalkovich@google.com>,
 "Michal Hocko" <mhocko@suse.com>, "Miklos Szeredi" <miklos@szeredi.hu>,
 "Chengguang Xu" <cgxu519@mykernel.net>,
 =?UTF-8?Q?Christian_K=C3=B6nig?= <ckoenig.leichtzumerken@gmail.com>,
 linux-unionfs@vger.kernel.org, "Linux API" <linux-api@vger.kernel.org>,
 "the arch/x86 maintainers" <x86@kernel.org>,
 linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH v1 0/7] Remove in-tree usage of MAP_DENYWRITE
Content-Type: text/plain
X-Rspamd-Queue-Id: 9F19E2001517
Authentication-Results: imf26.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b=cDJxoy7h;
	spf=pass (imf26.hostedemail.com: domain of luto@kernel.org designates 198.145.29.99 as permitted sender) smtp.mailfrom=luto@kernel.org;
	dmarc=pass (policy=none) header.from=kernel.org
X-Rspamd-Server: rspam01
X-Stat-Signature: 7yxwmopp64pyb1po56hxkqz6d76gc646
X-HE-Tag: 1628789753-837728
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>



On Thu, Aug 12, 2021, at 10:32 AM, Eric W. Biederman wrote:
> David Hildenbrand <david@redhat.com> writes:
> 
> > This series is based on v5.14-rc5 and corresponds code-wise to the
> > previously sent RFC [1] (the RFC still applied cleanly).
> >
> > This series removes all in-tree usage of MAP_DENYWRITE from the kernel
> > and removes VM_DENYWRITE. We stopped supporting MAP_DENYWRITE for
> > user space applications a while ago because of the chance for DoS.
> > The last renaming user is binfmt binary loading during exec and
> > legacy library loading via uselib().
> >
> > With this change, MAP_DENYWRITE is effectively ignored throughout the
> > kernel. Although the net change is small, I think the cleanup in mmap()
> > is quite nice.
> >
> > There are some (minor) user-visible changes with this series:
> > 1. We no longer deny write access to shared libaries loaded via legacy
> >    uselib(); this behavior matches modern user space e.g., via dlopen().
> > 2. We no longer deny write access to the elf interpreter after exec
> >    completed, treating it just like shared libraries (which it often is).
> > 3. We always deny write access to the file linked via /proc/pid/exe:
> >    sys_prctl(PR_SET_MM_EXE_FILE) will fail if write access to the file
> >    cannot be denied, and write access to the file will remain denied
> >    until the link is effectivel gone (exec, termination,
> >    PR_SET_MM_EXE_FILE) -- just as if exec'ing the file.
> >
> > I was wondering if we really care about permanently disabling write access
> > to the executable, or if it would be good enough to just disable write
> > access while loading the new executable during exec; but I don't know
> > the history of that -- and it somewhat makes sense to deny write access
> > at least to the main executable. With modern user space -- dlopen() -- we
> > can effectively modify the content of shared libraries while being
> > used.
> 
> So I think what we really want to do is to install executables with
> and shared libraries without write permissions and immutable.  So that
> upgrades/replacements of the libraries and executables are forced to
> rename or unlink them.  We need the immutable bit as CAP_DAC_OVERRIDE
> aka being root ignores the writable bits when a file is opened for
> write.  However CAP_DAC_OVERRIDE does not override the immutable state
> of a file.

If we really want to do this, I think we'd want a different flag that's more like sealed.  Non-root users should be able to do this, too.

Or we could just more gracefully handle users that overwrite running programs.

--Andy