mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-08-21 08:19:28 +00:00
6fd7353829
Patch series "mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC", v8. Since Linux introduced the memfd feature, memfd have always had their execute bit set, and the memfd_create() syscall doesn't allow setting it differently. However, in a secure by default system, such as ChromeOS, (where all executables should come from the rootfs, which is protected by Verified boot), this executable nature of memfd opens a door for NoExec bypass and enables “confused deputy attack”. E.g, in VRP bug [1]: cros_vm process created a memfd to share the content with an external process, however the memfd is overwritten and used for executing arbitrary code and root escalation. [2] lists more VRP in this kind. On the other hand, executable memfd has its legit use, runc uses memfd’s seal and executable feature to copy the contents of the binary then execute them, for such system, we need a solution to differentiate runc's use of executable memfds and an attacker's [3]. To address those above, this set of patches add following: 1> Let memfd_create() set X bit at creation time. 2> Let memfd to be sealed for modifying X bit. 3> A new pid namespace sysctl: vm.memfd_noexec to control the behavior of X bit.For example, if a container has vm.memfd_noexec=2, then memfd_create() without MFD_NOEXEC_SEAL will be rejected. 4> A new security hook in memfd_create(). This make it possible to a new LSM, which rejects or allows executable memfd based on its security policy. This patch (of 5): The new F_SEAL_EXEC flag will prevent modification of the exec bits: written as traditional octal mask, 0111, or as named flags, S_IXUSR | S_IXGRP | S_IXOTH. Any chmod(2) or similar call that attempts to modify any of these bits after the seal is applied will fail with errno EPERM. This will preserve the execute bits as they are at the time of sealing, so the memfd will become either permanently executable or permanently un-executable. Link: https://lkml.kernel.org/r/20221215001205.51969-1-jeffxu@google.com Link: https://lkml.kernel.org/r/20221215001205.51969-2-jeffxu@google.com Signed-off-by: Daniel Verkamp <dverkamp@chromium.org> Co-developed-by: Jeff Xu <jeffxu@google.com> Signed-off-by: Jeff Xu <jeffxu@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com> Cc: Hugh Dickins <hughd@google.com> Cc: Jann Horn <jannh@google.com> Cc: Jorge Lucangeli Obes <jorgelo@chromium.org> Cc: Shuah Khan <skhan@linuxfoundation.org> Cc: David Herrmann <dh.herrmann@gmail.com> Cc: kernel test robot <lkp@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
115 lines
4.2 KiB
C
115 lines
4.2 KiB
C
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
|
|
#ifndef _UAPI_LINUX_FCNTL_H
|
|
#define _UAPI_LINUX_FCNTL_H
|
|
|
|
#include <asm/fcntl.h>
|
|
#include <linux/openat2.h>
|
|
|
|
#define F_SETLEASE (F_LINUX_SPECIFIC_BASE + 0)
|
|
#define F_GETLEASE (F_LINUX_SPECIFIC_BASE + 1)
|
|
|
|
/*
|
|
* Cancel a blocking posix lock; internal use only until we expose an
|
|
* asynchronous lock api to userspace:
|
|
*/
|
|
#define F_CANCELLK (F_LINUX_SPECIFIC_BASE + 5)
|
|
|
|
/* Create a file descriptor with FD_CLOEXEC set. */
|
|
#define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6)
|
|
|
|
/*
|
|
* Request nofications on a directory.
|
|
* See below for events that may be notified.
|
|
*/
|
|
#define F_NOTIFY (F_LINUX_SPECIFIC_BASE+2)
|
|
|
|
/*
|
|
* Set and get of pipe page size array
|
|
*/
|
|
#define F_SETPIPE_SZ (F_LINUX_SPECIFIC_BASE + 7)
|
|
#define F_GETPIPE_SZ (F_LINUX_SPECIFIC_BASE + 8)
|
|
|
|
/*
|
|
* Set/Get seals
|
|
*/
|
|
#define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
|
|
#define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
|
|
|
|
/*
|
|
* Types of seals
|
|
*/
|
|
#define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */
|
|
#define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
|
|
#define F_SEAL_GROW 0x0004 /* prevent file from growing */
|
|
#define F_SEAL_WRITE 0x0008 /* prevent writes */
|
|
#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
|
|
#define F_SEAL_EXEC 0x0020 /* prevent chmod modifying exec bits */
|
|
/* (1U << 31) is reserved for signed error codes */
|
|
|
|
/*
|
|
* Set/Get write life time hints. {GET,SET}_RW_HINT operate on the
|
|
* underlying inode, while {GET,SET}_FILE_RW_HINT operate only on
|
|
* the specific file.
|
|
*/
|
|
#define F_GET_RW_HINT (F_LINUX_SPECIFIC_BASE + 11)
|
|
#define F_SET_RW_HINT (F_LINUX_SPECIFIC_BASE + 12)
|
|
#define F_GET_FILE_RW_HINT (F_LINUX_SPECIFIC_BASE + 13)
|
|
#define F_SET_FILE_RW_HINT (F_LINUX_SPECIFIC_BASE + 14)
|
|
|
|
/*
|
|
* Valid hint values for F_{GET,SET}_RW_HINT. 0 is "not set", or can be
|
|
* used to clear any hints previously set.
|
|
*/
|
|
#define RWH_WRITE_LIFE_NOT_SET 0
|
|
#define RWH_WRITE_LIFE_NONE 1
|
|
#define RWH_WRITE_LIFE_SHORT 2
|
|
#define RWH_WRITE_LIFE_MEDIUM 3
|
|
#define RWH_WRITE_LIFE_LONG 4
|
|
#define RWH_WRITE_LIFE_EXTREME 5
|
|
|
|
/*
|
|
* The originally introduced spelling is remained from the first
|
|
* versions of the patch set that introduced the feature, see commit
|
|
* v4.13-rc1~212^2~51.
|
|
*/
|
|
#define RWF_WRITE_LIFE_NOT_SET RWH_WRITE_LIFE_NOT_SET
|
|
|
|
/*
|
|
* Types of directory notifications that may be requested.
|
|
*/
|
|
#define DN_ACCESS 0x00000001 /* File accessed */
|
|
#define DN_MODIFY 0x00000002 /* File modified */
|
|
#define DN_CREATE 0x00000004 /* File created */
|
|
#define DN_DELETE 0x00000008 /* File removed */
|
|
#define DN_RENAME 0x00000010 /* File renamed */
|
|
#define DN_ATTRIB 0x00000020 /* File changed attibutes */
|
|
#define DN_MULTISHOT 0x80000000 /* Don't remove notifier */
|
|
|
|
/*
|
|
* The constants AT_REMOVEDIR and AT_EACCESS have the same value. AT_EACCESS is
|
|
* meaningful only to faccessat, while AT_REMOVEDIR is meaningful only to
|
|
* unlinkat. The two functions do completely different things and therefore,
|
|
* the flags can be allowed to overlap. For example, passing AT_REMOVEDIR to
|
|
* faccessat would be undefined behavior and thus treating it equivalent to
|
|
* AT_EACCESS is valid undefined behavior.
|
|
*/
|
|
#define AT_FDCWD -100 /* Special value used to indicate
|
|
openat should use the current
|
|
working directory. */
|
|
#define AT_SYMLINK_NOFOLLOW 0x100 /* Do not follow symbolic links. */
|
|
#define AT_EACCESS 0x200 /* Test access permitted for
|
|
effective IDs, not real IDs. */
|
|
#define AT_REMOVEDIR 0x200 /* Remove directory instead of
|
|
unlinking file. */
|
|
#define AT_SYMLINK_FOLLOW 0x400 /* Follow symbolic links. */
|
|
#define AT_NO_AUTOMOUNT 0x800 /* Suppress terminal automount traversal */
|
|
#define AT_EMPTY_PATH 0x1000 /* Allow empty relative pathname */
|
|
|
|
#define AT_STATX_SYNC_TYPE 0x6000 /* Type of synchronisation required from statx() */
|
|
#define AT_STATX_SYNC_AS_STAT 0x0000 /* - Do whatever stat() does */
|
|
#define AT_STATX_FORCE_SYNC 0x2000 /* - Force the attributes to be sync'd with the server */
|
|
#define AT_STATX_DONT_SYNC 0x4000 /* - Don't sync attributes with the server */
|
|
|
|
#define AT_RECURSIVE 0x8000 /* Apply to the entire subtree */
|
|
|
|
#endif /* _UAPI_LINUX_FCNTL_H */
|