Message ID | 20221215001205.51969-4-jeffxu@google.com |
---|---|
State | New |
Headers | show |
Series | mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC | expand |
jeffxu@chromium.org wrote on Thu, Dec 15, 2022 at 12:12:03AM +0000: > From: Jeff Xu <jeffxu@google.com> > > The new MFD_NOEXEC_SEAL and MFD_EXEC flags allows application to > set executable bit at creation time (memfd_create). > > When MFD_NOEXEC_SEAL is set, memfd is created without executable bit > (mode:0666), and sealed with F_SEAL_EXEC, so it can't be chmod to > be executable (mode: 0777) after creation. > > when MFD_EXEC flag is set, memfd is created with executable bit > (mode:0777), this is the same as the old behavior of memfd_create. > > The new pid namespaced sysctl vm.memfd_noexec has 3 values: > 0: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like > MFD_EXEC was set. > 1: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like > MFD_NOEXEC_SEAL was set. > 2: memfd_create() without MFD_NOEXEC_SEAL will be rejected. So, erm, I'm a bit late to the party but I was just looking at a way of blocking memfd_create+exec in a container and this sounded perfect: my reading is that this is a security feature meant to be set for container's namespaces that'd totally disable something like memfd_create followed by fexecve (because we don't want weird binaries coming from who knows where to be executed on a shiny secure system), but. . . is this actually supposed to work? (see below) > [...] > --- a/mm/memfd.c > +++ b/mm/memfd.c > @@ -263,12 +264,14 @@ long memfd_fcntl(struct file *file, unsigned int cmd, unsigned long arg) > #define MFD_NAME_PREFIX_LEN (sizeof(MFD_NAME_PREFIX) - 1) > #define MFD_NAME_MAX_LEN (NAME_MAX - MFD_NAME_PREFIX_LEN) > > -#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB) > +#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB | MFD_NOEXEC_SEAL | MFD_EXEC) > > SYSCALL_DEFINE2(memfd_create, > const char __user *, uname, > unsigned int, flags) > { > + char comm[TASK_COMM_LEN]; > + struct pid_namespace *ns; > unsigned int *file_seals; > struct file *file; > int fd, error; > @@ -285,6 +288,39 @@ SYSCALL_DEFINE2(memfd_create, > return -EINVAL; > } > > + /* Invalid if both EXEC and NOEXEC_SEAL are set.*/ > + if ((flags & MFD_EXEC) && (flags & MFD_NOEXEC_SEAL)) > + return -EINVAL; > + > + if (!(flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { > + [code that checks the sysctl] If flags already has either MFD_EXEC or MFD_NOEXEC_SEAL, you don't check the sysctl at all. This can be verified easily: ----- $ cat > memfd_exec.c <<'EOF' #define _GNU_SOURCE #include <errno.h> #include <stdio.h> #include <sys/mman.h> #include <sys/types.h> #include <sys/wait.h> #ifndef MFD_EXEC #define MFD_EXEC 0x0010U #endif int main() { int fd = memfd_create("script", MFD_EXEC); if (fd == -1)l perror("memfd"); char prog[] = "#!/bin/sh\necho Ran script\n"; if (write(fd, prog, sizeof(prog)-1) != sizeof(prog)-1) perror("write"); char *const argv[] = { "script", NULL }; char *const envp[] = { NULL }; fexecve(fd, argv, envp); perror("fexecve"); } EOF $ gcc -o memfd_exec memfd_exec.c $ ./memfd_exec Ran script $ sysctl vm.memfd_noexec vm.memfd_noexec = 2 ----- (as opposed to failing hard on memfd_create if flag unset on sysctl=2, and failing on fexecve with flag unset and sysctl=1) What am I missing? BTW I find the current behaviour rather hard to use: setting this to 2 should still set NOEXEC by default in my opinion, just refuse anything that explicitly requested EXEC. Sure there's a warn_once that memfd_create was used without seal, but right now on my system it's "used up" 5 seconds after boot by systemd: [ 5.854378] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=1 'systemd' And anyway, older kernels will barf up EINVAL when calling memfd_create with MFD_NOEXEC_SEAL, so even if userspace will want to adapt they'll need to try calling memfd_create with the flag once and retry on EINVAL, which let's face it is going to take a while to happen. (Also, the flag has been added to glibc, but not in any release yet) Making calls default to noexec AND refuse exec does what you want (forbid use of exec in an app that wasn't in a namespace that allows exec) while allowing apps that require it to work; that sounds better than making all applications that haven't taken the pain of adding the new flag to me. Well, I guess an app that did require exec without setting the flag will fail in a weird place instead of failing at memfd_create and having a chance to fallback, so it's not like it doesn't make any sense; I don't have such strong feelings about this if the sysctl works, but for my use case I'm more likely to want to take a chance at memfd_create not needing exec than having the flag set. Perhaps a third value if I cared enough...
Dominique Martinet wrote on Wed, Jun 28, 2023 at 08:42:41PM +0900: > If flags already has either MFD_EXEC or MFD_NOEXEC_SEAL, you don't check > the sysctl at all. > [...repro snipped..] > > What am I missing? (Perhaps the intent is just to force people to use the flag so it is easier to check for memfd_create in seccomp or other LSM? But I don't see why such a check couldn't consider the absence of a flag as well, so I don't see the point.) > BTW I find the current behaviour rather hard to use: setting this to 2 > should still set NOEXEC by default in my opinion, just refuse anything > that explicitly requested EXEC. And I just noticed it's not possible to lower the value despite having CAP_SYS_ADMIN: what the heck?! I have never seen such a sysctl and it just forced me to reboot because I willy-nilly tested in the init pid namespace, and quite a few applications that don't require exec broke exactly as I described below. If the user has CAP_SYS_ADMIN there are more container escape methods than I can count, this is basically free pass to root on main namespace anyway, you're not protecting anything. Please let people set the sysctl to what they want. > Sure there's a warn_once that memfd_create was used without seal, but > right now on my system it's "used up" 5 seconds after boot by systemd: > [ 5.854378] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=1 'systemd' > > And anyway, older kernels will barf up EINVAL when calling memfd_create > with MFD_NOEXEC_SEAL, so even if userspace will want to adapt they'll > need to try calling memfd_create with the flag once and retry on EINVAL, > which let's face it is going to take a while to happen. > (Also, the flag has been added to glibc, but not in any release yet) > > Making calls default to noexec AND refuse exec does what you want > (forbid use of exec in an app that wasn't in a namespace that allows > exec) while allowing apps that require it to work; that sounds better > than making all applications that haven't taken the pain of adding the > new flag to me. > Well, I guess an app that did require exec without setting the flag will > fail in a weird place instead of failing at memfd_create and having a > chance to fallback, so it's not like it doesn't make any sense; > I don't have such strong feelings about this if the sysctl works, but > for my use case I'm more likely to want to take a chance at memfd_create > not needing exec than having the flag set. Perhaps a third value if I > cared enough...
Hello On Thu, Jun 29, 2023 at 3:30 AM Dominique Martinet <asmadeus@codewreck.org> wrote: > > Jeff Xu wrote on Wed, Jun 28, 2023 at 09:33:27PM -0700: > > > > BTW I find the current behaviour rather hard to use: setting this to 2 > > > > should still set NOEXEC by default in my opinion, just refuse anything > > > > that explicitly requested EXEC. > > > > > > And I just noticed it's not possible to lower the value despite having > > > CAP_SYS_ADMIN: what the heck?! I have never seen such a sysctl and it > > > just forced me to reboot because I willy-nilly tested in the init pid > > > namespace, and quite a few applications that don't require exec broke > > > exactly as I described below. > > > > > > If the user has CAP_SYS_ADMIN there are more container escape methods > > > than I can count, this is basically free pass to root on main namespace > > > anyway, you're not protecting anything. Please let people set the sysctl > > > to what they want. > > > > Yama has a similar setting, for example, 3 (YAMA_SCOPE_NO_ATTACH) > > will not allow downgrading at runtime. > > > > Since this is a security feature, not allowing downgrading at run time > > is part of the security consideration. I hope you understand. > > I didn't remember yama had this stuck bit; that still strikes me as > unusual, and if you require a custom LSM rule for memfd anyway I don't > see why it couldn't enforce that the sysctl is unchanged, but sure. > > Please, though: > - I have a hard time thinking of 1 as a security flag in general (even > if I do agree a sloppy LSM rule could require it); I would only lock 2 > - please make it clear, I don't see any entry in the sysctl > documentation[1] about memfd_noexec, there should be one and you can > copy the wording from yama's doc[2]: "Once set, this sysctl value cannot > be changed" > [1] Documentation/admin-guide/sysctl/vm.rst > [2] Documentation/admin-guide/LSM/Yama.rst > Thanks for the suggestion. Yes, it would be good to have some documentation. I will send patch to update Documentation/admin-guide/sysctl/vm.rst > > Either way as it stands I still don't think one can expect most > userspace applications to be converted until some libc wrapper takes > care of the retry logic and a couple of years, so I'll go look for > another way of filtering this (and eventually setting this to 1) as you > suggested. > I'll leave the follow-up up to you and won't bother you more. > Not bothered at all! and thanks for reporting the bug to improve the quality of memfd_noexec ! Much appreciated. -Jeff > Thanks, > -- > Dominique Martinet | Asmadeus
diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h index 07481bb87d4e..c758809d5bcf 100644 --- a/include/linux/pid_namespace.h +++ b/include/linux/pid_namespace.h @@ -16,6 +16,21 @@ struct fs_pin; +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) +/* + * sysctl for vm.memfd_noexec + * 0: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL + * acts like MFD_EXEC was set. + * 1: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL + * acts like MFD_NOEXEC_SEAL was set. + * 2: memfd_create() without MFD_NOEXEC_SEAL will be + * rejected. + */ +#define MEMFD_NOEXEC_SCOPE_EXEC 0 +#define MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL 1 +#define MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED 2 +#endif + struct pid_namespace { struct idr idr; struct rcu_head rcu; @@ -31,6 +46,10 @@ struct pid_namespace { struct ucounts *ucounts; int reboot; /* group exit code if this pidns was rebooted */ struct ns_common ns; +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) + /* sysctl for vm.memfd_noexec */ + int memfd_noexec_scope; +#endif } __randomize_layout; extern struct pid_namespace init_pid_ns; diff --git a/include/uapi/linux/memfd.h b/include/uapi/linux/memfd.h index 7a8a26751c23..273a4e15dfcf 100644 --- a/include/uapi/linux/memfd.h +++ b/include/uapi/linux/memfd.h @@ -8,6 +8,10 @@ #define MFD_CLOEXEC 0x0001U #define MFD_ALLOW_SEALING 0x0002U #define MFD_HUGETLB 0x0004U +/* not executable and sealed to prevent changing to executable. */ +#define MFD_NOEXEC_SEAL 0x0008U +/* executable */ +#define MFD_EXEC 0x0010U /* * Huge page size encoding when MFD_HUGETLB is specified, and a huge page diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c index f4f8cb0435b4..8a98b1af9376 100644 --- a/kernel/pid_namespace.c +++ b/kernel/pid_namespace.c @@ -23,6 +23,7 @@ #include <linux/sched/task.h> #include <linux/sched/signal.h> #include <linux/idr.h> +#include "pid_sysctl.h" static DEFINE_MUTEX(pid_caches_mutex); static struct kmem_cache *pid_ns_cachep; @@ -110,6 +111,8 @@ static struct pid_namespace *create_pid_namespace(struct user_namespace *user_ns ns->ucounts = ucounts; ns->pid_allocated = PIDNS_ADDING; + initialize_memfd_noexec_scope(ns); + return ns; out_free_idr: @@ -455,6 +458,8 @@ static __init int pid_namespaces_init(void) #ifdef CONFIG_CHECKPOINT_RESTORE register_sysctl_paths(kern_path, pid_ns_ctl_table); #endif + + register_pid_ns_sysctl_table_vm(); return 0; } diff --git a/kernel/pid_sysctl.h b/kernel/pid_sysctl.h new file mode 100644 index 000000000000..90a93161a122 --- /dev/null +++ b/kernel/pid_sysctl.h @@ -0,0 +1,59 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef LINUX_PID_SYSCTL_H +#define LINUX_PID_SYSCTL_H + +#include <linux/pid_namespace.h> + +#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE) +static inline void initialize_memfd_noexec_scope(struct pid_namespace *ns) +{ + ns->memfd_noexec_scope = + task_active_pid_ns(current)->memfd_noexec_scope; +} + +static int pid_mfd_noexec_dointvec_minmax(struct ctl_table *table, + int write, void *buf, size_t *lenp, loff_t *ppos) +{ + struct pid_namespace *ns = task_active_pid_ns(current); + struct ctl_table table_copy; + + if (write && !ns_capable(ns->user_ns, CAP_SYS_ADMIN)) + return -EPERM; + + table_copy = *table; + if (ns != &init_pid_ns) + table_copy.data = &ns->memfd_noexec_scope; + + /* + * set minimum to current value, the effect is only bigger + * value is accepted. + */ + if (*(int *)table_copy.data > *(int *)table_copy.extra1) + table_copy.extra1 = table_copy.data; + + return proc_dointvec_minmax(&table_copy, write, buf, lenp, ppos); +} + +static struct ctl_table pid_ns_ctl_table_vm[] = { + { + .procname = "memfd_noexec", + .data = &init_pid_ns.memfd_noexec_scope, + .maxlen = sizeof(init_pid_ns.memfd_noexec_scope), + .mode = 0644, + .proc_handler = pid_mfd_noexec_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_TWO, + }, + { } +}; +static struct ctl_path vm_path[] = { { .procname = "vm", }, { } }; +static inline void register_pid_ns_sysctl_table_vm(void) +{ + register_sysctl_paths(vm_path, pid_ns_ctl_table_vm); +} +#else +static inline void set_memfd_noexec_scope(struct pid_namespace *ns) {} +static inline void register_pid_ns_ctl_table_vm(void) {} +#endif + +#endif /* LINUX_PID_SYSCTL_H */ diff --git a/mm/memfd.c b/mm/memfd.c index 4ebeab94aa74..ec70675a7069 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -18,6 +18,7 @@ #include <linux/hugetlb.h> #include <linux/shmem_fs.h> #include <linux/memfd.h> +#include <linux/pid_namespace.h> #include <uapi/linux/memfd.h> /* @@ -263,12 +264,14 @@ long memfd_fcntl(struct file *file, unsigned int cmd, unsigned long arg) #define MFD_NAME_PREFIX_LEN (sizeof(MFD_NAME_PREFIX) - 1) #define MFD_NAME_MAX_LEN (NAME_MAX - MFD_NAME_PREFIX_LEN) -#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB) +#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB | MFD_NOEXEC_SEAL | MFD_EXEC) SYSCALL_DEFINE2(memfd_create, const char __user *, uname, unsigned int, flags) { + char comm[TASK_COMM_LEN]; + struct pid_namespace *ns; unsigned int *file_seals; struct file *file; int fd, error; @@ -285,6 +288,39 @@ SYSCALL_DEFINE2(memfd_create, return -EINVAL; } + /* Invalid if both EXEC and NOEXEC_SEAL are set.*/ + if ((flags & MFD_EXEC) && (flags & MFD_NOEXEC_SEAL)) + return -EINVAL; + + if (!(flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) { +#ifdef CONFIG_SYSCTL + int sysctl = MEMFD_NOEXEC_SCOPE_EXEC; + + ns = task_active_pid_ns(current); + if (ns) + sysctl = ns->memfd_noexec_scope; + + switch (sysctl) { + case MEMFD_NOEXEC_SCOPE_EXEC: + flags |= MFD_EXEC; + break; + case MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL: + flags |= MFD_NOEXEC_SEAL; + break; + default: + pr_warn_ratelimited( + "memfd_create(): MFD_NOEXEC_SEAL is enforced, pid=%d '%s'\n", + task_pid_nr(current), get_task_comm(comm, current)); + return -EINVAL; + } +#else + flags |= MFD_EXEC; +#endif + pr_warn_ratelimited( + "memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=%d '%s'\n", + task_pid_nr(current), get_task_comm(comm, current)); + } + /* length includes terminating zero */ len = strnlen_user(uname, MFD_NAME_MAX_LEN + 1); if (len <= 0) @@ -328,7 +364,15 @@ SYSCALL_DEFINE2(memfd_create, file->f_mode |= FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE; file->f_flags |= O_LARGEFILE; - if (flags & MFD_ALLOW_SEALING) { + if (flags & MFD_NOEXEC_SEAL) { + struct inode *inode = file_inode(file); + + inode->i_mode &= ~0111; + file_seals = memfd_file_seals_ptr(file); + *file_seals &= ~F_SEAL_SEAL; + *file_seals |= F_SEAL_EXEC; + } else if (flags & MFD_ALLOW_SEALING) { + /* MFD_EXEC and MFD_ALLOW_SEALING are set */ file_seals = memfd_file_seals_ptr(file); *file_seals &= ~F_SEAL_SEAL; }