Re: [PATCH v2 2/2] memfd:add MEMFD_NOEXEC_SEAL documentation

Hi Aleksa

On Thu, May 23, 2024 at 8:39 PM jeffxu@chromium.org wrote:

From: Jeff Xu jeffxu@google.com

Add documentation for MFD_NOEXEC_SEAL and MFD_EXEC

Cc: stable@vger.kernel.org Signed-off-by: Jeff Xu jeffxu@google.com

---

Documentation/userspace-api/index.rst | 1 + Documentation/userspace-api/mfd_noexec.rst | 90 ++++++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 Documentation/userspace-api/mfd_noexec.rst

diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst index 5926115ec0ed..8a251d71fa6e 100644 --- a/Documentation/userspace-api/index.rst +++ b/Documentation/userspace-api/index.rst @@ -32,6 +32,7 @@ Security-related interfaces seccomp_filter landlock lsm

• mfd_noexec spec_ctrl tee

diff --git a/Documentation/userspace-api/mfd_noexec.rst b/Documentation/userspace-api/mfd_noexec.rst new file mode 100644 index 000000000000..6f11ad86b076 --- /dev/null +++ b/Documentation/userspace-api/mfd_noexec.rst @@ -0,0 +1,90 @@ +.. SPDX-License-Identifier: GPL-2.0

+================================== +Introduction of non executable mfd +================================== +:Author:

• Daniel Verkamp dverkamp@chromium.org
• Jeff Xu jeffxu@google.com

+:Contributor:

•   Aleksa Sarai <cyphar@cyphar.com>
  

•   Barnabás Pőcze <pobrn@protonmail.com>
  

•   David Rheinsberg <david@readahead.eu>
  

+Since Linux introduced the memfd feature, memfd have always had their +execute bit set, and the memfd_create() syscall doesn't allow setting +it differently.

+However, in a secure by default system, such as ChromeOS, (where all +executables should come from the rootfs, which is protected by Verified +boot), this executable nature of memfd opens a door for NoExec bypass +and enables “confused deputy attack”. E.g, in VRP bug [1]: cros_vm +process created a memfd to share the content with an external process, +however the memfd is overwritten and used for executing arbitrary code +and root escalation. [2] lists more VRP in this kind.

+On the other hand, executable memfd has its legit use, runc uses memfd’s +seal and executable feature to copy the contents of the binary then +execute them, for such system, we need a solution to differentiate runc's +use of executable memfds and an attacker's [3].

+To address those above.

• • Let memfd_create() set X bit at creation time.
• • Let memfd be sealed for modifying X bit when NX is set.
• • A new pid namespace sysctl: vm.memfd_noexec to help applications to
• migrating and enforcing non-executable MFD.

+User API +======== +``int memfd_create(const char *name, unsigned int flags)``

+``MFD_NOEXEC_SEAL``

•   When MFD_NOEXEC_SEAL bit is set in the ``flags``, memfd is created
  

•   with NX. F_SEAL_EXEC is set and the memfd can't be modified to
  

•   add X later.
  

•   This is the most common case for the application to use memfd.
  

+``MFD_EXEC``

•   When MFD_EXEC bit is set in the ``flags``, memfd is created with X.
  

+Note:

•   ``MFD_NOEXEC_SEAL`` and ``MFD_EXEC`` doesn't change the sealable
  

•   characteristic of memfd, which is controlled by ``MFD_ALLOW_SEALING``.
  

+Sysctl: +======== +``pid namespaced sysctl vm.memfd_noexec``

+The new pid namespaced sysctl vm.memfd_noexec has 3 values:

• • 0: MEMFD_NOEXEC_SCOPE_EXEC

•   memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like
  

•   MFD_EXEC was set.
  

• • 1: MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL

•   memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like
  

•   MFD_NOEXEC_SEAL was set.
  

• • 2: MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED

•   memfd_create() without MFD_NOEXEC_SEAL will be rejected.
  

+The sysctl allows finer control of memfd_create for old-software that +doesn't set the executable bit, for example, a container with +vm.memfd_noexec=1 means the old-software will create non-executable memfd +by default while new-software can create executable memfd by setting +MFD_EXEC.

+The value of memfd_noexec is passed to child namespace at creation time, +in addition, the setting is hierarchical, i.e. during memfd_create, +we will search from current ns to root ns and use the most restrictive +setting.

Can you please help to review the sysctl part to check if I captured your change correctly ?

Thanks -Jeff

+Reference: +========== +[1] https://crbug.com/1305267

+[2] https://bugs.chromium.org/p/chromium/issues/list?q=type%3Dbug-security%20mem...

+[3] https://lwn.net/Articles/781013/

2.45.1.288.g0e0cd299f1-goog