Re: [PATCH v2 1/2] mm: Implement memory-deny-write-execute as a prctl

From: David Hildenbrand
Date: Mon Jan 23 2023 - 06:46:46 EST

Next message: Conor.Dooley: "Re: [PATCH 06/15] soc: add Ambarella driver"
Previous message: Stefan Wahren: "Re: [PATCH v6 0/6] staging: vc04_services: vchiq: Register devices with a custom bus_type"
In reply to: Joey Gouly: "[PATCH v2 1/2] mm: Implement memory-deny-write-execute as a prctl"
Next in thread: Catalin Marinas: "Re: [PATCH v2 1/2] mm: Implement memory-deny-write-execute as a prctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 19.01.23 17:03, Joey Gouly wrote:

The aim of such policy is to prevent a user task from creating an
executable mapping that is also writeable.

An example of mmap() returning -EACCESS if the policy is enabled:

mmap(0, size, PROT_READ | PROT_WRITE | PROT_EXEC, flags, 0, 0);

Similarly, mprotect() would return -EACCESS below:

addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0);
mprotect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC);

The BPF filter that systemd MDWE uses is stateless, and disallows
mprotect() with PROT_EXEC completely. This new prctl allows PROT_EXEC to
be enabled if it was already PROT_EXEC, which allows the following case:

addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0);
mprotect(addr, size, PROT_READ | PROT_EXEC | PROT_BTI);

where PROT_BTI enables branch tracking identification on arm64.

Signed-off-by: Joey Gouly <joey.gouly@xxxxxxx>
Co-developed-by: Catalin Marinas <catalin.marinas@xxxxxxx>
Signed-off-by: Catalin Marinas <catalin.marinas@xxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
include/linux/mman.h | 34 ++++++++++++++++++++++++++++++++++
include/linux/sched/coredump.h | 6 +++++-
include/uapi/linux/prctl.h | 6 ++++++
kernel/sys.c | 33 +++++++++++++++++++++++++++++++++
mm/mmap.c | 10 ++++++++++
mm/mprotect.c | 5 +++++
6 files changed, 93 insertions(+), 1 deletion(-)

diff --git a/include/linux/mman.h b/include/linux/mman.h
index 58b3abd457a3..cee1e4b566d8 100644
--- a/include/linux/mman.h
+++ b/include/linux/mman.h
@@ -156,4 +156,38 @@ calc_vm_flag_bits(unsigned long flags)
}
unsigned long vm_commit_limit(void);
+
+/*
+ * Denies creating a writable executable mapping or gaining executable permissions.
+ *
+ * This denies the following:
+ *
+ * a) mmap(PROT_WRITE | PROT_EXEC)
+ *
+ * b) mmap(PROT_WRITE)
+ * mprotect(PROT_EXEC)
+ *
+ * c) mmap(PROT_WRITE)
+ * mprotect(PROT_READ)
+ * mprotect(PROT_EXEC)
+ *
+ * But allows the following:
+ *
+ * d) mmap(PROT_READ | PROT_EXEC)
+ * mmap(PROT_READ | PROT_EXEC | PROT_BTI)
+ */

Shouldn't we clear VM_MAYEXEC at mmap() time such that we cannot set VM_EXEC anymore? In an ideal world, there would be no further mprotect changes required.

--
Thanks,

David / dhildenb

Next message: Conor.Dooley: "Re: [PATCH 06/15] soc: add Ambarella driver"
Previous message: Stefan Wahren: "Re: [PATCH v6 0/6] staging: vc04_services: vchiq: Register devices with a custom bus_type"
In reply to: Joey Gouly: "[PATCH v2 1/2] mm: Implement memory-deny-write-execute as a prctl"
Next in thread: Catalin Marinas: "Re: [PATCH v2 1/2] mm: Implement memory-deny-write-execute as a prctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]