From: Jeff Xu <jeffxu(a)chromium.org>
Since Linux introduced the memfd feature, memfds have always had their execute bit set, and the memfd_create() syscall doesn't allow setting it differently.
However, in a secure by default system, such as ChromeOS (where all executables should come from the rootfs, which is protected by Verified boot), this executable nature of memfd opens a door for NoExec bypass and enables a “confused deputy attack”. E.g., in VRP bug [1]: the cros_vm process created a memfd to share the content with an external process, however the memfd is overwritten and used for executing arbitrary code and root escalation. [2] lists more VRP of this kind.
On the other hand, executable memfd has its legit use: runc uses memfd’s seal and executable feature to copy the contents of the binary then execute them. For such a system, we need a solution to differentiate runc's use of executable memfds and an attacker's [3].
To address the above, this set of patches adds the following:
1> Let memfd_create() set X bit at creation time.
2> Let memfd be sealed for modifying X bit.
3> A new pid namespace sysctl: vm.memfd_noexec to control behavior of X bit. For example, if a container has vm.memfd_noexec=2, then memfd_create() without MFD_NOEXEC_SEAL will be rejected.
4> A new security hook in memfd_create(). This makes it possible for a new LSM to reject or allow executable memfd based on its security policy.
This is the V4 version of the patch: see [4] [5] [6] for previous versions.
[1] https://crbug.com/1305411
[2] https://bugs.chromium.org/p/chromium/issues/list?q=type%3Dbug-security%20me…
[3] https://lwn.net/Articles/781013/
[4] https://lwn.net/Articles/890096/
[5] https://lore.kernel.org/lkml/20220805222126.142525-1-jeffxu@chromium.org/
[6] https://lore.kernel.org/lkml/20221202013404.163143-1-jeffxu@chromium.org/
Daniel Verkamp (2):
mm/memfd: add F_SEAL_EXEC
selftests/memfd: add tests for F_SEAL_EXEC
Jeff Xu (4):
mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC
mm/memfd: Add write seals when apply SEAL_EXEC to executable memfd
selftests/memfd: add tests for MFD_NOEXEC_SEAL MFD_EXEC
mm/memfd: security hook for memfd_create
include/linux/lsm_hook_defs.h | 1 +
include/linux/lsm_hooks.h | 4 +
include/linux/pid_namespace.h | 19 ++
include/linux/security.h | 6 +
include/uapi/linux/fcntl.h | 1 +
include/uapi/linux/memfd.h | 4 +
kernel/pid_namespace.c | 48 ++++
mm/memfd.c | 61 ++++-
mm/shmem.c | 6 +
security/security.c | 13 +
tools/testing/selftests/memfd/fuse_test.c | 1 +
tools/testing/selftests/memfd/memfd_test.c | 304 ++++++++++++++++++++-
12 files changed, 465 insertions(+), 3 deletions(-)
base-commit: eb7081409f94a9a8608593d0fb63a1aa3d6f95d8
--
2.39.0.rc0.267.gcb52ba06e7-goog
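Added example, not part of the patch series or of any message in this thread: a small userspace check of items 1> and 2> above, creating a memfd with MFD_NOEXEC_SEAL and confirming that its X bits are clear, that F_SEAL_EXEC is set, and that chmod +x is refused. The flag values are assumed from the mainline uapi headers (the cover letter lists none), and the helper names are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed values from mainline uapi headers; the cover letter lists none. */
#ifndef MFD_NOEXEC_SEAL
#define MFD_NOEXEC_SEAL 0x0008U
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

enum audit { AUDIT_UNSUPPORTED = -1, AUDIT_WEAK = 0, AUDIT_NOEXEC_SEALED = 1 };

/* A memfd can be shared without becoming an exec vector only if its X bits
 * are clear, F_SEAL_EXEC pins them, and the kernel refuses chmod +x. */
static enum audit audit_memfd(int fd)
{
	struct stat st;
	int seals = fcntl(fd, F_GET_SEALS);

	if (seals < 0 || fstat(fd, &st) != 0)
		return AUDIT_UNSUPPORTED;
	if ((st.st_mode & 0111) || !(seals & F_SEAL_EXEC))
		return AUDIT_WEAK;
	return fchmod(fd, 0777) == 0 ? AUDIT_WEAK : AUDIT_NOEXEC_SEALED;
}

/* Create a data-only memfd, as a process sharing content should. */
static enum audit create_and_audit_noexec(void)
{
	enum audit res;
	int fd = memfd_create("shared-buf", MFD_CLOEXEC | MFD_NOEXEC_SEAL);

	if (fd < 0)	/* e.g. EINVAL on kernels without the flag */
		return AUDIT_UNSUPPORTED;
	res = audit_memfd(fd);
	close(fd);
	return res;
}

int main(void)
{
	static const char *msg[] = { "flag unsupported",
		"X bit still changeable", "sealed non-executable" };
	enum audit res = create_and_audit_noexec();

	printf("MFD_NOEXEC_SEAL memfd: %s\n", msg[res + 1]);
	return res == AUDIT_WEAK;
}
```

audit_memfd() can also be pointed at a memfd received from another process before its contents are trusted as data only.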
Currently in order to test a static function, tests must be included in the
same translation unit as the function. However, this can cause issues with
including implementation and test code in the same file. As an alternative,
the first patch in this series creates a macro that will set a function to
be static or not depending on whether CONFIG_KUNIT is enabled. This allows
the function to be visible during testing and static otherwise.
As an example, the current status quo to test static functions is:
=== test.c ===
static void test_case(struct kunit *test)
{
	KUNIT_EXPECT_EQ(test, my_func_to_test(), 2);
}
Then the tests are included in the implementation file as a workaround to
the issue of testing static functions:
=== implementation.c ===
static int my_func_to_test() {...}
...
#include "test.c"
Instead, the function could be defined with this new macro:
=== implementation.c ===
VISIBLE_IF_KUNIT int my_func_to_test() {...}
The first patch also creates a macro that will export a symbol into a kunit
testing namespace only if CONFIG_KUNIT is enabled. This follows the logic
above and allows symbols to be conditionally exported based on the testing
status.
The second patch in the series updates the policy_unpack test in AppArmor
to show an example of how to use both of these macros in order to address
the issue of testing static functions.
Thanks!
-Rae
Changes since v1:
- Changed the namespace of exported symbols for the apparmor
policy_unpack_test by adding the aa_ prefix.
- Separated the documentation comments for macros in
include/kunit/visibility.h.
- Changed copyright date and author for include/kunit/visibility.h.
Rae Moar (2):
kunit: add macro to allow conditionally exposing static symbols to
tests
apparmor: test: make static symbols visible during kunit testing
include/kunit/visibility.h | 33 +++
security/apparmor/Kconfig | 4 +-
security/apparmor/Makefile | 2 +
security/apparmor/include/policy_unpack.h | 50 +++++
security/apparmor/policy_unpack.c | 238 ++++++++++------------
security/apparmor/policy_unpack_test.c | 69 ++++---
6 files changed, 228 insertions(+), 168 deletions(-)
create mode 100644 include/kunit/visibility.h
base-commit: 0f08f3e2a0186dfb8e33cb46105228eb18448a0e
--
2.39.0.rc0.267.gcb52ba06e7-goog
I finally had the time to run some of the selftests written by me
(especially "cow") on x86 PAE. I found some unexpected "surprises" :)
With these changes, and with [1] on top of mm-unstable, the "cow" tests and
the "ksm_functional_tests" compile and pass as expected (expected failures
with hugetlb in the "cow" tests). "madv_populate" has one expected test
failure -- x86 does not support softdirty tracking.
#1-#3 fix commits with stable commit ids. #4 fixes a test that is not in
mm-stable yet.
A note that there are many other compile errors/warnings when compiling
on 32bit and with older Linux headers ... something for another day.
[1] https://lkml.kernel.org/r/20221205150857.167583-1-david@redhat.com
Cc: Andrew Morton <akpm(a)linux-foundation.org>
Cc: Shuah Khan <shuah(a)kernel.org>
Cc: Yang Li <yang.lee(a)linux.alibaba.com>
David Hildenbrand (4):
mm/gup_test: fix PIN_LONGTERM_TEST_READ with highmem
selftests/vm: madv_populate: fix missing MADV_POPULATE_(READ|WRITE)
definitions
selftests/vm: cow: fix compile warning on 32bit
selftests/vm: ksm_functional_tests: fixes for 32bit
mm/gup_test.c | 10 +++++++---
tools/testing/selftests/vm/cow.c | 4 ++--
tools/testing/selftests/vm/ksm_functional_tests.c | 4 ++--
tools/testing/selftests/vm/madv_populate.c | 7 +++++++
tools/testing/selftests/vm/vm_util.c | 2 +-
5 files changed, 19 insertions(+), 8 deletions(-)
--
2.38.1
Hi there,
this is the v2 of the patchset. The v1 can be found at [1]. There is only one
change in patch 1, which changed the target directory to build the test modules.
All other changes happen in patch 2.
Thanks for reviewing!
Changes from v1:
# test_modules/Makefile
* Build the test modules targeting /lib/modules, instead of ksrc when building
from the kernel source.
# test_modules/test_klp_syscall.c
* Added a parameter array to receive the pids that should transition to the
new system call. (suggested by Joe)
* Create a new sysfs file /sys/kernel/test_klp_syscall/npids to show how many
pids from the argument need to transition to the new state. (suggested by
Joe)
* Fix the PPC32 support by adding the syscall wrapper for archs that select it
by default, without erroring out. PPC does not set SYSCALL_WRAPPER, so
having it set in v1 was a mistake. (suggested by Joe)
* The aarch64 syscall prefix was added too, since the livepatch support will come soon.
# test_binaries/test_klp-call_getpid.c
* Change %d/%u in printf (suggested by Joe)
* Change run -> stop variable name, and inverted the assignments (suggested by
Joe).
# File test-syscall.sh
* Fixed test-syscall.sh to call test_klp-call-getpid in test_binaries dir
* Load test_klp_syscall, passing the pids of the test_klp-call_getpid instances.
Check the sysfs file from test_klp_syscall module to check that all pids
transitioned correctly. (suggested by Joe)
* Simplified the loop that calls test_klp-call_getpid. (suggested by Joe)
* Removed the "success" comment from the script, as it's implicit that it
succeeded. Otherwise load_lp would error out. (suggested by Joe)
* Changed the commit message of patch 2 to further detail what "tricky" means
when livepatching syscalls. (suggested by Joe)
[1]: 20220603143242.870-1-mpdesouza(a)suse.com
Marcos Paulo de Souza (2):
livepatch: Move tests from lib/livepatch to selftests/livepatch
selftests: livepatch: Test livepatching a heavily called syscall
arch/s390/configs/debug_defconfig | 1 -
arch/s390/configs/defconfig | 1 -
lib/Kconfig.debug | 22 ---
lib/Makefile | 2 -
lib/livepatch/Makefile | 14 --
tools/testing/selftests/livepatch/Makefile | 35 +++-
tools/testing/selftests/livepatch/README | 5 +-
tools/testing/selftests/livepatch/config | 1 -
.../testing/selftests/livepatch/functions.sh | 34 ++--
.../selftests/livepatch/test-callbacks.sh | 50 +++---
.../selftests/livepatch/test-ftrace.sh | 6 +-
.../selftests/livepatch/test-livepatch.sh | 10 +-
.../selftests/livepatch/test-shadow-vars.sh | 2 +-
.../testing/selftests/livepatch/test-state.sh | 18 +--
.../selftests/livepatch/test-syscall.sh | 52 ++++++
.../test_binaries/test_klp-call_getpid.c | 48 ++++++
.../selftests/livepatch/test_modules/Makefile | 20 +++
.../test_modules}/test_klp_atomic_replace.c | 0
.../test_modules}/test_klp_callbacks_busy.c | 0
.../test_modules}/test_klp_callbacks_demo.c | 0
.../test_modules}/test_klp_callbacks_demo2.c | 0
.../test_modules}/test_klp_callbacks_mod.c | 0
.../test_modules}/test_klp_livepatch.c | 0
.../test_modules}/test_klp_shadow_vars.c | 0
.../livepatch/test_modules}/test_klp_state.c | 0
.../livepatch/test_modules}/test_klp_state2.c | 0
.../livepatch/test_modules}/test_klp_state3.c | 0
.../livepatch/test_modules/test_klp_syscall.c | 150 ++++++++++++++++++
28 files changed, 360 insertions(+), 111 deletions(-)
delete mode 100644 lib/livepatch/Makefile
create mode 100755 tools/testing/selftests/livepatch/test-syscall.sh
create mode 100644 tools/testing/selftests/livepatch/test_binaries/test_klp-call_getpid.c
create mode 100644 tools/testing/selftests/livepatch/test_modules/Makefile
rename {lib/livepatch => tools/testing/selftests/livepatch/test_modules}/test_klp_atomic_replace.c (100%)
rename {lib/livepatch => tools/testing/selftests/livepatch/test_modules}/test_klp_callbacks_busy.c (100%)
rename {lib/livepatch => tools/testing/selftests/livepatch/test_modules}/test_klp_callbacks_demo.c (100%)
rename {lib/livepatch => tools/testing/selftests/livepatch/test_modules}/test_klp_callbacks_demo2.c (100%)
rename {lib/livepatch => tools/testing/selftests/livepatch/test_modules}/test_klp_callbacks_mod.c (100%)
rename {lib/livepatch => tools/testing/selftests/livepatch/test_modules}/test_klp_livepatch.c (100%)
rename {lib/livepatch => tools/testing/selftests/livepatch/test_modules}/test_klp_shadow_vars.c (100%)
rename {lib/livepatch => tools/testing/selftests/livepatch/test_modules}/test_klp_state.c (100%)
rename {lib/livepatch => tools/testing/selftests/livepatch/test_modules}/test_klp_state2.c (100%)
rename {lib/livepatch => tools/testing/selftests/livepatch/test_modules}/test_klp_state3.c (100%)
create mode 100644 tools/testing/selftests/livepatch/test_modules/test_klp_syscall.c
--
2.35.3
Currently in order to test a static function, tests must be included in the
same translation unit as the function. However, this can cause issues with
including implementation and test code in the same file. As an alternative,
the first patch in this series creates a macro that will set a function to
be static or not depending on whether CONFIG_KUNIT is enabled. This allows
the function to be visible during testing and static otherwise.
As an example, the current status quo to test static functions is:
=== test.c ===
static void test_case(struct kunit *test)
{
	KUNIT_EXPECT_EQ(test, my_func_to_test(), 2);
}
Then the tests are included in the implementation file as a workaround to
the issue of testing static functions:
=== implementation.c ===
static int my_func_to_test() {...}
...
#include "test.c"
Instead, the function could be defined with this new macro:
=== implementation.c ===
VISIBLE_IF_KUNIT int my_func_to_test() {...}
The first patch also creates a macro that will export a symbol into a kunit
testing namespace only if CONFIG_KUNIT is enabled. This follows the logic
above and allows symbols to be conditionally exported based on the testing
status.
The second patch in the series updates the policy_unpack test in AppArmor
to show an example of how to use both of these macros in order to address
the issue of testing static functions.
Rae Moar (2):
kunit: add macro to allow conditionally exposing static symbols to
tests
apparmor: test: make static symbols visible during kunit testing
include/kunit/visibility.h | 32 ++++++++++
security/apparmor/Kconfig | 4 +-
security/apparmor/Makefile | 2 +
security/apparmor/include/policy_unpack.h | 50 ++++++++++++++++
security/apparmor/policy_unpack.c | 72 +++++++----------------
security/apparmor/policy_unpack_test.c | 5 ++
6 files changed, 112 insertions(+), 53 deletions(-)
create mode 100644 include/kunit/visibility.h
base-commit: 11e76194937b506caf1b49512c42d5c2588681d7
--
2.38.1.273.g43a17bfeac-goog