On Fri, Nov 9, 2018 at 10:06 PM Jann Horn jannh@google.com wrote:

On Fri, Nov 9, 2018 at 9:46 PM Joel Fernandes (Google) joel@joelfernandes.org wrote:

...

Android uses ashmem for sharing memory regions. We are looking forward to migrating all usecases of ashmem to memfd so that we can possibly remove the ashmem driver in the future from staging while also benefiting from using memfd and contributing to it. Note staging drivers are also not ABI and generally can be removed at anytime.

One of the main usecases Android has is the ability to create a region and mmap it as writeable, then add protection against making any "future" writes while keeping the existing already mmap'ed writeable-region active. This allows us to implement a usecase where receivers of the shared memory buffer can get a read-only view, while the sender continues to write to the buffer. See CursorWindow documentation in Android for more details: https://developer.android.com/reference/android/database/CursorWindow

This usecase cannot be implemented with the existing F_SEAL_WRITE seal. To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal which prevents any future mmap and write syscalls from succeeding while keeping the existing mmap active.

Please CC linux-api@ on patches like this. If you had done that, I might have criticized your v1 patch instead of your v3 patch...

...

The following program shows the seal working in action:

[...]

...

Cc: jreck@google.com Cc: john.stultz@linaro.org Cc: tkjos@google.com Cc: gregkh@linuxfoundation.org Cc: hch@infradead.org Reviewed-by: John Stultz john.stultz@linaro.org Signed-off-by: Joel Fernandes (Google) joel@joelfernandes.org

---

[...]

...

diff --git a/mm/memfd.c b/mm/memfd.c index 2bb5e257080e..5ba9804e9515 100644 --- a/mm/memfd.c +++ b/mm/memfd.c

[...]

...

@@ -219,6 +220,25 @@ static int memfd_add_seals(struct file *file, unsigned int seals) } }

•   if ((seals & F_SEAL_FUTURE_WRITE) &&
  

•       !(*file_seals & F_SEAL_FUTURE_WRITE)) {
  

•           /*
  

•            * The FUTURE_WRITE seal also prevents growing and shrinking
  

•            * so we need them to be already set, or requested now.
  

•            */
  

•           int test_seals = (seals | *file_seals) &
  

•                            (F_SEAL_GROW | F_SEAL_SHRINK);
  

•           if (test_seals != (F_SEAL_GROW | F_SEAL_SHRINK)) {
  

•                   error = -EINVAL;
  

•                   goto unlock;
  

•           }
  

•           spin_lock(&file->f_lock);
  

•           file->f_mode &= ~(FMODE_WRITE | FMODE_PWRITE);
  

•           spin_unlock(&file->f_lock);
  

•   }
  

So you're fiddling around with the file, but not the inode? How are you preventing code like the following from re-opening the file as writable?

$ cat memfd.c #define _GNU_SOURCE #include <unistd.h> #include <sys/syscall.h> #include <printf.h> #include <fcntl.h> #include <err.h> #include <stdio.h>

int main(void) { int fd = syscall(__NR_memfd_create, "testfd", 0); if (fd == -1) err(1, "memfd"); char path[100]; sprintf(path, "/proc/self/fd/%d", fd); int fd2 = open(path, O_RDWR); if (fd2 == -1) err(1, "reopen"); printf("reopen successful: %d\n", fd2); } $ gcc -o memfd memfd.c $ ./memfd reopen successful: 4 $

That aside: I wonder whether a better API would be something that allows you to create a new readonly file descriptor, instead of fiddling with the writability of an existing fd.

My favorite approach would be to forbid open() on memfds, hope that nobody notices the tiny API break, and then add an ioctl for "reopen this memfd with reduced permissions" - but that's just my personal opinion.

On Nov 9, 2018, at 7:20 PM, Joel Fernandes joel@joelfernandes.org wrote:

...

On Fri, Nov 09, 2018 at 10:19:03PM +0100, Jann Horn wrote:

...

On Fri, Nov 9, 2018 at 10:06 PM Jann Horn jannh@google.com wrote: On Fri, Nov 9, 2018 at 9:46 PM Joel Fernandes (Google) joel@joelfernandes.org wrote:

...

Android uses ashmem for sharing memory regions. We are looking forward to migrating all usecases of ashmem to memfd so that we can possibly remove the ashmem driver in the future from staging while also benefiting from using memfd and contributing to it. Note staging drivers are also not ABI and generally can be removed at anytime.

One of the main usecases Android has is the ability to create a region and mmap it as writeable, then add protection against making any "future" writes while keeping the existing already mmap'ed writeable-region active. This allows us to implement a usecase where receivers of the shared memory buffer can get a read-only view, while the sender continues to write to the buffer. See CursorWindow documentation in Android for more details: https://developer.android.com/reference/android/database/CursorWindow

This usecase cannot be implemented with the existing F_SEAL_WRITE seal. To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal which prevents any future mmap and write syscalls from succeeding while keeping the existing mmap active.

Please CC linux-api@ on patches like this. If you had done that, I might have criticized your v1 patch instead of your v3 patch...

...

The following program shows the seal working in action:

[...]

...

Cc: jreck@google.com Cc: john.stultz@linaro.org Cc: tkjos@google.com Cc: gregkh@linuxfoundation.org Cc: hch@infradead.org Reviewed-by: John Stultz john.stultz@linaro.org Signed-off-by: Joel Fernandes (Google) joel@joelfernandes.org

---

[...]

...

diff --git a/mm/memfd.c b/mm/memfd.c index 2bb5e257080e..5ba9804e9515 100644 --- a/mm/memfd.c +++ b/mm/memfd.c

[...]

...

@@ -219,6 +220,25 @@ static int memfd_add_seals(struct file *file, unsigned int seals) } }

•   if ((seals & F_SEAL_FUTURE_WRITE) &&
  

•       !(*file_seals & F_SEAL_FUTURE_WRITE)) {
  

•           /*
  

•            * The FUTURE_WRITE seal also prevents growing and shrinking
  

•            * so we need them to be already set, or requested now.
  

•            */
  

•           int test_seals = (seals | *file_seals) &
  

•                            (F_SEAL_GROW | F_SEAL_SHRINK);
  

•           if (test_seals != (F_SEAL_GROW | F_SEAL_SHRINK)) {
  

•                   error = -EINVAL;
  

•                   goto unlock;
  

•           }
  

•           spin_lock(&file->f_lock);
  

•           file->f_mode &= ~(FMODE_WRITE | FMODE_PWRITE);
  

•           spin_unlock(&file->f_lock);
  

•   }
  

So you're fiddling around with the file, but not the inode? How are you preventing code like the following from re-opening the file as writable?

$ cat memfd.c #define _GNU_SOURCE #include <unistd.h> #include <sys/syscall.h> #include <printf.h> #include <fcntl.h> #include <err.h> #include <stdio.h>

int main(void) { int fd = syscall(__NR_memfd_create, "testfd", 0); if (fd == -1) err(1, "memfd"); char path[100]; sprintf(path, "/proc/self/fd/%d", fd); int fd2 = open(path, O_RDWR); if (fd2 == -1) err(1, "reopen"); printf("reopen successful: %d\n", fd2); } $ gcc -o memfd memfd.c $ ./memfd reopen successful: 4 $

That aside: I wonder whether a better API would be something that allows you to create a new readonly file descriptor, instead of fiddling with the writability of an existing fd.

My favorite approach would be to forbid open() on memfds, hope that nobody notices the tiny API break, and then add an ioctl for "reopen this memfd with reduced permissions" - but that's just my personal opinion.

I did something along these lines and it fixes the issue, but I forbid open of memfd only when the F_SEAL_FUTURE_WRITE seal is in place. So then its not an ABI break because this is a brand new seal. That seems the least intrusive solution and it works. Do you mind testing it and I'll add your and Tested-by to the new fix? The patch is based on top of this series.

---8<----------- From: "Joel Fernandes (Google)" joel@joelfernandes.org Subject: [PATCH] mm/memfd: Fix possible promotion to writeable of sealed memfd

Jann Horn found that reopening an F_SEAL_FUTURE_WRITE sealed memfd through /proc/self/fd/N symlink as writeable succeeds. The simplest fix without causing ABI breakages and ugly VFS hacks is to simply deny all opens on F_SEAL_FUTURE_WRITE sealed fds.

Reported-by: Jann Horn jannh@google.com Signed-off-by: Joel Fernandes (Google) joel@joelfernandes.org

---

mm/shmem.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)

diff --git a/mm/shmem.c b/mm/shmem.c index 446942677cd4..5b378c486b8f 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -3611,7 +3611,25 @@ static const struct address_space_operations shmem_aops = { .error_remove_page = generic_error_remove_page, };

+/* Could arrive here for memfds opened through /proc/ */ +int shmem_open(struct inode *inode, struct file *file) +{

• struct shmem_inode_info *info = SHMEM_I(inode);
• /*

• * memfds for which future writes have been prevented
  

• * should not be reopened, say, through /proc/pid/fd/N
  

• * symlinks otherwise it can cause a sealed memfd to be
  

• * promoted to writable.
  

• */
  

• if (info->seals & F_SEAL_FUTURE_WRITE)

•    return -EACCES;
  

• return 0;

+}

The result of this series is very warty. We have a concept of seals, and they all work similarly, except the new future write seal. That one:

- causes a probably-observable effect in the file mode in F_GETFL.

- causes reopen to fail.

- does *not* affect other struct files that may already exist on the same inode.

- mysteriously malfunctions if you try to set it again on another struct file that already exists

- probably is insecure when used on hugetlbfs.

I see two reasonable solutions:

1. Don’t fiddle with the struct file at all. Instead make the inode flag work by itself.

2. Don’t call it a “seal”. Instead fix the /proc hole and add an API to drop write access on an existing struct file.

I personally prefer #2.

static const struct file_operations shmem_file_operations = {

• .open = shmem_open, .mmap = shmem_mmap, .get_unmapped_area = shmem_get_unmapped_area,

#ifdef CONFIG_TMPFS

2.19.1.930.g4563a0d9d0-goog

On Sat, Nov 10, 2018 at 10:24 AM, Joel Fernandes joel@joelfernandes.org wrote:

Thanks Andy for your thoughts, my comments below:

On Fri, Nov 09, 2018 at 10:05:14PM -0800, Andy Lutomirski wrote:

...

...

On Nov 9, 2018, at 7:20 PM, Joel Fernandes joel@joelfernandes.org wrote:

...

On Fri, Nov 09, 2018 at 10:19:03PM +0100, Jann Horn wrote:

...

On Fri, Nov 9, 2018 at 10:06 PM Jann Horn jannh@google.com wrote: On Fri, Nov 9, 2018 at 9:46 PM Joel Fernandes (Google) joel@joelfernandes.org wrote:

...

Android uses ashmem for sharing memory regions. We are looking forward to migrating all usecases of ashmem to memfd so that we can possibly remove the ashmem driver in the future from staging while also benefiting from using memfd and contributing to it. Note staging drivers are also not ABI and generally can be removed at anytime.

One of the main usecases Android has is the ability to create a region and mmap it as writeable, then add protection against making any "future" writes while keeping the existing already mmap'ed writeable-region active. This allows us to implement a usecase where receivers of the shared memory buffer can get a read-only view, while the sender continues to write to the buffer. See CursorWindow documentation in Android for more details: https://developer.android.com/reference/android/database/CursorWindow

This usecase cannot be implemented with the existing F_SEAL_WRITE seal. To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal which prevents any future mmap and write syscalls from succeeding while keeping the existing mmap active.

Please CC linux-api@ on patches like this. If you had done that, I might have criticized your v1 patch instead of your v3 patch...

...

The following program shows the seal working in action:

[...]

...

Cc: jreck@google.com Cc: john.stultz@linaro.org Cc: tkjos@google.com Cc: gregkh@linuxfoundation.org Cc: hch@infradead.org Reviewed-by: John Stultz john.stultz@linaro.org Signed-off-by: Joel Fernandes (Google) joel@joelfernandes.org

---

[...]

...

diff --git a/mm/memfd.c b/mm/memfd.c index 2bb5e257080e..5ba9804e9515 100644 --- a/mm/memfd.c +++ b/mm/memfd.c

[...]

...

@@ -219,6 +220,25 @@ static int memfd_add_seals(struct file *file, unsigned int seals) } }

•   if ((seals & F_SEAL_FUTURE_WRITE) &&
  

•       !(*file_seals & F_SEAL_FUTURE_WRITE)) {
  

•           /*
  

•            * The FUTURE_WRITE seal also prevents growing and shrinking
  

•            * so we need them to be already set, or requested now.
  

•            */
  

•           int test_seals = (seals | *file_seals) &
  

•                            (F_SEAL_GROW | F_SEAL_SHRINK);
  

•           if (test_seals != (F_SEAL_GROW | F_SEAL_SHRINK)) {
  

•                   error = -EINVAL;
  

•                   goto unlock;
  

•           }
  

•           spin_lock(&file->f_lock);
  

•           file->f_mode &= ~(FMODE_WRITE | FMODE_PWRITE);
  

•           spin_unlock(&file->f_lock);
  

•   }
  

So you're fiddling around with the file, but not the inode? How are you preventing code like the following from re-opening the file as writable?

$ cat memfd.c #define _GNU_SOURCE #include <unistd.h> #include <sys/syscall.h> #include <printf.h> #include <fcntl.h> #include <err.h> #include <stdio.h>

int main(void) { int fd = syscall(__NR_memfd_create, "testfd", 0); if (fd == -1) err(1, "memfd"); char path[100]; sprintf(path, "/proc/self/fd/%d", fd); int fd2 = open(path, O_RDWR); if (fd2 == -1) err(1, "reopen"); printf("reopen successful: %d\n", fd2); } $ gcc -o memfd memfd.c $ ./memfd reopen successful: 4 $

That aside: I wonder whether a better API would be something that allows you to create a new readonly file descriptor, instead of fiddling with the writability of an existing fd.

My favorite approach would be to forbid open() on memfds, hope that nobody notices the tiny API break, and then add an ioctl for "reopen this memfd with reduced permissions" - but that's just my personal opinion.

I did something along these lines and it fixes the issue, but I forbid open of memfd only when the F_SEAL_FUTURE_WRITE seal is in place. So then its not an ABI break because this is a brand new seal. That seems the least intrusive solution and it works. Do you mind testing it and I'll add your and Tested-by to the new fix? The patch is based on top of this series.

---8<----------- From: "Joel Fernandes (Google)" joel@joelfernandes.org Subject: [PATCH] mm/memfd: Fix possible promotion to writeable of sealed memfd

Jann Horn found that reopening an F_SEAL_FUTURE_WRITE sealed memfd through /proc/self/fd/N symlink as writeable succeeds. The simplest fix without causing ABI breakages and ugly VFS hacks is to simply deny all opens on F_SEAL_FUTURE_WRITE sealed fds.

Reported-by: Jann Horn jannh@google.com Signed-off-by: Joel Fernandes (Google) joel@joelfernandes.org

---

mm/shmem.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)

diff --git a/mm/shmem.c b/mm/shmem.c index 446942677cd4..5b378c486b8f 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -3611,7 +3611,25 @@ static const struct address_space_operations shmem_aops = { .error_remove_page = generic_error_remove_page, };

+/* Could arrive here for memfds opened through /proc/ */ +int shmem_open(struct inode *inode, struct file *file) +{

• struct shmem_inode_info *info = SHMEM_I(inode);
• /*

• * memfds for which future writes have been prevented
  

• * should not be reopened, say, through /proc/pid/fd/N
  

• * symlinks otherwise it can cause a sealed memfd to be
  

• * promoted to writable.
  

• */
  

• if (info->seals & F_SEAL_FUTURE_WRITE)

•    return -EACCES;
  

• return 0;

+}

The result of this series is very warty. We have a concept of seals, and they all work similarly, except the new future write seal. That one:

I don't see it as warty, different seals will work differently. It works quite well for our usecase, and since Linux is all about solving real problems in the real work, it would be useful to have it.

...

• causes a probably-observable effect in the file mode in F_GETFL.

Wouldn't that be the right thing to observe anyway?

...

• causes reopen to fail.

So this concern isn't true anymore if we make reopen fail only for WRITE opens as Daniel suggested. I will make this change so that the security fix is a clean one.

...

• does *not* affect other struct files that may already exist on the same inode.

TBH if you really want to block all writes to the file, then you want F_SEAL_WRITE, not this seal. The usecase we have is the fd is sent over IPC to another process and we want to prevent any new writes in the receiver side. There is no way this other receiving process can have an existing fd unless it was already sent one without the seal applied. The proposed seal could be renamed to F_SEAL_FD_WRITE if that is preferred.

...

• mysteriously malfunctions if you try to set it again on another struct

file that already exists

I didn't follow this, could you explain more?

...

• probably is insecure when used on hugetlbfs.

The usecase is not expected to prevent all writes, indeed the usecase requires existing mmaps to continue to be able to write into the memory map. So would you call that a security issue too? The use of the seal wants to allow existing mmap regions to be continue to be written into (I mentioned more details in the cover letter).

...

I see two reasonable solutions:

1. Don’t fiddle with the struct file at all. Instead make the inode flag

work by itself.

Currently, the various VFS paths check only the struct file's f_mode to deny writes of already opened files. This would mean more checking in all those paths (and modification of all those paths).

Anyway going with that idea, we could

1. call deny_write_access(file) from the memfd's seal path which decrements

the inode::i_writecount. 2. call get_write_access(inode) in the various VFS paths in addition to checking for FMODE_*WRITE and deny the write (incase i_writecount is negative)

That will prevent both reopens, and writes from succeeding. However I worry a bit about 2 not being too familiar with VFS internals, about what the consequences of doing that may be.

IMHO, modifying both the inode and the struct file separately is fine, since they mean different things. In regular filesystems, it's fine to have a read-write open file description for a file whose inode grants write permission to nobody. Speaking of which: is fchmod enough to prevent this attack?

...

2. Don’t call it a “seal”. Instead fix the /proc hole and add an API to

drop write access on an existing struct file.

I personally prefer #2.

So I don't think proc has a hole looking at the code yesterday. As I was saying in other thread, its just how symlinks work. If we were to apply this API to files in general, and we had symlinks to files and we tried to reopen the file, we would run into the same issue - that's why I believe it has nothing to do with proc, and the fix has to be in the underlying inode being pointed to. Does that make sense or did I miss something?

+1. Another point to consider is that even if we did somehow fix the "proc hole", any other means (perhaps in the future) of obtaining an inode reference would then be insecure, perhaps silently. For example --- is there a way to use open_by_handle_at(2) to open a memfd file?

On Sat, Nov 10, 2018 at 07:40:10PM -0800, Andy Lutomirski wrote: [...]

...

...

...

...

...

>> I see two reasonable solutions: >> >> 1. Don’t fiddle with the struct file at all. Instead make the inode flag >> work by itself. > > Currently, the various VFS paths check only the struct file's f_mode to deny > writes of already opened files. This would mean more checking in all those > paths (and modification of all those paths). > > Anyway going with that idea, we could > 1. call deny_write_access(file) from the memfd's seal path which decrements > the inode::i_writecount. > 2. call get_write_access(inode) in the various VFS paths in addition to > checking for FMODE_*WRITE and deny the write (incase i_writecount is negative) > > That will prevent both reopens, and writes from succeeding. However I worry a > bit about 2 not being too familiar with VFS internals, about what the > consequences of doing that may be.

IMHO, modifying both the inode and the struct file separately is fine, since they mean different things. In regular filesystems, it's fine to have a read-write open file description for a file whose inode grants write permission to nobody. Speaking of which: is fchmod enough to prevent this attack?

Well, yes and no. fchmod does prevent reopening the file RW, but anyone with permissions (owner, CAP_FOWNER) can just fchmod it back. A seal is supposed to be irrevocable, so fchmod-as-inode-seal probably isn't sufficient by itself. While it might be good enough for Android (in the sense that it'll prevent RW-reopens from other security contexts to which we send an open memfd file), it's still conceptually ugly, IMHO. Let's go with the original approach of just tweaking the inode so that open-for-write is permanently blocked.

Agreed with the idea of modifying both file and inode flags. I was thinking modifying i_mode may do the trick but as you pointed it probably could be reverted by chmod or some other attribute setting calls.

OTOH, I don't think deny_write_access(file) can be reverted from any user-facing path so we could do that from the seal to prevent the future opens in write mode. I'll double check and test that out tomorrow.

This seems considerably more complicated and more fragile than needed. Just add a new F_SEAL_WRITE_FUTURE. Grep for F_SEAL_WRITE and make the _FUTURE variant work exactly like it with two exceptions:

• shmem_mmap and maybe its hugetlbfs equivalent should check for it and act

accordingly.

There's more to it than that, we also need to block future writes through write syscall, so we have to hook into the write path too once the seal is set, not just the mmap. That means we have to add code in mm/shmem.c to do that in all those handlers, to check for the seal (and hope we didn't miss a file_operations handler). Is that what you are proposing?

The existing code already does this. That’s why I suggested grepping :)

...

Also, it means we have to keep CONFIG_TMPFS enabled so that the shmem_file_operations write handlers like write_iter are hooked up. Currently memfd works even with !CONFIG_TMPFS.

If so, that sounds like it may already be a bug.

...

...

• add_seals won’t need the wait_for_pins and mapping_deny_write logic.

That really should be all that’s needed.

It seems a fair idea what you're saying. But I don't see how its less complex.. IMO its far more simple to have VFS do the denial of the operations based on the flags of its datastructures.. and if it works (which I will test to be sure it will), then we should be good.

I agree it’s complicated, but the code is already written. You should just need to adjust some masks.

Its actually not that bad and a great idea, I did something like the following and it works pretty well. I would say its cleaner than the old approach for sure (and I also added a /proc/pid/fd/N reopen test to the selftest and made sure that issue goes away).

Side note: One subtelty I discovered from the existing selftests is once the F_SEAL_WRITE are active, an mmap of PROT_READ and MAP_SHARED region is expected to fail. This is also evident from this code in mmap_region: if (vm_flags & VM_SHARED) { error = mapping_map_writable(file->f_mapping); if (error) goto allow_write_and_free_vma; }

---8<-----------------------

From: "Joel Fernandes (Google)" joel@joelfernandes.org Subject: [PATCH] mm/memfd: implement future write seal using shmem ops

Signed-off-by: Joel Fernandes (Google) joel@joelfernandes.org --- fs/hugetlbfs/inode.c | 2 +- mm/memfd.c | 19 ------------------- mm/shmem.c | 13 ++++++++++--- 3 files changed, 11 insertions(+), 23 deletions(-)

diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 32920a10100e..1978581abfdf 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct inode *inode, loff_t offset, loff_t len) inode_lock(inode);

/* protected by i_mutex */ - if (info->seals & F_SEAL_WRITE) { + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { inode_unlock(inode); return -EPERM; } diff --git a/mm/memfd.c b/mm/memfd.c index 5ba9804e9515..a9ece5fab439 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -220,25 +220,6 @@ static int memfd_add_seals(struct file *file, unsigned int seals) } }

- if ((seals & F_SEAL_FUTURE_WRITE) && - !(*file_seals & F_SEAL_FUTURE_WRITE)) { - /* - * The FUTURE_WRITE seal also prevents growing and shrinking - * so we need them to be already set, or requested now. - */ - int test_seals = (seals | *file_seals) & - (F_SEAL_GROW | F_SEAL_SHRINK); - - if (test_seals != (F_SEAL_GROW | F_SEAL_SHRINK)) { - error = -EINVAL; - goto unlock; - } - - spin_lock(&file->f_lock); - file->f_mode &= ~(FMODE_WRITE | FMODE_PWRITE); - spin_unlock(&file->f_lock); - } - *file_seals |= seals; error = 0;

diff --git a/mm/shmem.c b/mm/shmem.c index 446942677cd4..7dad7efd8b99 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2163,6 +2163,12 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)

static int shmem_mmap(struct file *file, struct vm_area_struct *vma) { + struct shmem_inode_info *info = SHMEM_I(file_inode(file)); + + /* New shared mmaps are not allowed when "future write" seal active. */ + if ((vma->vm_flags & VM_SHARED) && (info->seals & F_SEAL_FUTURE_WRITE)) + return -EPERM; + file_accessed(file); vma->vm_ops = &shmem_vm_ops; if (IS_ENABLED(CONFIG_TRANSPARENT_HUGE_PAGECACHE) && @@ -2391,8 +2397,9 @@ shmem_write_begin(struct file *file, struct address_space *mapping, pgoff_t index = pos >> PAGE_SHIFT;

/* i_mutex is held by caller */ - if (unlikely(info->seals & (F_SEAL_WRITE | F_SEAL_GROW))) { - if (info->seals & F_SEAL_WRITE) + if (unlikely(info->seals & (F_SEAL_GROW | + F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))) { + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) return -EPERM; if ((info->seals & F_SEAL_GROW) && pos + len > inode->i_size) return -EPERM; @@ -2657,7 +2664,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);

/* protected by i_mutex */ - if (info->seals & F_SEAL_WRITE) { + if (info->seals & F_SEAL_WRITE || info->seals & F_SEAL_FUTURE_WRITE) { error = -EPERM; goto out; }

On Nov 11, 2018, at 12:30 AM, Daniel Colascione dancol@google.com wrote:

...

On Sun, Nov 11, 2018 at 12:09 AM, Joel Fernandes joel@joelfernandes.org wrote: On Sat, Nov 10, 2018 at 07:40:10PM -0800, Andy Lutomirski wrote: [...]

...

...

...

...

>>>> I see two reasonable solutions: >>>> >>>> 1. Don’t fiddle with the struct file at all. Instead make the inode flag >>>> work by itself. >>> >>> Currently, the various VFS paths check only the struct file's f_mode to deny >>> writes of already opened files. This would mean more checking in all those >>> paths (and modification of all those paths). >>> >>> Anyway going with that idea, we could >>> 1. call deny_write_access(file) from the memfd's seal path which decrements >>> the inode::i_writecount. >>> 2. call get_write_access(inode) in the various VFS paths in addition to >>> checking for FMODE_*WRITE and deny the write (incase i_writecount is negative) >>> >>> That will prevent both reopens, and writes from succeeding. However I worry a >>> bit about 2 not being too familiar with VFS internals, about what the >>> consequences of doing that may be. >> >> IMHO, modifying both the inode and the struct file separately is fine, >> since they mean different things. In regular filesystems, it's fine to >> have a read-write open file description for a file whose inode grants >> write permission to nobody. Speaking of which: is fchmod enough to >> prevent this attack? > > Well, yes and no. fchmod does prevent reopening the file RW, but > anyone with permissions (owner, CAP_FOWNER) can just fchmod it back. A > seal is supposed to be irrevocable, so fchmod-as-inode-seal probably > isn't sufficient by itself. While it might be good enough for Android > (in the sense that it'll prevent RW-reopens from other security > contexts to which we send an open memfd file), it's still conceptually > ugly, IMHO. Let's go with the original approach of just tweaking the > inode so that open-for-write is permanently blocked.

Agreed with the idea of modifying both file and inode flags. I was thinking modifying i_mode may do the trick but as you pointed it probably could be reverted by chmod or some other attribute setting calls.

OTOH, I don't think deny_write_access(file) can be reverted from any user-facing path so we could do that from the seal to prevent the future opens in write mode. I'll double check and test that out tomorrow.

This seems considerably more complicated and more fragile than needed. Just add a new F_SEAL_WRITE_FUTURE. Grep for F_SEAL_WRITE and make the _FUTURE variant work exactly like it with two exceptions:

• shmem_mmap and maybe its hugetlbfs equivalent should check for it and act

accordingly.

There's more to it than that, we also need to block future writes through write syscall, so we have to hook into the write path too once the seal is set, not just the mmap. That means we have to add code in mm/shmem.c to do that in all those handlers, to check for the seal (and hope we didn't miss a file_operations handler). Is that what you are proposing?

The existing code already does this. That’s why I suggested grepping :)

...

Also, it means we have to keep CONFIG_TMPFS enabled so that the shmem_file_operations write handlers like write_iter are hooked up. Currently memfd works even with !CONFIG_TMPFS.

If so, that sounds like it may already be a bug.

Why shouldn't memfd work independently of CONFIG_TMPFS? In particular, write(2) on tmpfs FDs shouldn't work differently. If it does, that's a kernel implementation detail leaking out into userspace.

...

...

...

...

• add_seals won’t need the wait_for_pins and mapping_deny_write logic.

That really should be all that’s needed.

It seems a fair idea what you're saying. But I don't see how its less complex.. IMO its far more simple to have VFS do the denial of the operations based on the flags of its datastructures.. and if it works (which I will test to be sure it will), then we should be good.

I agree it’s complicated, but the code is already written. You should just need to adjust some masks.

Its actually not that bad and a great idea, I did something like the following and it works pretty well. I would say its cleaner than the old approach for sure (and I also added a /proc/pid/fd/N reopen test to the selftest and made sure that issue goes away).

Side note: One subtelty I discovered from the existing selftests is once the F_SEAL_WRITE are active, an mmap of PROT_READ and MAP_SHARED region is expected to fail. This is also evident from this code in mmap_region: if (vm_flags & VM_SHARED) { error = mapping_map_writable(file->f_mapping); if (error) goto allow_write_and_free_vma; }

This behavior seems like a bug. Why should MAP_SHARED writes be denied here? There's no semantic incompatibility between shared mappings and the seal. And I think this change would represent an ABI break using memfd seals for ashmem, since ashmem currently allows MAP_SHARED mappings after changing prot_mask.

Hmm. I’m guessing the intent is that the mmap count should track writable mappings in addition to mappings that could be made writable using mprotect. I think you could address this for SEAL_FUTURE in two ways:

1. In shmem_mmap, mask off VM_MAYWRITE if SEAL_FUTURE is set, or

2. Add a new vm operation that allows a vma to reject an mprotect attempt, like security_file_mprotect but per vma. Then give it reasonable semantics for shmem.

(1) probably gives the semantics you want for SEAL_FUTURE: old maps can be mprotected, but new maps can’t.

...

---8<-----------------------

From: "Joel Fernandes (Google)" joel@joelfernandes.org Subject: [PATCH] mm/memfd: implement future write seal using shmem ops

Signed-off-by: Joel Fernandes (Google) joel@joelfernandes.org

fs/hugetlbfs/inode.c | 2 +- mm/memfd.c | 19 ------------------- mm/shmem.c | 13 ++++++++++--- 3 files changed, 11 insertions(+), 23 deletions(-)

diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 32920a10100e..1978581abfdf 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct inode *inode, loff_t offset, loff_t len) inode_lock(inode);

           /* protected by i_mutex */

•           if (info->seals & F_SEAL_WRITE) {
  

•           if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
                   inode_unlock(inode);
                   return -EPERM;
           }
  

Maybe we can always set F_SEAL_FUTURE_WRITE when F_SEAL_WRITE so we can just test one bit except where the F_SEAL_WRITE behavior differs from F_SEAL_FUTURE_WRITE.

This could plausibly confuse existing users that read the seal mask.

On Nov 9, 2018, at 1:06 PM, Jann Horn jannh@google.com wrote:

+linux-api for API addition +hughd as FYI since this is somewhat related to mm/shmem

On Fri, Nov 9, 2018 at 9:46 PM Joel Fernandes (Google) joel@joelfernandes.org wrote:

...

Android uses ashmem for sharing memory regions. We are looking forward to migrating all usecases of ashmem to memfd so that we can possibly remove the ashmem driver in the future from staging while also benefiting from using memfd and contributing to it. Note staging drivers are also not ABI and generally can be removed at anytime.

One of the main usecases Android has is the ability to create a region and mmap it as writeable, then add protection against making any "future" writes while keeping the existing already mmap'ed writeable-region active. This allows us to implement a usecase where receivers of the shared memory buffer can get a read-only view, while the sender continues to write to the buffer. See CursorWindow documentation in Android for more details: https://developer.android.com/reference/android/database/CursorWindow

This usecase cannot be implemented with the existing F_SEAL_WRITE seal. To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal which prevents any future mmap and write syscalls from succeeding while keeping the existing mmap active.

Please CC linux-api@ on patches like this. If you had done that, I might have criticized your v1 patch instead of your v3 patch...

...

The following program shows the seal working in action:

[...]

...

Cc: jreck@google.com Cc: john.stultz@linaro.org Cc: tkjos@google.com Cc: gregkh@linuxfoundation.org Cc: hch@infradead.org Reviewed-by: John Stultz john.stultz@linaro.org Signed-off-by: Joel Fernandes (Google) joel@joelfernandes.org

---

[...]

...

diff --git a/mm/memfd.c b/mm/memfd.c index 2bb5e257080e..5ba9804e9515 100644 --- a/mm/memfd.c +++ b/mm/memfd.c

[...]

...

@@ -219,6 +220,25 @@ static int memfd_add_seals(struct file *file, unsigned int seals) } }

•   if ((seals & F_SEAL_FUTURE_WRITE) &&
  

•       !(*file_seals & F_SEAL_FUTURE_WRITE)) {
  

•           /*
  

•            * The FUTURE_WRITE seal also prevents growing and shrinking
  

•            * so we need them to be already set, or requested now.
  

•            */
  

•           int test_seals = (seals | *file_seals) &
  

•                            (F_SEAL_GROW | F_SEAL_SHRINK);
  

•           if (test_seals != (F_SEAL_GROW | F_SEAL_SHRINK)) {
  

•                   error = -EINVAL;
  

•                   goto unlock;
  

•           }
  

•           spin_lock(&file->f_lock);
  

•           file->f_mode &= ~(FMODE_WRITE | FMODE_PWRITE);
  

•           spin_unlock(&file->f_lock);
  

•   }
  

So you're fiddling around with the file, but not the inode? How are you preventing code like the following from re-opening the file as writable?

$ cat memfd.c #define _GNU_SOURCE #include <unistd.h> #include <sys/syscall.h> #include <printf.h> #include <fcntl.h> #include <err.h> #include <stdio.h>

int main(void) { int fd = syscall(__NR_memfd_create, "testfd", 0); if (fd == -1) err(1, "memfd"); char path[100]; sprintf(path, "/proc/self/fd/%d", fd); int fd2 = open(path, O_RDWR); if (fd2 == -1) err(1, "reopen"); printf("reopen successful: %d\n", fd2); } $ gcc -o memfd memfd.c $ ./memfd reopen successful: 4 $

That aside: I wonder whether a better API would be something that allows you to create a new readonly file descriptor, instead of fiddling with the writability of an existing fd.

Every now and then I try to write a patch to prevent using proc to reopen a file with greater permission than the original open.

I like your idea to have a clean way to reopen a a memfd with reduced permissions. But I would make it a syscall instead and maybe make it only work for memfd at first. And the proc issue would need to be fixed, too.

On Nov 9, 2018, at 2:20 PM, Daniel Colascione dancol@google.com wrote:

...

On Fri, Nov 9, 2018 at 1:06 PM, Jann Horn jannh@google.com wrote:

+linux-api for API addition +hughd as FYI since this is somewhat related to mm/shmem

On Fri, Nov 9, 2018 at 9:46 PM Joel Fernandes (Google) joel@joelfernandes.org wrote:

...

Android uses ashmem for sharing memory regions. We are looking forward to migrating all usecases of ashmem to memfd so that we can possibly remove the ashmem driver in the future from staging while also benefiting from using memfd and contributing to it. Note staging drivers are also not ABI and generally can be removed at anytime.

One of the main usecases Android has is the ability to create a region and mmap it as writeable, then add protection against making any "future" writes while keeping the existing already mmap'ed writeable-region active. This allows us to implement a usecase where receivers of the shared memory buffer can get a read-only view, while the sender continues to write to the buffer. See CursorWindow documentation in Android for more details: https://developer.android.com/reference/android/database/CursorWindow

This usecase cannot be implemented with the existing F_SEAL_WRITE seal. To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal which prevents any future mmap and write syscalls from succeeding while keeping the existing mmap active.

Please CC linux-api@ on patches like this. If you had done that, I might have criticized your v1 patch instead of your v3 patch...

...

The following program shows the seal working in action:

[...]

...

Cc: jreck@google.com Cc: john.stultz@linaro.org Cc: tkjos@google.com Cc: gregkh@linuxfoundation.org Cc: hch@infradead.org Reviewed-by: John Stultz john.stultz@linaro.org Signed-off-by: Joel Fernandes (Google) joel@joelfernandes.org

---

[...]

...

diff --git a/mm/memfd.c b/mm/memfd.c index 2bb5e257080e..5ba9804e9515 100644 --- a/mm/memfd.c +++ b/mm/memfd.c

[...]

...

@@ -219,6 +220,25 @@ static int memfd_add_seals(struct file *file, unsigned int seals) } }

•   if ((seals & F_SEAL_FUTURE_WRITE) &&
  

•       !(*file_seals & F_SEAL_FUTURE_WRITE)) {
  

•           /*
  

•            * The FUTURE_WRITE seal also prevents growing and shrinking
  

•            * so we need them to be already set, or requested now.
  

•            */
  

•           int test_seals = (seals | *file_seals) &
  

•                            (F_SEAL_GROW | F_SEAL_SHRINK);
  

•           if (test_seals != (F_SEAL_GROW | F_SEAL_SHRINK)) {
  

•                   error = -EINVAL;
  

•                   goto unlock;
  

•           }
  

•           spin_lock(&file->f_lock);
  

•           file->f_mode &= ~(FMODE_WRITE | FMODE_PWRITE);
  

•           spin_unlock(&file->f_lock);
  

•   }
  

So you're fiddling around with the file, but not the inode? How are you preventing code like the following from re-opening the file as writable?

Good catch. That's fixable too though, isn't it, just by fiddling with the inode, right?

True.

Another, more general fix might be to prevent /proc/pid/fd/N opens from "upgrading" access modes. But that'd be a bigger ABI break.

I think we should fix that, too. I consider it a bug fix, not an ABI break, personally.

...

That aside: I wonder whether a better API would be something that allows you to create a new readonly file descriptor, instead of fiddling with the writability of an existing fd.

That doesn't work, unfortunately. The ashmem API we're replacing with memfd requires file descriptor continuity. I also looked into opening a new FD and dup2(2)ing atop the old one, but this approach doesn't work in the case that the old FD has already leaked to some other context (e.g., another dup, SCM_RIGHTS). See https://developer.android.com/ndk/reference/group/memory. We can't break ASharedMemory_setProt.

Hmm. If we fix the general reopen bug, a way to drop write access from an existing struct file would do what Android needs, right? I don’t know if there are general VFS issues with that.

On Fri, Nov 09, 2018 at 10:06:31PM +0100, Jann Horn wrote:

+linux-api for API addition +hughd as FYI since this is somewhat related to mm/shmem

On Fri, Nov 9, 2018 at 9:46 PM Joel Fernandes (Google) joel@joelfernandes.org wrote:

...

Android uses ashmem for sharing memory regions. We are looking forward to migrating all usecases of ashmem to memfd so that we can possibly remove the ashmem driver in the future from staging while also benefiting from using memfd and contributing to it. Note staging drivers are also not ABI and generally can be removed at anytime.

One of the main usecases Android has is the ability to create a region and mmap it as writeable, then add protection against making any "future" writes while keeping the existing already mmap'ed writeable-region active. This allows us to implement a usecase where receivers of the shared memory buffer can get a read-only view, while the sender continues to write to the buffer. See CursorWindow documentation in Android for more details: https://developer.android.com/reference/android/database/CursorWindow

This usecase cannot be implemented with the existing F_SEAL_WRITE seal. To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal which prevents any future mmap and write syscalls from succeeding while keeping the existing mmap active.

Please CC linux-api@ on patches like this. If you had done that, I might have criticized your v1 patch instead of your v3 patch...

Ok, will do from next time.

...

The following program shows the seal working in action:

[...]

...

Cc: jreck@google.com Cc: john.stultz@linaro.org Cc: tkjos@google.com Cc: gregkh@linuxfoundation.org Cc: hch@infradead.org Reviewed-by: John Stultz john.stultz@linaro.org Signed-off-by: Joel Fernandes (Google) joel@joelfernandes.org

---

[...]

...

diff --git a/mm/memfd.c b/mm/memfd.c index 2bb5e257080e..5ba9804e9515 100644 --- a/mm/memfd.c +++ b/mm/memfd.c

[...]

...

@@ -219,6 +220,25 @@ static int memfd_add_seals(struct file *file, unsigned int seals) } }

•   if ((seals & F_SEAL_FUTURE_WRITE) &&
  

•       !(*file_seals & F_SEAL_FUTURE_WRITE)) {
  

•           /*
  

•            * The FUTURE_WRITE seal also prevents growing and shrinking
  

•            * so we need them to be already set, or requested now.
  

•            */
  

•           int test_seals = (seals | *file_seals) &
  

•                            (F_SEAL_GROW | F_SEAL_SHRINK);
  

•           if (test_seals != (F_SEAL_GROW | F_SEAL_SHRINK)) {
  

•                   error = -EINVAL;
  

•                   goto unlock;
  

•           }
  

•           spin_lock(&file->f_lock);
  

•           file->f_mode &= ~(FMODE_WRITE | FMODE_PWRITE);
  

•           spin_unlock(&file->f_lock);
  

•   }
  

So you're fiddling around with the file, but not the inode? How are you preventing code like the following from re-opening the file as writable?

$ cat memfd.c #define _GNU_SOURCE #include <unistd.h> #include <sys/syscall.h> #include <printf.h> #include <fcntl.h> #include <err.h> #include <stdio.h>

int main(void) { int fd = syscall(__NR_memfd_create, "testfd", 0); if (fd == -1) err(1, "memfd"); char path[100]; sprintf(path, "/proc/self/fd/%d", fd); int fd2 = open(path, O_RDWR); if (fd2 == -1) err(1, "reopen"); printf("reopen successful: %d\n", fd2); } $ gcc -o memfd memfd.c $ ./memfd reopen successful: 4

Great catch and this is indeed an issue :-(. I verified it too.

That aside: I wonder whether a better API would be something that allows you to create a new readonly file descriptor, instead of fiddling with the writability of an existing fd.

Android usecases cannot deal with a new fd number because it breaks the continuity of having the same old fd, as Dan also pointed out.

Also such API will have the same issues you brought up?

thanks,

- Joel