From nobody Fri Jun 19 15:47:29 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0E1E3C433F5 for ; Fri, 1 Apr 2022 22:08:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353240AbiDAWKq (ORCPT ); Fri, 1 Apr 2022 18:10:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47960 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353139AbiDAWKn (ORCPT ); Fri, 1 Apr 2022 18:10:43 -0400 Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 019C6338BC for ; Fri, 1 Apr 2022 15:08:51 -0700 (PDT) Received: by mail-pg1-x52d.google.com with SMTP id o13so3343129pgc.12 for ; Fri, 01 Apr 2022 15:08:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=+DU/KAvneVMZvyUwbOBCXJHatvzCCAIN7Ytl6QwY8EU=; b=cqZTfaay5ukidSBjk5VJHj3uRfyXZLHu+6BwWg5igbNAypA7YFLzCM7eBGIELFcM41 TMpSn72s+uFhNhHvOAB5qYJ+5aFs9q6EzNHjfSH4UmWO2384Lw5KgI0KRaaf7mMmoWgG 0XsVQsuI9rNDYkg9VT4YJ+gREdqlf4ss9Jdkk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=+DU/KAvneVMZvyUwbOBCXJHatvzCCAIN7Ytl6QwY8EU=; b=rbHKFhSv8nX/81ZckC3Qv2g/6rD+ZVX3gJmxc3TXSvW/eGan8ulM4Mt3KKs71ykIG+ cA3XTnO7+xvKakksWKDSLY9c/F0bvumgDnJosw8flmFMkvwI60H44ay4f04X0mT1O+yj H1xdIt0oJ0IqwhJjetwu5pGiUSr/SiaWG65KKhFKZ9FgNwoUlZE1D0guRiQSsUBRfvaR GNp925doMFz2/ctAnXvokmn/hN2lUqpRfYZBmFrNzDFw7CGh1AuJEaPgMX0B8b42Ppuc Mc9WqlZjK3xUOCtJvKcnQnXXFAUnN+MPQTVg63Txc8LUNAo/dzqViHLStW8pkdRLMUD+ CMfw== X-Gm-Message-State: AOAM5303yfR4uMiHkfg0l4wDC24g0xjMNQskXzXkSL75xOVHgex9lPKS qJtBtWGg+IBy/CA9aYkOR73DOA== X-Google-Smtp-Source: ABdhPJy2sy1C7CXcCxIY6R92ffiHpAxC/4GSwsnETPbbVJrLVIPp8s0futQO1QalpgQMGerY3kwZOw== X-Received: by 2002:a05:6a00:1702:b0:4fd:aae0:84a1 with SMTP id h2-20020a056a00170200b004fdaae084a1mr12964808pfc.12.1648850930427; Fri, 01 Apr 2022 15:08:50 -0700 (PDT) Received: from localhost ([2620:15c:202:201:72c9:527e:d936:c24b]) by smtp.gmail.com with UTF8SMTPSA id y3-20020a056a00190300b004fa2411bb92sm4331229pfi.93.2022.04.01.15.08.49 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Apr 2022 15:08:50 -0700 (PDT) From: Daniel Verkamp To: linux-mm@kvack.org Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Andrew Morton , Hugh Dickins , Mattias Nissler , Dmitry Torokhov , Kees Cook , Daniel Verkamp Subject: [PATCH 1/4] mm/memfd: add F_SEAL_EXEC Date: Fri, 1 Apr 2022 15:08:31 -0700 Message-Id: <20220401220834.307660-2-dverkamp@chromium.org> X-Mailer: git-send-email 2.35.1.1094.g7c7d902a7c-goog In-Reply-To: <20220401220834.307660-1-dverkamp@chromium.org> References: <20220401220834.307660-1-dverkamp@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" The new F_SEAL_EXEC flag will prevent modification of the exec bits: written as traditional octal mask, 0111, or as named flags, S_IXUSR | S_IXGRP | S_IXOTH. Any chmod(2) or similar call that attempts to modify any of these bits after the seal is applied will fail with errno EPERM. This will preserve the execute bits as they are at the time of sealing, so the memfd will become either permanently executable or permanently un-executable. Signed-off-by: Daniel Verkamp --- include/uapi/linux/fcntl.h | 1 + mm/memfd.c | 2 ++ mm/shmem.c | 6 ++++++ 3 files changed, 9 insertions(+) diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h index 2f86b2ad6d7e..a472ba69596c 100644 --- a/include/uapi/linux/fcntl.h +++ b/include/uapi/linux/fcntl.h @@ -43,6 +43,7 @@ #define F_SEAL_GROW 0x0004 /* prevent file from growing */ #define F_SEAL_WRITE 0x0008 /* prevent writes */ #define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped = */ +#define F_SEAL_EXEC 0x0020 /* prevent chmod modifying exec bits */ /* (1U << 31) is reserved for signed error codes */ =20 /* diff --git a/mm/memfd.c b/mm/memfd.c index 08f5f8304746..4ebeab94aa74 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -147,6 +147,7 @@ static unsigned int *memfd_file_seals_ptr(struct file *= file) } =20 #define F_ALL_SEALS (F_SEAL_SEAL | \ + F_SEAL_EXEC | \ F_SEAL_SHRINK | \ F_SEAL_GROW | \ F_SEAL_WRITE | \ @@ -175,6 +176,7 @@ static int memfd_add_seals(struct file *file, unsigned = int seals) * SEAL_SHRINK: Prevent the file from shrinking * SEAL_GROW: Prevent the file from growing * SEAL_WRITE: Prevent write access to the file + * SEAL_EXEC: Prevent modification of the exec bits in the file mode * * As we don't require any trust relationship between two parties, we * must prevent seals from being removed. Therefore, sealing a file diff --git a/mm/shmem.c b/mm/shmem.c index 529c9ad3e926..a5ca9675fc29 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1083,6 +1083,12 @@ static int shmem_setattr(struct user_namespace *mnt_= userns, if (error) return error; =20 + if ((info->seals & F_SEAL_EXEC) && (attr->ia_valid & ATTR_MODE)) { + if ((inode->i_mode ^ attr->ia_mode) & 0111) { + return -EPERM; + } + } + if (S_ISREG(inode->i_mode) && (attr->ia_valid & ATTR_SIZE)) { loff_t oldsize =3D inode->i_size; loff_t newsize =3D attr->ia_size; --=20 2.35.1.1094.g7c7d902a7c-goog From nobody Fri Jun 19 15:47:29 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF901C433F5 for ; Fri, 1 Apr 2022 22:09:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353256AbiDAWKz (ORCPT ); Fri, 1 Apr 2022 18:10:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48052 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353230AbiDAWKo (ORCPT ); Fri, 1 Apr 2022 18:10:44 -0400 Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A136736E01 for ; Fri, 1 Apr 2022 15:08:52 -0700 (PDT) Received: by mail-pl1-x62b.google.com with SMTP id x2so3560282plm.7 for ; Fri, 01 Apr 2022 15:08:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=GGy12Ftw4loYyE/TAP1mAYq+WnfJrqLYyR2nxuIM2Fs=; b=SL+SlsZQoHtn/QL8/tkQm0FjSPuHuOxWUbuUxvj8p1fi5KcysZoVhJslgdNUIpCfdx xMaLuCHkzzhLEtjWry6xZ18Kd8ePrZ0yDFhYQrDIwtgMlcC0xLi8wlA+UmB3/v01zVJM 6kkF19DbqpacsUKj/Tf9vROFF0KI1KSVapvFw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=GGy12Ftw4loYyE/TAP1mAYq+WnfJrqLYyR2nxuIM2Fs=; b=qTp2eUI9jghjoBQMrdv1UUhyg0Ru6o7yHYghgVNqx1WgUMdFpSLHJME8WW50xXKuU3 TGahIturYjFOHtrqFC+1410V+VZBdn/oWCm85y1FhW/uiwKct+wQrHRsGjIivyrfCXAO x97P0g5c7w0yDqjSYUDj+pgpd2S9lc5Bvs83ZWUSQrj0L3bpMOrQC2PqiTERXro82q30 YFUaokAysLhgPDfY3H7Xyj0mWXxktmHSjfXOh7u4b5n3Hn2Jy5UsQ449lZ0jw2QL19AY 7oTH3EuW6OE7oHIJ79V2UAgIDYKoKqprJFqF3uNf48zF71S+57E5xO2+dZROR70JRVIj LjAA== X-Gm-Message-State: AOAM530Bwjglq7dmQ9hUJuk9psJ+B85cqkGh27E50nuqfWKKYb+uKTgW PIZhp+PxGusL0faUMrYqdWJayg== X-Google-Smtp-Source: ABdhPJxNkBtR9kNWdwRtqqtUAaRI/gzMa1PZ+fRs6SHZlkmeP7URvCbay+i9SC3t8N/U0ppDaev6ew== X-Received: by 2002:a17:902:db0f:b0:154:665e:af75 with SMTP id m15-20020a170902db0f00b00154665eaf75mr48318074plx.147.1648850932149; Fri, 01 Apr 2022 15:08:52 -0700 (PDT) Received: from localhost ([2620:15c:202:201:72c9:527e:d936:c24b]) by smtp.gmail.com with UTF8SMTPSA id k18-20020a056a00135200b004fb18fc6c78sm4219370pfu.31.2022.04.01.15.08.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Apr 2022 15:08:51 -0700 (PDT) From: Daniel Verkamp To: linux-mm@kvack.org Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Andrew Morton , Hugh Dickins , Mattias Nissler , Dmitry Torokhov , Kees Cook , Daniel Verkamp Subject: [PATCH 2/4] mm/memfd: add MFD_NOEXEC flag to memfd_create Date: Fri, 1 Apr 2022 15:08:32 -0700 Message-Id: <20220401220834.307660-3-dverkamp@chromium.org> X-Mailer: git-send-email 2.35.1.1094.g7c7d902a7c-goog In-Reply-To: <20220401220834.307660-1-dverkamp@chromium.org> References: <20220401220834.307660-1-dverkamp@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" The new MFD_NOEXEC flag allows the creation of a permanently non-executable memfd. This is accomplished by creating it with a different set of file mode bits (0666) than the default (0777) and applying the F_SEAL_EXEC seal at creation time, so there is no window between memfd creation and seal application. Unfortunately, the default for memfd must remain executable, since changing this would be an API break, and some programs depend on being able to exec code from a memfd directly. However, this new flag will allow programs to create non-executable memfds, and a distribution may choose to enforce use of this flag in memfd_create calls via other security mechanisms. Signed-off-by: Daniel Verkamp --- include/uapi/linux/memfd.h | 1 + mm/memfd.c | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/memfd.h b/include/uapi/linux/memfd.h index 7a8a26751c23..140e125c9f65 100644 --- a/include/uapi/linux/memfd.h +++ b/include/uapi/linux/memfd.h @@ -8,6 +8,7 @@ #define MFD_CLOEXEC 0x0001U #define MFD_ALLOW_SEALING 0x0002U #define MFD_HUGETLB 0x0004U +#define MFD_NOEXEC 0x0008U =20 /* * Huge page size encoding when MFD_HUGETLB is specified, and a huge page diff --git a/mm/memfd.c b/mm/memfd.c index 4ebeab94aa74..b841514eb0fd 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -263,7 +263,7 @@ long memfd_fcntl(struct file *file, unsigned int cmd, u= nsigned long arg) #define MFD_NAME_PREFIX_LEN (sizeof(MFD_NAME_PREFIX) - 1) #define MFD_NAME_MAX_LEN (NAME_MAX - MFD_NAME_PREFIX_LEN) =20 -#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB) +#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB | MFD= _NOEXEC) =20 SYSCALL_DEFINE2(memfd_create, const char __user *, uname, @@ -333,6 +333,14 @@ SYSCALL_DEFINE2(memfd_create, *file_seals &=3D ~F_SEAL_SEAL; } =20 + if (flags & MFD_NOEXEC) { + struct inode *inode =3D file_inode(file); + + inode->i_mode &=3D ~0111; + file_seals =3D memfd_file_seals_ptr(file); + *file_seals |=3D F_SEAL_EXEC; + } + fd_install(fd, file); kfree(name); return fd; --=20 2.35.1.1094.g7c7d902a7c-goog From nobody Fri Jun 19 15:47:29 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 26FD1C433FE for ; Fri, 1 Apr 2022 22:09:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353241AbiDAWKw (ORCPT ); Fri, 1 Apr 2022 18:10:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48058 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353234AbiDAWKo (ORCPT ); Fri, 1 Apr 2022 18:10:44 -0400 Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BCAEB3B564 for ; Fri, 1 Apr 2022 15:08:54 -0700 (PDT) Received: by mail-pf1-x42e.google.com with SMTP id bo5so3835668pfb.4 for ; Fri, 01 Apr 2022 15:08:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=W2dIS9P9cYggnNka+4k4Gn63M8GjebQJazBSK4gQ59E=; b=Cr8pY9ZyZkOJCluc/iz4NzKGM5yjTCERCc07lJqJ64lxXC8WM7aZ3lRaioUTSrh1uP fnNA8gzv7T3fB/mIuXCSe/fDWMjiR+M9lYmcB1a56kj/OmmUyAJKjnV/XNb8nJ4v2hbZ upohpJPABZs86wqi/TJXNyrjsZ+clUnpfPNhU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=W2dIS9P9cYggnNka+4k4Gn63M8GjebQJazBSK4gQ59E=; b=4C7E+u8yvIleBX0hKp1v/eAypkadLzvtQhKI40yfIt6syxzYjOEc+RTakkvLVuX5tV axriPu81tu8LJNKXQ167FPjfP6U5R+CeqXM439AkjBOfNvvcii6B38zryl9hlRLUeWoF 9JMetRgeagCmcHIxDCVnVMqaeEf45O1D3SnD/XR0J6nmHUIKqweYdz746xG4VGf9lLms SfiGjWeWkl7t06ydd3vP+QmBUBxYU8Ks3I9BnLqzdG1gqGpS+YR4Gjcg5w8KkeSOhapL sH2NduWkr4PKpPieAGJl55BfRZdgIEUYw6+nHs5+3+Qi1W7G+Q/jVHSH6dEbtgsGxQM7 FSqQ== X-Gm-Message-State: AOAM532mOkE9z8NkxxV3r6gTgmYblotzSgonZkncSoi3nnUkoVancA/7 mtLDUPlX1TuhAGskpJQpmqmZOA== X-Google-Smtp-Source: ABdhPJzxAVHoX6VACxIQgKkefSjLO46zf4cJLaQQXIcLa57xWR5jeIRu2USsxHabbOHOptJtDZDWeg== X-Received: by 2002:a05:6a00:1488:b0:4fa:ac61:8b11 with SMTP id v8-20020a056a00148800b004faac618b11mr13204273pfu.58.1648850934155; Fri, 01 Apr 2022 15:08:54 -0700 (PDT) Received: from localhost ([2620:15c:202:201:72c9:527e:d936:c24b]) by smtp.gmail.com with UTF8SMTPSA id oc10-20020a17090b1c0a00b001c7510ed0c8sm14841905pjb.49.2022.04.01.15.08.52 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Apr 2022 15:08:53 -0700 (PDT) From: Daniel Verkamp To: linux-mm@kvack.org Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Andrew Morton , Hugh Dickins , Mattias Nissler , Dmitry Torokhov , Kees Cook , Daniel Verkamp Subject: [PATCH 3/4] selftests/memfd: add tests for F_SEAL_EXEC Date: Fri, 1 Apr 2022 15:08:33 -0700 Message-Id: <20220401220834.307660-4-dverkamp@chromium.org> X-Mailer: git-send-email 2.35.1.1094.g7c7d902a7c-goog In-Reply-To: <20220401220834.307660-1-dverkamp@chromium.org> References: <20220401220834.307660-1-dverkamp@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Basic tests to ensure that user/group/other execute bits cannot be changed after applying F_SEAL_EXEC to a memfd. Signed-off-by: Daniel Verkamp --- tools/testing/selftests/memfd/memfd_test.c | 80 ++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/sel= ftests/memfd/memfd_test.c index 94df2692e6e4..fdb0e46e9df9 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -28,6 +28,10 @@ #define MFD_DEF_SIZE 8192 #define STACK_SIZE 65536 =20 +#ifndef F_SEAL_EXEC +#define F_SEAL_EXEC 0x0020 +#endif + /* * Default is not to test hugetlbfs */ @@ -594,6 +598,48 @@ static void mfd_fail_grow_write(int fd) } } =20 +static void mfd_assert_mode(int fd, int mode) +{ + struct stat st; + + if (fstat(fd, &st) < 0) { + printf("fstat(%d) failed: %m\n", fd); + abort(); + } else if ((st.st_mode & 07777) !=3D mode) { + printf("wrong file mode 0%04o, but expected 0%04o\n", + (int)st.st_mode & 07777, mode); + abort(); + } +} + +static void mfd_assert_chmod(int fd, int mode) +{ + if (fchmod(fd, mode) < 0) { + printf("fchmod(0%04o) failed: %m\n", mode); + abort(); + } + + mfd_assert_mode(fd, mode); +} + +static void mfd_fail_chmod(int fd, int mode) +{ + struct stat st; + + if (fstat(fd, &st) < 0) { + printf("fstat(%d) failed: %m\n", fd); + abort(); + } + + if (fchmod(fd, mode) =3D=3D 0) { + printf("fchmod(0%04o) didn't fail as expected\n"); + abort(); + } + + /* verify that file mode bits did not change */ + mfd_assert_mode(fd, st.st_mode & 07777); +} + static int idle_thread_fn(void *arg) { sigset_t set; @@ -880,6 +926,39 @@ static void test_seal_resize(void) close(fd); } =20 +/* + * Test SEAL_EXEC + * Test that chmod() cannot change x bits after sealing + */ +static void test_seal_exec(void) +{ + int fd; + + printf("%s SEAL-EXEC\n", memfd_str); + + fd =3D mfd_assert_new("kern_memfd_seal_exec", + mfd_def_size, + MFD_CLOEXEC | MFD_ALLOW_SEALING); + + mfd_assert_mode(fd, 0777); + + mfd_assert_chmod(fd, 0644); + + mfd_assert_has_seals(fd, 0); + mfd_assert_add_seals(fd, F_SEAL_EXEC); + mfd_assert_has_seals(fd, F_SEAL_EXEC); + + mfd_assert_chmod(fd, 0600); + mfd_fail_chmod(fd, 0777); + mfd_fail_chmod(fd, 0670); + mfd_fail_chmod(fd, 0605); + mfd_fail_chmod(fd, 0700); + mfd_fail_chmod(fd, 0100); + mfd_assert_chmod(fd, 0666); + + close(fd); +} + /* * Test sharing via dup() * Test that seals are shared between dupped FDs and they're all equal. @@ -1059,6 +1138,7 @@ int main(int argc, char **argv) test_seal_shrink(); test_seal_grow(); test_seal_resize(); + test_seal_exec(); =20 test_share_dup("SHARE-DUP", ""); test_share_mmap("SHARE-MMAP", ""); --=20 2.35.1.1094.g7c7d902a7c-goog From nobody Fri Jun 19 15:47:29 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AB6C0C433FE for ; Fri, 1 Apr 2022 22:09:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353267AbiDAWK7 (ORCPT ); Fri, 1 Apr 2022 18:10:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48288 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353243AbiDAWKs (ORCPT ); Fri, 1 Apr 2022 18:10:48 -0400 Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 46A5F46176 for ; Fri, 1 Apr 2022 15:08:56 -0700 (PDT) Received: by mail-pl1-x62b.google.com with SMTP id i11so3540589plg.12 for ; Fri, 01 Apr 2022 15:08:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=lOkjGfGfl98SeySdZvzcrWOJEVOKytJoGvUFiOZ1aAI=; b=k3QYjMQbIkpZJu+RzninncrAbEnag3EmGlo4bQTg2Fc2+RK1oPVHKalNH09F6XaLOx k24r7rfB5xVIZvuu0s2NKWZ3DovCWTvt6Y0Y9zbNT6yHqQFH7IA3fZLbuFyHZSQeurjy G+A9aaph7FDTPINrdzYeKwqcjp/tXVW3oDQfc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=lOkjGfGfl98SeySdZvzcrWOJEVOKytJoGvUFiOZ1aAI=; b=S9yigVbDHO9tiCfymRCyx2TXGlgVMOJCJPPyKyyIX9wGDbQI3x5h3vxnmmH9qFKdKR h7CQE7OliLbDJ0btpSIZ3qPI68O7ZKioybugWajkCqBQja9k7DldBbDAxzJ7xiqcgWJZ M3t8MQ+RDN93UyLYulu6M9icXPFCI5IIX4PGDEO45I2FI4KtYduivHpdr70ltT5cy9Cg ousDXoyAFJC/IuIrEbkne94ji7/PmDiyQaEB3WNEiyHVFGsx3IaNsFmKSHKQhIK8ylWz AANYu9T3R5KTlbocX2lDn+NzygPiCCi/2zLUm0jEWVLWJOnK7xgglvFLyRvEV/XHZthV YbUQ== X-Gm-Message-State: AOAM5318gFIr31fgS1zBrch6dQ6QQAg5XaNfoT+8H8JQbQSn26ve1UHz RcCFuGSNp5vlj6ttK7FzEyFOpw== X-Google-Smtp-Source: ABdhPJw/qfYgMATifUmtsmB46MXU37QSE6npLKOGpPlqsWgKaI76Pgjk/RohjePaQficI+4rGcFbvQ== X-Received: by 2002:a17:90b:30ca:b0:1c9:a577:5e8c with SMTP id hi10-20020a17090b30ca00b001c9a5775e8cmr14185468pjb.227.1648850935864; Fri, 01 Apr 2022 15:08:55 -0700 (PDT) Received: from localhost ([2620:15c:202:201:72c9:527e:d936:c24b]) by smtp.gmail.com with UTF8SMTPSA id b19-20020a17090ae39300b001ca070d9dafsm8369294pjz.19.2022.04.01.15.08.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Apr 2022 15:08:55 -0700 (PDT) From: Daniel Verkamp To: linux-mm@kvack.org Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Andrew Morton , Hugh Dickins , Mattias Nissler , Dmitry Torokhov , Kees Cook , Daniel Verkamp Subject: [PATCH 4/4] selftests/memfd: add tests for MFD_NOEXEC Date: Fri, 1 Apr 2022 15:08:34 -0700 Message-Id: <20220401220834.307660-5-dverkamp@chromium.org> X-Mailer: git-send-email 2.35.1.1094.g7c7d902a7c-goog In-Reply-To: <20220401220834.307660-1-dverkamp@chromium.org> References: <20220401220834.307660-1-dverkamp@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Tests that ensure MFD_NOEXEC memfds have the appropriate mode bits and cannot be chmod-ed into being executable. Signed-off-by: Daniel Verkamp --- tools/testing/selftests/memfd/memfd_test.c | 34 ++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/sel= ftests/memfd/memfd_test.c index fdb0e46e9df9..a79567161cdf 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -32,6 +32,10 @@ #define F_SEAL_EXEC 0x0020 #endif =20 +#ifndef MFD_NOEXEC +#define MFD_NOEXEC 0x0008U +#endif + /* * Default is not to test hugetlbfs */ @@ -959,6 +963,35 @@ static void test_seal_exec(void) close(fd); } =20 +/* + * Test memfd_create with MFD_NOEXEC flag + * Test that MFD_NOEXEC applies F_SEAL_EXEC and prevents change of exec bi= ts + */ +static void test_noexec(void) +{ + int fd; + + printf("%s NOEXEC\n", memfd_str); + + /* Create with NOEXEC and ALLOW_SEALING */ + fd =3D mfd_assert_new("kern_memfd_noexec", + mfd_def_size, + MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_NOEXEC); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC); + mfd_fail_chmod(fd, 0777); + close(fd); + + /* Create with NOEXEC but without ALLOW_SEALING */ + fd =3D mfd_assert_new("kern_memfd_noexec", + mfd_def_size, + MFD_CLOEXEC | MFD_NOEXEC); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC | F_SEAL_SEAL); + mfd_fail_chmod(fd, 0777); + close(fd); +} + /* * Test sharing via dup() * Test that seals are shared between dupped FDs and they're all equal. @@ -1132,6 +1165,7 @@ int main(int argc, char **argv) =20 test_create(); test_basic(); + test_noexec(); =20 test_seal_write(); test_seal_future_write(); --=20 2.35.1.1094.g7c7d902a7c-goog