On Tue, May 23, 2023 at 6:36 PM Catalin Marinas <catalin.marinas@xxxxxxx> wrote: > > On Wed, May 17, 2023 at 05:03:20PM +0200, Florent Revest wrote: > > diff --git a/kernel/sys.c b/kernel/sys.c > > index 339fee3eff6a..320eae3b12ab 100644 > > --- a/kernel/sys.c > > +++ b/kernel/sys.c > > @@ -2368,9 +2368,25 @@ static inline int prctl_set_mdwe(unsigned long bits, unsigned long arg3, > > if (arg3 || arg4 || arg5) > > return -EINVAL; > > > > - if (bits & ~(PR_MDWE_REFUSE_EXEC_GAIN)) > > + if (bits & ~(PR_MDWE_REFUSE_EXEC_GAIN | PR_MDWE_NO_INHERIT)) > > return -EINVAL; > > > > + /* NO_INHERIT only makes sense with REFUSE_EXEC_GAIN */ > > + if (bits & PR_MDWE_NO_INHERIT && !(bits & PR_MDWE_REFUSE_EXEC_GAIN)) > > + return -EINVAL; > > + > > + /* Can't gain NO_INHERIT from !NO_INHERIT */ > > + if (bits & PR_MDWE_NO_INHERIT && > > + test_bit(MMF_HAS_MDWE, ¤t->mm->flags) && > > + !test_bit(MMF_HAS_MDWE_NO_INHERIT, ¤t->mm->flags)) > > + return -EPERM; > > + > > + if (bits & PR_MDWE_NO_INHERIT) > > + set_bit(MMF_HAS_MDWE_NO_INHERIT, ¤t->mm->flags); > > + else if (test_bit(MMF_HAS_MDWE_NO_INHERIT, ¤t->mm->flags) > > + && !(bits & PR_MDWE_REFUSE_EXEC_GAIN)) > > + return -EPERM; /* Cannot unset the flag */ Ugh, I had to proofread this 3 times to figure out what I was trying to do, not great. :( > Is this about not unsetting the MMF_HAS_MDWE bit? We already have a > check further down that covers this case. Actually, this was about not being able to unset _both_ NO_INHERIT and HAS_MDWE (this would gain capabilities)... While still being able to unset NO_INHERIT only (this reduces capabilities) > Related to this, do we want to allow unsetting MMF_HAS_MDWE_NO_INHERIT? > It looks like it can't be unset but no error either. But - sigh - as you point out, that second part wasn't implemented. It looks like I intended to add an: else clear_bit(MMF_HAS_MDWE_NO_INHERIT, ¤t->mm->flags); after that block but forgot... The idea was that: - setting no_inherit is always allowed - unsetting it is allowed iff we don't also unset REFUSE_EXEC_GAIN The "consecutive_prctl_flags" selftests in patch 5 were supposed to make the assumptions here easier to read and verify. This logic was meant to be covered by "cant_disable_mdwe_no_inherit" and "can_lower_privileges" but these tests only check that the "set" prctl succeeds and not that the end result is the expected one so I missed this. I'll improve the selftest in the next revision too so we can catch this more easily next time. > The above check, > IIUC, looks more like ensuring we don't clear MMF_HAS_MDWE. Indeed, without the else, it was useless. > Maybe we should tighten the logic here a bit and not allow any changes > after the initial flag setting: > > current->mm->flags == 0, we allow: > bits == 0 or > bits == PR_MDWE_REFUSE_EXEC_GAIN or > bits == PR_MDWE_REFUSE_EXEC_GAIN | PR_MDWE_NO_INHERIT > > current->mm->flags != 0 (some bits were set), we only allow the exactly > the same bit combination or -EPERM. > > So basically build the flags based on the PR_* input bits and compare > them with current->mm->flags when not 0, return -EPERM if different. I > think this preserves the ABI as we only have a single bit currently and > hopefully makes the logic here easier to parse. On one hand, I thought it would be nice to have the ability to transition from NO_INHERIT | REFUSE_EXEC_GAIN to REFUSE_EXEC_GAIN because, conceptually, it seems to me that we shouldn't prevent a process from dropping further capabilities. On the other hand, I don't think I have an actual need for that transition and I agree that if we don't try to handle it, the code here would become a lot easier to reason about. I'd certainly sleep better at night with the smaller likelihood of having screwed something up... :) Unless someone feels strongly otherwise, I'll do what you suggest in v3 > > @@ -2385,8 +2401,10 @@ static inline int prctl_get_mdwe(unsigned long arg2, unsigned long arg3, > > if (arg2 || arg3 || arg4 || arg5) > > return -EINVAL; > > > > - return test_bit(MMF_HAS_MDWE, ¤t->mm->flags) ? > > - PR_MDWE_REFUSE_EXEC_GAIN : 0; > > + return (test_bit(MMF_HAS_MDWE, ¤t->mm->flags) ? > > + PR_MDWE_REFUSE_EXEC_GAIN : 0) | > > + (test_bit(MMF_HAS_MDWE_NO_INHERIT, ¤t->mm->flags) ? > > + PR_MDWE_NO_INHERIT : 0); > > } > > Just personal preference, use explicit 'if' blocks and add bits to a > local variable variable than multiple ternary operators. Will do!
