On Sun, Aug 27, 2023 at 3:09 PM Catalin Marinas <catalin.marinas@xxxxxxx> wrote:
>
> On Fri, Aug 25, 2023 at 03:38:36PM -0700, Kees Cook wrote:
> > On Tue, Jul 04, 2023 at 05:36:28PM +0200, Florent Revest wrote:
> > > static inline int prctl_set_mdwe(unsigned long bits, unsigned long arg3,
> > > unsigned long arg4, unsigned long arg5)
> > > {
> > > + unsigned long current_bits;
> > > +
> > > if (arg3 || arg4 || arg5)
> > > return -EINVAL;
> > >
> > > - if (bits & ~(PR_MDWE_REFUSE_EXEC_GAIN))
> > > + if (bits & ~(PR_MDWE_REFUSE_EXEC_GAIN | PR_MDWE_NO_INHERIT))
> > > + return -EINVAL;
> > > +
> > > + /* NO_INHERIT only makes sense with REFUSE_EXEC_GAIN */
> > > + if (bits & PR_MDWE_NO_INHERIT && !(bits & PR_MDWE_REFUSE_EXEC_GAIN))
> > > return -EINVAL;
> > >
> > > + current_bits = get_current_mdwe();
> > > + if (current_bits && current_bits != bits)
> > > + return -EPERM; /* Cannot unset the flags */
> >
> > I was pondering why PR_MDWE_NO_INHERIT can't be unset, but I guess it
> > doesn't matter. Anything forked will have it off, and any process
> > wanting to launch stuff before locking down can just skip running the
> > prctl() until later.
>
> I had a similar doubt initially but then realised that the no-inherit
> mode won't be inherited and concluded it's ok.

Indeed. We previously discussed that in
https://lore.kernel.org/all/CABRcYmLt2KsCoD8WzyCTxuY=6ppuWEqyLSDRXSsmXSxPLHtEzQ@xxxxxxxxxxxxxx/
and I agreed this doesn't matter for our use case and this keeps the code
a lot more maintainable :)
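Review bot: the `current_bits != bits` check is stricter than its comment states: besides rejecting an attempt to clear flags, it also rejects a caller that already has PR_MDWE_REFUSE_EXEC_GAIN set and now asks for PR_MDWE_REFUSE_EXEC_GAIN | PR_MDWE_NO_INHERIT, so a process can never add NO_INHERIT after the fact. If that is intended (the thread suggests it is, since the lockdown is meant to be one-shot), the comment should say so, e.g. "/* Once set, the flags can neither be cleared nor changed */", and the prctl(2) documentation for PR_SET_MDWE should state that the full flag set must be chosen on the first call. On a style point, checkpatch will want the left operand of the && in `if (bits & PR_MDWE_NO_INHERIT && !(bits & PR_MDWE_REFUSE_EXEC_GAIN))` parenthesised as `(bits & PR_MDWE_NO_INHERIT)`, matching the right-hand side; the precedence is already correct, so this is readability only. Also, get_current_mdwe() is not defined in this hunk, so a reviewer needs the rest of the series to confirm it returns exactly the bit set that prctl_set_mdwe() stores, otherwise the equality test can spuriously return -EPERM.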