2fb18b5d30
This brings in several patches needed to add support for a memfd_create() syscall into kernel version 3.4 from kernel version 3.17. This is required for running lxc >= 3.1.0-r1 with security patch that fixes CVE-2019-5736. In short, security issue was: in a privileged container root process could overwrite lxc-start executable by opening its file descriptor and rewriting executable contents. This is where memfd comes to help: you can create an in-memory file, copy your executable there, and place a set of SEALS to protect it from modifying at a deep level. Then you fexecve() that fd and you're safe. For example, pulseaudio also can benefit from having memfd_create() implemented. This backports the following commits from upstream linux: - dd37978c50bc8b354e5c4633f69387f16572fdac: cache the value of file_inode() in struct file commit from linux-3.10 to have an f_inode member inside struct file and a helper function file_inode() that is used in some of the following commits - 40e041a2c858b3caefc757e26cb85bfceae5062b shm: add sealing API from 3.17: security measure called SEALS, that you can put on memfd file to restrict operations on it - 9183df25fe7b194563db3fec6dc3202a5855839c shm: add memfd_create() syscall also from 3.17 - 503e6636b6f96056210062be703356f4253b6db9 asm-generic: add memfd_create system call to unistd.h - e57e41931134e09fc6c03c8d4eb19d516cc6e59b ARM: wire up memfd_create syscall The last two are needed to make the syscall visible/usable from userspace, one in generic context, other for ARM arch. The test program (https://github.com/minlexx/test_memfd/) was written to verify that this works. [ci:skip-build]: already built successfully in CI
198 lines
6.5 KiB
Diff
198 lines
6.5 KiB
Diff
From 01fc0d7a8df67bd3a1f2cf7ffd5f74c6fadd7c85 Mon Sep 17 00:00:00 2001
|
|
From: David Herrmann <dh.herrmann@gmail.com>
|
|
Date: Tue, 2 Jul 2019 02:36:29 +0300
|
|
Subject: [PATCH 3/5] shm: add memfd_create() syscall
|
|
|
|
memfd_create() is similar to mmap(MAP_ANON), but returns a file-descriptor
|
|
that you can pass to mmap(). It can support sealing and avoids any
|
|
connection to user-visible mount-points. Thus, it's not subject to quotas
|
|
on mounted file-systems, but can be used like malloc()'ed memory, but with
|
|
a file-descriptor to it.
|
|
|
|
memfd_create() returns the raw shmem file, so calls like ftruncate() can
|
|
be used to modify the underlying inode. Also calls like fstat() will
|
|
return proper information and mark the file as regular file. If you want
|
|
sealing, you can specify MFD_ALLOW_SEALING. Otherwise, sealing is not
|
|
supported (like on all other regular files).
|
|
|
|
Compared to O_TMPFILE, it does not require a tmpfs mount-point and is not
|
|
subject to a filesystem size limit. It is still properly accounted to
|
|
memcg limits, though, and to the same overcommit or no-overcommit
|
|
accounting as all user memory.
|
|
|
|
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
|
|
Acked-by: Hugh Dickins <hughd@google.com>
|
|
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
|
|
Cc: Ryan Lortie <desrt@desrt.ca>
|
|
Cc: Lennart Poettering <lennart@poettering.net>
|
|
Cc: Daniel Mack <zonque@gmail.com>
|
|
Cc: Andy Lutomirski <luto@amacapital.net>
|
|
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
---
|
|
arch/x86/syscalls/syscall_32.tbl | 2 +
|
|
arch/x86/syscalls/syscall_64.tbl | 2 +
|
|
include/linux/syscalls.h | 1 +
|
|
include/uapi/linux/memfd.h | 8 ++++
|
|
kernel/sys_ni.c | 1 +
|
|
mm/shmem.c | 74 ++++++++++++++++++++++++++++++++
|
|
6 files changed, 88 insertions(+)
|
|
create mode 100644 include/uapi/linux/memfd.h
|
|
|
|
diff --git a/arch/x86/syscalls/syscall_32.tbl b/arch/x86/syscalls/syscall_32.tbl
|
|
index 64e55260fbc..498d12b9af8 100644
|
|
--- a/arch/x86/syscalls/syscall_32.tbl
|
|
+++ b/arch/x86/syscalls/syscall_32.tbl
|
|
@@ -356,3 +356,5 @@
|
|
347 i386 process_vm_readv sys_process_vm_readv compat_sys_process_vm_readv
|
|
348 i386 process_vm_writev sys_process_vm_writev compat_sys_process_vm_writev
|
|
354 i386 seccomp sys_seccomp
|
|
+# 355 i386 getrandom sys_getrandom
|
|
+356 i386 memfd_create sys_memfd_create
|
|
diff --git a/arch/x86/syscalls/syscall_64.tbl b/arch/x86/syscalls/syscall_64.tbl
|
|
index 33335d11d7b..4887a0fa042 100644
|
|
--- a/arch/x86/syscalls/syscall_64.tbl
|
|
+++ b/arch/x86/syscalls/syscall_64.tbl
|
|
@@ -319,6 +319,8 @@
|
|
310 64 process_vm_readv sys_process_vm_readv
|
|
311 64 process_vm_writev sys_process_vm_writev
|
|
317 common seccomp sys_seccomp
|
|
+# 318 common getrandom sys_getrandom
|
|
+319 common memfd_create sys_memfd_create
|
|
|
|
#
|
|
# x32-specific system call numbers start at 512 to avoid cache impact
|
|
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
|
|
index da352d5a271..c1cc0e12cf4 100644
|
|
--- a/include/linux/syscalls.h
|
|
+++ b/include/linux/syscalls.h
|
|
@@ -813,6 +813,7 @@ asmlinkage long sys_timerfd_settime(int ufd, int flags,
|
|
asmlinkage long sys_timerfd_gettime(int ufd, struct itimerspec __user *otmr);
|
|
asmlinkage long sys_eventfd(unsigned int count);
|
|
asmlinkage long sys_eventfd2(unsigned int count, int flags);
|
|
+asmlinkage long sys_memfd_create(const char __user *uname_ptr, unsigned int flags);
|
|
asmlinkage long sys_fallocate(int fd, int mode, loff_t offset, loff_t len);
|
|
asmlinkage long sys_old_readdir(unsigned int, struct old_linux_dirent __user *, unsigned int);
|
|
asmlinkage long sys_pselect6(int, fd_set __user *, fd_set __user *,
|
|
diff --git a/include/uapi/linux/memfd.h b/include/uapi/linux/memfd.h
|
|
new file mode 100644
|
|
index 00000000000..9a772654307
|
|
--- /dev/null
|
|
+++ b/include/uapi/linux/memfd.h
|
|
@@ -0,0 +1,8 @@
|
|
+#ifndef _UAPI_LINUX_MEMFD_H
|
|
+#define _UAPI_LINUX_MEMFD_H
|
|
+
|
|
+/* flags for memfd_create(2) (unsigned int) */
|
|
+#define MFD_CLOEXEC 0x0001U
|
|
+#define MFD_ALLOW_SEALING 0x0002U
|
|
+
|
|
+#endif /* _UAPI_LINUX_MEMFD_H */
|
|
diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c
|
|
index 026f30a8985..b97ab3a6dc9 100644
|
|
--- a/kernel/sys_ni.c
|
|
+++ b/kernel/sys_ni.c
|
|
@@ -191,6 +191,7 @@ cond_syscall(compat_sys_timerfd_settime);
|
|
cond_syscall(compat_sys_timerfd_gettime);
|
|
cond_syscall(sys_eventfd);
|
|
cond_syscall(sys_eventfd2);
|
|
+cond_syscall(sys_memfd_create);
|
|
|
|
/* performance counters: */
|
|
cond_syscall(sys_perf_event_open);
|
|
diff --git a/mm/shmem.c b/mm/shmem.c
|
|
index 1a232f8d8cb..3b9580b0808 100644
|
|
--- a/mm/shmem.c
|
|
+++ b/mm/shmem.c
|
|
@@ -63,7 +63,9 @@ static struct vfsmount *shm_mnt;
|
|
#include <linux/highmem.h>
|
|
#include <linux/seq_file.h>
|
|
#include <linux/magic.h>
|
|
+#include <linux/syscalls.h>
|
|
#include <linux/fcntl.h>
|
|
+#include <uapi/linux/memfd.h>
|
|
|
|
#include <asm/uaccess.h>
|
|
#include <asm/pgtable.h>
|
|
@@ -2492,6 +2494,78 @@ static int shmem_show_options(struct seq_file *seq, struct dentry *root)
|
|
shmem_show_mpol(seq, sbinfo->mpol);
|
|
return 0;
|
|
}
|
|
+
|
|
+
|
|
+#define MFD_NAME_PREFIX "memfd:"
|
|
+#define MFD_NAME_PREFIX_LEN (sizeof(MFD_NAME_PREFIX) - 1)
|
|
+#define MFD_NAME_MAX_LEN (NAME_MAX - MFD_NAME_PREFIX_LEN)
|
|
+
|
|
+#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING)
|
|
+
|
|
+SYSCALL_DEFINE2(memfd_create,
|
|
+ const char __user *, uname,
|
|
+ unsigned int, flags)
|
|
+{
|
|
+ struct shmem_inode_info *info;
|
|
+ struct file *file;
|
|
+ int fd, error;
|
|
+ char *name;
|
|
+ long len;
|
|
+
|
|
+ if (flags & ~(unsigned int)MFD_ALL_FLAGS)
|
|
+ return -EINVAL;
|
|
+
|
|
+ /* length includes terminating zero */
|
|
+ len = strnlen_user(uname, MFD_NAME_MAX_LEN + 1);
|
|
+ if (len <= 0)
|
|
+ return -EFAULT;
|
|
+ if (len > MFD_NAME_MAX_LEN + 1)
|
|
+ return -EINVAL;
|
|
+
|
|
+ name = kmalloc(len + MFD_NAME_PREFIX_LEN, GFP_TEMPORARY);
|
|
+ if (!name)
|
|
+ return -ENOMEM;
|
|
+
|
|
+ strcpy(name, MFD_NAME_PREFIX);
|
|
+ if (copy_from_user(&name[MFD_NAME_PREFIX_LEN], uname, len)) {
|
|
+ error = -EFAULT;
|
|
+ goto err_name;
|
|
+ }
|
|
+
|
|
+ /* terminating-zero may have changed after strnlen_user() returned */
|
|
+ if (name[len + MFD_NAME_PREFIX_LEN - 1]) {
|
|
+ error = -EFAULT;
|
|
+ goto err_name;
|
|
+ }
|
|
+
|
|
+ fd = get_unused_fd_flags((flags & MFD_CLOEXEC) ? O_CLOEXEC : 0);
|
|
+ if (fd < 0) {
|
|
+ error = fd;
|
|
+ goto err_name;
|
|
+ }
|
|
+
|
|
+ file = shmem_file_setup(name, 0, VM_NORESERVE);
|
|
+ if (IS_ERR(file)) {
|
|
+ error = PTR_ERR(file);
|
|
+ goto err_fd;
|
|
+ }
|
|
+ info = SHMEM_I(file_inode(file));
|
|
+ file->f_mode |= FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE;
|
|
+ file->f_flags |= O_RDWR | O_LARGEFILE;
|
|
+ if (flags & MFD_ALLOW_SEALING)
|
|
+ info->seals &= ~F_SEAL_SEAL;
|
|
+
|
|
+ fd_install(fd, file);
|
|
+ kfree(name);
|
|
+ return fd;
|
|
+
|
|
+err_fd:
|
|
+ put_unused_fd(fd);
|
|
+err_name:
|
|
+ kfree(name);
|
|
+ return error;
|
|
+}
|
|
+
|
|
#endif /* CONFIG_TMPFS */
|
|
|
|
static void shmem_put_super(struct super_block *sb)
|
|
--
|
|
2.20.1
|
|
|