Skip to content

[1.2] exeseal: do not use F_SEAL_FUTURE_WRITE #4651

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 27, 2025
Merged

[1.2] exeseal: do not use F_SEAL_FUTURE_WRITE #4651

merged 1 commit into from
Feb 27, 2025

Conversation

kolyshkin
Copy link
Contributor

This is a backport of #4641 to release 1.2. Original description follows.

Prior to kernel Linux 5.5, F_SEAL_FUTURE_WRITE has a bug which maps memory as shared between processes even if it is set as private. See kernel commit 05d351102dbe ("mm, memfd: fix COW issue on MAP_PRIVATE and F_SEAL_FUTURE_WRITE mappings") for more details.

According to the fcntl(2) man pages, F_SEAL_WRITE is enough:

Furthermore, trying to create new shared, writable memory-mappings via
mmap(2) will also fail with EPERM.

Using the F_ADD_SEALS operation to set the F_SEAL_WRITE seal fails
with EBUSY if any writable, shared mapping exists. Such mappings must
be unmapped before you can add this seal.

F_SEAL_FUTURE_WRITE only makes sense if a read-write shared mapping in one process should be read-only in another process. This is not case for runc, especially not for the /proc/self/exe we are protecting.

(cyphar: improve the comment regarding F_SEAL_FUTURE_WRITE)
(cyphar: improve commit message)

(cherry picked from commit c43ea7d)

@tomaszduda23 @kolyshkin
exeseal: do not use F_SEAL_FUTURE_WRITE
e11430a 
Prior to kernel Linux 5.5, F_SEAL_FUTURE_WRITE has a bug which maps
memory as shared between processes even if it is set as private. See
kernel commit 05d351102dbe ("mm, memfd: fix COW issue on MAP_PRIVATE and
F_SEAL_FUTURE_WRITE mappings") for more details.

According to the fcntl(2) man pages, F_SEAL_WRITE is enough:

> Furthermore, trying to create new shared, writable memory-mappings via
> mmap(2) will also fail with EPERM.
>
> Using the F_ADD_SEALS operation to set the F_SEAL_WRITE seal fails
> with EBUSY if any writable, shared mapping exists. Such mappings must
> be unmapped before you can add this seal.

F_SEAL_FUTURE_WRITE only makes sense if a read-write shared mapping in
one process should be read-only in another process. This is not case for
runc, especially not for the /proc/self/exe we are protecting.

Signed-off-by: Tomasz Duda <tomaszduda23@gmail.com>
(cyphar: improve the comment regarding F_SEAL_FUTURE_WRITE)
(cyphar: improve commit message)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit c43ea7d)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin kolyshkin added the backport/1.2-pr A backport PR to release-1.2 label Feb 26, 2025
@kolyshkin kolyshkin added this to the 1.2.6 milestone Feb 26, 2025
@kolyshkin kolyshkin mentioned this pull request Feb 26, 2025
Merged
@lifubang lifubang merged commit 13d44fb into opencontainers:release-1.2 Feb 27, 2025
40 checks passed
@rata rata mentioned this pull request Mar 13, 2025
Merged
@austinvazquez austinvazquez mentioned this pull request Mar 18, 2025
Merged
@github-actions github-actions bot mentioned this pull request Mar 23, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lifubang lifubang lifubang approved these changes

@cyphar cyphar cyphar approved these changes

Assignees
No one assigned
Labels
backport/1.2-pr A backport PR to release-1.2
Projects
None yet
Milestone
1.2.6
Development

Successfully merging this pull request may close these issues.
4 participants
@kolyshkin @lifubang @cyphar @tomaszduda23