Releases: robertosassu/diglim-ebpf
current
Deny further open for writing to files mmapped for execution

Commit 3d01ead65846 ("Allow mmap() for exec on owned and non reachable temp files") allows files created with the O_TMPFILE and O_EXCL open flags to be mmapped for execution without content check.

However, it wrongly assumed that nobody could write that file except for its creator. A malicious program could perform a write with this simple command:

    echo content > /proc/<PID of victim>/fd/<fd of file opened with O_TMPFILE>

Let files created with O_TMPFILE and anonymous inodes residing in a tmpfs filesystem mounted by the kernel (e.g. those created by memfd_create()) be mmapped for execution without content check. For the former group require that no more than an open for writing is performed, and for the latter group no open at all (memfd_create() does not invoke the file_open LSM hook).

If the mmap for execution was granted without content check, deny any further open for writing.

These conditions have been defined with the assumption that letting a process execute content that it itself provides is safe.

Signed-off-by: Roberto Sassu <[email protected]>
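The rules in the commit message above, written out as a small user-space state machine. This is an added example, not code from diglim-ebpf: the type and function names are hypothetical, and it assumes that "no more than an open for writing" means at most one write open, namely the creator's own open(O_TMPFILE), which it assumes is seen by the file_open hook.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the per-inode policy; names are not the project's. */
enum inode_kind { KIND_REGULAR, KIND_O_TMPFILE, KIND_ANON_TMPFS };
enum verdict { ALLOW, DENY, NEED_CONTENT_CHECK };

struct inode_state {
    enum inode_kind kind;
    unsigned opens;        /* opens seen by the file_open hook */
    unsigned write_opens;  /* of those, opens for writing */
    bool exec_unchecked;   /* exec mmap was granted without content check */
};

/* file_open hook: count the open, refuse writers once exec was granted. */
enum verdict on_file_open(struct inode_state *s, bool for_write)
{
    if (for_write && s->exec_unchecked)
        return DENY;       /* covers a reopen through /proc/<PID>/fd/<fd> */
    s->opens++;
    if (for_write)
        s->write_opens++;
    return ALLOW;
}

/* mmap-for-exec hook: decide whether the content check can be skipped. */
enum verdict on_mmap_exec(struct inode_state *s)
{
    bool exempt = false;

    if (s->kind == KIND_O_TMPFILE)
        exempt = s->write_opens <= 1;  /* assumed: the creator's open only */
    else if (s->kind == KIND_ANON_TMPFS)
        exempt = s->opens == 0;        /* memfd_create() skips file_open */
    if (!exempt)
        return NEED_CONTENT_CHECK;     /* fall back to the normal check */
    s->exec_unchecked = true;
    return ALLOW;
}

int main(void)
{
    struct inode_state t = { .kind = KIND_O_TMPFILE };

    on_file_open(&t, true);            /* creator's open(O_TMPFILE) */
    printf("mmap for exec: %d\n", on_mmap_exec(&t));
    printf("second open for writing: %d\n", on_file_open(&t, true));
    return 0;
}
```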