From: Michal Hocko <mhocko@kernel.org>
To: Igor Stoppa <igor.stoppa@huawei.com>
Cc: linux-mm@kvack.org
Subject: Re: RFC: post-init-read-only protection for data allocated dynamically
Date: Fri, 28 Apr 2017 09:45:43 +0200 [thread overview]
Message-ID: <20170428074540.GB9399@dhcp22.suse.cz> (raw)
In-Reply-To: <3eba3df7-6694-5c47-48f4-30088845035b@huawei.com>
On Fri 21-04-17 11:30:04, Igor Stoppa wrote:
> Hello,
>
> I am looking for a mechanism to protect the kernel data which is allocated
> dynamically during system initialization and is later-on accessed only for
> reads.
>
> The functionality would be, in spirit, like the __read_only modifier, which
> can be used to mark static data as read-only, in the post-init phase. Only,
> it would apply to dynamically allocated data.
>
> I couldn't find any such feature (did I miss it?), so I started looking at
> what could be the best way to introduce it.
>
> The static post-init write protection is achieved by placing all the data
> into a page-aligned segment and then protecting the page from writes, using
> the MMU, once the data is in its final state.
>
> In my case, as example, I want to protect the SE Linux policy database,
> after the set of policy has been loaded from file.
> SE Linux uses fairly complex data structures, which are allocated
> dynamically, depending on what rules/policy are loaded into it.
>
> If I knew upfront, roughly, which sizes will be requested and how many
> requests will happen, for each size, I could use multiple pools of objects.
> However, I cannot assume upfront to know these parameters, because it's very
> likely that the set of policies & rules will evolve.
>
> I would also like to extend the write protection to other data structures,
> which means I would probably end up writing another memory allocator, if I
> started to generate on-demand object pools.
What is the expected life time of those objects? Are they ever freed? If
yes are they freed at once or some might outlive others?
> The alternative I'm considering is that, if I were to add a new memory zone
> (let's call it LOCKABLE), I could piggy back on the existing infrastructure
> for memory allocation.
No, please no new memory zones! This doesn't look like a good fit
anyway. I believe you need an allocator on top of the page allocator
which manages kernel page tables on top of pools of pages. You really do
not care about where the page is placed physically. I am not sure how
much you can reuse from the SL.B object management because that highly
depends on the life time of objects.
--
Michal Hocko
SUSE Labs
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-04-28 7:45 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-21 8:30 Igor Stoppa
2017-04-28 7:45 ` Michal Hocko [this message]
2017-05-02 16:47 ` Michal Hocko
2017-05-03 9:44 ` Igor Stoppa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170428074540.GB9399@dhcp22.suse.cz \
--to=mhocko@kernel.org \
--cc=igor.stoppa@huawei.com \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox