From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id CD5F5C30654 for ; Mon, 3 Jul 2023 18:47:35 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 57E5A28002E; Mon, 3 Jul 2023 14:47:35 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 50796280001; Mon, 3 Jul 2023 14:47:35 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 380F028002E; Mon, 3 Jul 2023 14:47:35 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id 26095280001 for ; Mon, 3 Jul 2023 14:47:35 -0400 (EDT) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id E117A1203F3 for ; Mon, 3 Jul 2023 18:47:34 +0000 (UTC) X-FDA: 80971184028.13.3F14301 Received: from mail-pg1-f176.google.com (mail-pg1-f176.google.com [209.85.215.176]) by imf17.hostedemail.com (Postfix) with ESMTP id 0184B4001C for ; Mon, 3 Jul 2023 18:47:32 +0000 (UTC) Authentication-Results: imf17.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=b9iCvxxH; spf=pass (imf17.hostedemail.com: domain of keescook@chromium.org designates 209.85.215.176 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1688410053; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=kN9o72g+S+fr453o45UGKHe2553NpYDOTlk2hs27c8U=; b=NPBtFLasbsvdMTOdxiJgnxFF5pwhVyfOz/mUu4zcfjlIKxMlwTP9u/XhmPz/2hUS4H5mgP vtvexyPmkrmhwLwT2IzKp+PaYTJYhLGjmCBwI7xfDQYr2Yt9ode2ZdljbxfsWgKoz1ckPD kWWF7A/gB/mcHNplRj+7PFyI7QAP4xg= ARC-Authentication-Results: i=1; imf17.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=b9iCvxxH; spf=pass (imf17.hostedemail.com: domain of keescook@chromium.org designates 209.85.215.176 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1688410053; a=rsa-sha256; cv=none; b=p+aPvRNxpUwOg9n4KoIitMe8TVq3QcSJWhvn3t/o1+XJIcV4GKeNhgXZYfrYQ+2DrtSZSV K0DJ2ggScx2vuAcLYSkcCFUifL5fLpcC/CVUGBKkqbG14Zd4kIYVdTrL5FnB3d25PSBapd 23R9QZrG6l2Cs+Xsn7Fy5SVaoWyOtFU= Received: by mail-pg1-f176.google.com with SMTP id 41be03b00d2f7-55ae51a45deso2366387a12.3 for ; Mon, 03 Jul 2023 11:47:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1688410052; x=1691002052; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=kN9o72g+S+fr453o45UGKHe2553NpYDOTlk2hs27c8U=; b=b9iCvxxHye8HsmgiBQdPV5wB3f1FHMfAOiUqp/E9CmOP7x6AhyW5/oynel97W2sEmn FvScJKeTY17iuoxKWd3fJHBDoV3jQ5VhDZhAiDH7gJxV6cBYtNcXXCFvQiJuShNtQGJA 4z03TR4FvqYVUbHwqT8AyLfVintdaAK9d5apw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688410052; x=1691002052; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=kN9o72g+S+fr453o45UGKHe2553NpYDOTlk2hs27c8U=; b=by3QT0dFNm5UA/WHi9kfcjln4tCZ5V/HMmJRatxuyEqjfaQwsP/NRr9JnW+ug5rm9Z ZfEwoFhc2uK98pIe7j3H2qeAJIpen/tt6Zan5zQk73I7aAPEnaH1M5+3oy1+H+9pDSaI m6u5W1U/YprFc8gNwQbXLBk3rIyrGokIO65meJtpK9bkAYrjpLHl5zAJ4CS8ynevZvo2 iz6JbrLvPVzJ5APuNtzaxFOS8Vr9Tr/OQ94Hm0gSLDV0G5vW6vmSR+eRwDS+G3SfwIoH Nwc928IFxRs2y1fV191SvJ19aUBBaMVlFY/zL2SO5QSs9VA6D5k9amsUBO3cKqqL1phV qewQ== X-Gm-Message-State: AC+VfDxeZ71JQTnE5cRg9yWsByeidXIL+GGNspV0ZJmPWg/XIwomU+Rl ZZtJr3VQckqc3UU2m7Tn6lqYKQ== X-Google-Smtp-Source: ACHHUZ7Uw6JIzie0IqBbLm1Jpta+I6oauYqzRMNr4YquzVcV9CbMBRcoIqPoHfkBX5hGG4i8DnEZeA== X-Received: by 2002:a05:6a20:6a0f:b0:126:f64b:668e with SMTP id p15-20020a056a206a0f00b00126f64b668emr11925154pzk.5.1688410051738; Mon, 03 Jul 2023 11:47:31 -0700 (PDT) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id jf5-20020a170903268500b001b7eeffbdbfsm14742165plb.261.2023.07.03.11.47.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Jul 2023 11:47:31 -0700 (PDT) Date: Mon, 3 Jul 2023 11:47:30 -0700 From: Kees Cook To: Jann Horn Cc: Roberto Sassu , Oleg Nesterov , Paul Moore , James Morris , "Serge E. Hallyn" , Stephen Smalley , Eric Paris , Andrew Morton , Mimi Zohar , Casey Schaufler , David Howells , LuisChamberlain , Eric Biederman , Petr Tesarik , Christoph Hellwig , Petr Mladek , Peter Zijlstra , Thomas Gleixner , Tejun Heo , linux-mm@kvack.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [QUESTION] Full user space process isolation? Message-ID: <202307031140.D52C63D46@keescook> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspamd-Queue-Id: 0184B4001C X-Rspam-User: X-Stat-Signature: sw6tm9wfocuhy7938m476tm17ecsn1ky X-Rspamd-Server: rspam01 X-HE-Tag: 1688410052-214876 X-HE-Meta: U2FsdGVkX19S0d5gckxTxuQs3M7JfkaEg8GCb7bP13l+5IeZmuabcD5PVn2SgCm52iSj8KnCmg8dNZ67giPC4LPrsQHBGSsq8WDyRNGCogsok+qZ/P0VFPyodoVO/af6HUeirl4u6vrbK28mHcKfYNIx+8lCisfGgvgjLHGMF1t2zsZh2PnlQflksT1nMDUnipjz1R5lMwkLQCVQPyTXnk/RcwRb/AXWSB14WBDBf7NDEgsw/Zp8KXOaSbAcWj3Oaz7Tz5EY4d5zsvSV2DHzIPGytnKkdwjathxQmiBRAzXRjuBBU81lshjxpB3ruNqgbWKM+urm5NpIhFw9hrJAQLqw7VKrAPrC86bg0GYHFBjZAMJoWBgf3yg0obWAARp8eQBkOQmNbnFcCuhqvhLLSjjLKS3jwdHFoPESZHGc7Y4fW6ftOeUdmA85MVfIAQHCo81biPLI32jm3SaoHPuPQo00JjKvr093Ldz6FINOenou4npRVi/X8B5fUyUy5nE5S1mJbdytdL0yLMRPWi0vZQQwC1jEwuZjvlzqBEBZ54bbMrA/iodLV99GGOCv5/Cyn+a1ucpg6hdf98Cp0WxDjo90XLdQwwhf+CfnHE3KdfvJWQ38pcKrgRk8w48fL+f05bEQtaxXhCrV7kd7iIoJITX2z4t94PR9Mv4+kkMpZU3wFGNIpsXJUawqEK6o0p2dNreXYppieHvTL4Ourj4UrPDWIAryE/9UKIBS8pY2tCEOsTOcrqtiqdipvZqneBZETH/lBzN+I4pEAt/Cla4WXoTP8dHHVBELTTpXn9S1R1+8bYXw7yngPnkJJLcA8bfIEX6BohfN0hrtYL2A/QHgSVyKSpAWx2s8Zt83lFsmfxPyrm91fvT6umRhHD2a9TJ0yL4/QS4zdIO5dC16isQNxu0mdaCQG81npn1wqKjb/2UWgoCqAb3GEKLsgOZn8wCagkR//Gx533SbcJZ0ZUr /D8V0R4u R7ouip//yQHl1j8bdN5IUx40wSanYSxNZY64ReRl9GDsT2c/Fr10XEePd0MI3PAhoaF4ZjgrPGB1P0J3tDLfMQVbBV/TbXSx//VPoXo9SKShuBi0wkxlZA7B0n50ViiHrDP8DFmNLPWkxTWl540o/iQ61x4pa1xaulZjKGqKDQvOWo7aEvWrz8LCnPcQhqWch1Wo7sBHFvwVjKGVjnIuPwuWIGOqbKct/ktDRhvIXk/O9SydiVssjj4Cq15+xOrF6ev4FJxDR2+sAMRsDjxtb+EeotXIAXZvw7rUVGvYmfvwXzz4r9/9vHbXLVv29iuTjM1S2lxqB5hqXOCueFW8Pdj75vECwNgqM9LDYqTUq9tgOvVcFktL1IdSO22BdR1788Ra/y9sZbPsmbT1ZFFQ0kyvcmbX59EqgfrMBv7KwHzFqCX9rcb0Juej2O3+Oe05YPvGtFBzldU2ZGIntJ+WKDiu6fLPZW1Tn6eOxED4nICV3g1w= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Mon, Jul 03, 2023 at 05:06:42PM +0200, Jann Horn wrote: > But I'm not convinced that it makes sense to try to draw a security > boundary between fully-privileged root (with the ability to mount > things and configure swap and so on) and the kernel - my understanding > is that some kernel subsystems don't treat root-to-kernel privilege > escalation issues as security bugs that have to be fixed. There are certainly arguments to be made about this, but efforts continue to provide a separation between full-cap uid 0 and kernel memory. LSMs like Lockdown, IMA, and LoadPin, for example, seek to close these gaps, and systems are designed with this bright line existing between kernel and root (e.g. Chrome OS). I'm sure there are gaps in attack surface coverage, but since work continues on this kind of hardening, I'd hate to knowingly create new attack surface. Providing uid 0 with kernel memory access should continue to be mediated by at least Lockdown, and if there are gaps in coverage, let's get them recorded[1] to be fixed. -Kees [1] https://github.com/KSPP/linux/issues -- Kees Cook