Date: Sat, 5 Oct 2024 22:20:25 +0200
From: Oleg Nesterov
To: jeffxu@chromium.org
Cc: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, torvalds@linux-foundation.org, adhemerval.zanella@linaro.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com, ojeda@kernel.org, adobriyan@gmail.com, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, mike.kravetz@oracle.com, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, hch@lst.de, peterx@redhat.com, hca@linux.ibm.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, nathan_lynch@mentor.com, dsafonov@virtuozzo.com, Liam.Howlett@Oracle.com, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, lorenzo.stoakes@oracle.com
Subject: Re: [RFC PATCH v1 1/1] exec: seal system mappings
Message-ID: <20241005202025.GB24353@redhat.com>
References: <20241004163155.3493183-1-jeffxu@google.com> <20241004163155.3493183-2-jeffxu@google.com>
In-Reply-To: <20241004163155.3493183-2-jeffxu@google.com>

Sorry for the noise, forgot to mention...

On 10/04, jeffxu@chromium.org wrote:
> > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -1535,6 +1535,15 @@ > Permit 'security.evm' to be updated regardless of > current integrity status. > > + exec.seal_system_mappings = [KNL] > + Format: { never | always } > + Seal system mappings: vdso, vvar, sigpage, uprobes, > + vsyscall. > + This overwrites KCONFIG CONFIG_SEAL_SYSTEM_MAPPINGS_* > + - 'never': never seal system mappings. > + - 'always': always seal system mappings. > + If not specified or invalid, default is the KCONFIG value.

perhaps the documentation should also mention that this new parameter
has no effect if CONFIG_64BIT=n.

Oleg.
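
Review bot: In the kernel-parameters.txt hunk, the line "This overwrites KCONFIG CONFIG_SEAL_SYSTEM_MAPPINGS_*" should read "overrides" and should name the Kconfig options it refers to instead of a wildcard, so an administrator can tell which build-time default applies. The entry also never says what sealing prevents for the listed mappings (vdso, vvar, sigpage, uprobes, vsyscall); one sentence on the effect would let a reader judge 'always' against 'never'. The last added line treats an invalid value the same as an unspecified one; it would help to state whether an invalid value is reported or silently ignored.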