Date: Thu, 17 Oct 2024 10:37:53 +0200
From: Oleg Nesterov
To: Jeff Xu
Cc: "Liam R. Howlett", akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, torvalds@linux-foundation.org, adhemerval.zanella@linaro.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com, ojeda@kernel.org, adobriyan@gmail.com, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, hch@lst.de, peterx@redhat.com, hca@linux.ibm.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, lorenzo.stoakes@oracle.com
Subject: Re: [RFC PATCH v2 1/1] exec: seal system mappings
Message-ID: <20241017083752.GA15167@redhat.com>
References: <20241014215022.68530-1-jeffxu@google.com> <20241014215022.68530-2-jeffxu@google.com> <6r5sxlhfujr2expiscsfpdjtraqlvy6k3cznmv25lo6usmyw7x@igmuywngc5xi>

On 10/16, Jeff Xu wrote:
>
> On Wed, Oct 16, 2024 at 6:10 PM Liam R. Howlett wrote:
> >
> > > + exec.seal_system_mappings = [KNL]
> > > + Format: { never | always }
> > > + Seal system mappings: vdso, vvar, sigpage, uprobes,
> > > + vsyscall.
> > > + This overwrites KCONFIG CONFIG_SEAL_SYSTEM_MAPPINGS_*
> > > + - 'never': never seal system mappings.
> >
> > Not true, uprobes are sealed when 'never' is selected.
> >
> Thanks. I forgot to uprobes from the description in Kconfig and
> kernel-parameters.txt, will update.

Jeff, I am sorry for confusion. No need to make uprobes "special" and
complicate the logic/documentation.

I just meant that, unlike vdso, it is always safe/good to mseal the
"[uprobes]" vma, regardless of config/boot options.

Please do what you think is right, I am fine either way.

Oleg.
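
Review bot: The 'never' line in the exec.seal_system_mappings entry says system mappings are never sealed, while the same entry lists uprobes among the mappings the parameter controls and the reply in this thread states that uprobes are sealed even when 'never' is selected. The documented behaviour and the actual behaviour should agree: either drop uprobes from the "Seal system mappings:" list and say separately that the [uprobes] mapping is sealed regardless of this parameter, or make the uprobes sealing follow the parameter like the other mappings. An administrator who boots with 'never' to rule out sealing while debugging would otherwise be misled by this text. Separately, "This overwrites KCONFIG CONFIG_SEAL_SYSTEM_MAPPINGS_*" reads better as "overrides", since the boot parameter takes precedence over the Kconfig choice rather than rewriting it.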