From: Kees Cook <kees@kernel.org>
To: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: jeffxu@chromium.org, akpm@linux-foundation.org, jannh@google.com,
torvalds@linux-foundation.org, adhemerval.zanella@linaro.org,
oleg@redhat.com, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org, linux-mm@kvack.org,
jorgelo@chromium.org, sroettger@google.com, ojeda@kernel.org,
adobriyan@gmail.com, anna-maria@linutronix.de,
mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com,
deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net,
hch@lst.de, peterx@redhat.com, hca@linux.ibm.com,
f.fainelli@gmail.com, gerg@kernel.org,
dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org,
Liam.Howlett@oracle.com, mhocko@suse.com, 42.hyeyoo@gmail.com,
peterz@infradead.org, ardb@google.com, enh@google.com,
rientjes@google.com, groeck@chromium.org, mpe@ellerman.id.au,
Vlastimil Babka <vbabka@suse.cz>, Andrei Vagin <avagin@gmail.com>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Mike Rapoport <mike.rapoport@gmail.com>,
Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Subject: Re: [PATCH v4 1/1] exec: seal system mappings
Date: Mon, 6 Jan 2025 17:12:46 -0800 [thread overview]
Message-ID: <202501061647.6C8F34CB1A@keescook> (raw)
In-Reply-To: <a0a3b26b-2222-478c-a1cb-56514ec8d6ff@lucifer.local>
On Fri, Jan 03, 2025 at 09:38:10PM +0000, Lorenzo Stoakes wrote:
> On Tue, Dec 17, 2024 at 02:18:53PM -0800, Kees Cook wrote:
> > On Mon, Nov 25, 2024 at 08:20:21PM +0000, jeffxu@chromium.org wrote:
> > > Seal vdso, vvar, sigpage, uprobes and vsyscall.
> > >
> > > Those mappings are readonly or executable only, sealing can protect
> > > them from ever changing or unmapped during the life time of the process.
> > > For complete descriptions of memory sealing, please see mseal.rst [1].
> > >
> > > System mappings such as vdso, vvar, and sigpage (for arm) are
> > > generated by the kernel during program initialization, and are
> > > sealed after creation.
> > > [...]
> > >
> > > + exec.seal_system_mappings = [KNL]
> > > + Format: { no | yes }
> > > + Seal system mappings: vdso, vvar, sigpage, vsyscall,
> > > + uprobe.
> > > + - 'no': do not seal system mappings.
> > > + - 'yes': seal system mappings.
> > > + This overrides CONFIG_SEAL_SYSTEM_MAPPINGS=(y/n)
> > > + If not specified or invalid, default is the value set by
> > > + CONFIG_SEAL_SYSTEM_MAPPINGS.
> > > + This option has no effect if CONFIG_64BIT=n
> >
> > I know there is a v5 coming, but I wanted to give my thoughts to help
> > shape it based on the current discussion threads.
> >
> > The callers of _install_special_mapping() cover what is mentioned here.
> > The vdso is very common (arm, arm64, csky, hexagon, loongarch, mips,
> > parisc, powerpc, riscv, s390, sh, sparc, x86, um). For those with vdso,
> > some also have vvar (arm, arm64, loongarch, mips, powerpc, riscv, s390,
> > sparc, x86). After that, I see a few extra things, in addition to
> > sigpage and uprobes as mentioned already in the patch:
> >
> > arm sigpage
> > arm64 compat vectors (what is this for arm?)
> > arm64 compat sigreturn (what is this for arm?)
> > nios2 kuser helpers
> > uprobes
>
> OK let's not get ahead of ourselves :)
>
> VDSOs/gate VMAs are treated quite differently by different arches. So we
> have to tread _very_ carefully here.
>
> I believe PPC doe some 'tricky' things and may actually want to unmap, for
> instance.
>
> The problem with this kind of change is we're doing something fundamental
> that impacts _every possible combinatorial combination of configs, arches,
> and use cases_ for each of these which we seeming - just assume - will have
> no issue with this.
>
> This is insufficient, deeply. We need:
>
> 1. Strong justification (hand waving won't suffice).
> 2. Very extensive testing and checking, and _proof_ of this testing being
> performed.
> 3. Buy-in from arch maintainers.
>
> So far this series has provided none of those. This is why I am cautious
> and pushing back here.
Sure, I agree. This is why I was suggested the ...ARCH_HAS... Kconfig.
That will provide the way for 3) to happen. 1) just needs a little more
details in the commit log, I guess? The goal is attack surface reduction
in userspace, and remapping shenanigans have become a recent avenue of
attack.
For 2) there are limits. As you say we may have "every possible
combinatorial combination", which may not be feasible to test. But
making it available for the common cases (and of course testing those)
makes sense.
> And I absolutely will not accept a user being able to turn on a switch in a
> known-broken configuration. This is absolutely unacceptable.
Sure, of course.
> It's equally unacceptable for a user to enable a feature that is
> untested/confirmed on an architecture.
Agreed.
> So let's be careful about Linus's edict here - the operative part being 'if
> it doesn't break things'.
Right -- I should clarify: I don't mean to say "it should be enabled by
default", I meant to say that we have a common pattern for making these
kinds of features available without hiding them behind a build-time
Kconfig that would have put the features out of reach for system owners
that only use distro kernels, etc. I was pushing back on an earlier
comment that I interpreted as rejecting boot params. A boot param (when
other aspects of the system are sane) is needed for this kind of thing,
and is the pattern we use for providing optional features that distros
can make available without enabling them by default.
> > So, if we want to have a CONFIG_MSEAL_SYSTEM_MAPPINGS at all, it should
> > be "default y" since we have the ...ARCH_HAS... config already, and then
> > add a CONFIG_MSEAL_SYSTEM_MAPPINGS_DEFAULT that is off by default (since
> > we expect there may be userspace impact) and tie _that_ to the kernel
> > command-line so that end users can use it, or system builders can enable
> > CONFIG_MSEAL_SYSTEM_MAPPINGS_DEFAULT.
>
> Again, I hate to push on this, but I am simply not going to allow users to
> enable features we know break things.
>
> Users might not be aware this feature is broken for CRIU, and X, and Y and
> whatever else we've not thought about and enable it thinking it helps
> security, and end up with a broken system.
This will never be a bright line, and I think choice is more important.
For example, Ubuntu builds with CRIU, but only a tiny set of tools
actually use it. (I've actually been considering adding a boot param to
disable CRIU features since they undermine some aspects of userspace
security.)
Regardless, yes, if we can make this work with CRIU (which I thought
there seem to be consensus on), let's do it.
> This seems like putting the onus on CRIU users to deal with a known-broken
> thing? That seems really unreasonable? And people would just have to have
> the right userland code to work in the kernel with mseal?
>
> Yeah I oppose entirely this unless I'm missing something?
Hm, well, the primary goal is for Chrome OS and Android to use this. If
there is honestly no path forward with CRIU, then hard Kconfig conflict
it is. I'd much rather have it available for anyone who wants it, just
like we do with lots of other features. Why force people who want this
and not CRIU to build their own kernels? We have all kinds of boot params
that if you set you get a broken system.
-Kees
--
Kees Cook
next prev parent reply other threads:[~2025-01-07 1:12 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-25 20:20 [PATCH v4 0/1] Seal " jeffxu
2024-11-25 20:20 ` [PATCH v4 1/1] exec: seal " jeffxu
2024-11-25 20:40 ` Matthew Wilcox
2024-12-02 17:22 ` Jeff Xu
2024-12-02 17:57 ` Lorenzo Stoakes
2024-12-02 20:05 ` Jeff Xu
2024-12-02 19:57 ` Jeff Xu
2024-12-02 18:29 ` Lorenzo Stoakes
2024-12-02 20:38 ` Jeff Xu
2024-12-03 7:35 ` Lorenzo Stoakes
2024-12-03 18:19 ` Jeff Xu
2024-12-03 20:16 ` Lorenzo Stoakes
2024-12-04 14:04 ` Benjamin Berg
2024-12-04 17:43 ` Jeff Xu
2024-12-04 18:24 ` Benjamin Berg
2024-12-10 4:12 ` Andrei Vagin
2024-12-11 22:46 ` Jeff Xu
2024-12-13 6:33 ` Andrei Vagin
2024-12-16 18:35 ` Jeff Xu
2024-12-16 18:56 ` Liam R. Howlett
2024-12-16 20:20 ` Jeff Xu
2024-12-17 22:18 ` Kees Cook
2025-01-02 19:15 ` Andrei Vagin
2025-01-03 20:48 ` Liam R. Howlett
2025-01-07 1:17 ` Kees Cook
2025-02-04 18:17 ` Johannes Berg
2025-01-03 21:38 ` Lorenzo Stoakes
2025-01-07 1:12 ` Kees Cook [this message]
2025-01-13 21:26 ` Jeff Xu
2025-01-14 4:19 ` Matthew Wilcox
2025-01-15 19:02 ` Jeff Xu
2025-01-15 19:46 ` Lorenzo Stoakes
2025-01-15 20:20 ` Jeff Xu
2025-01-16 15:48 ` Lorenzo Stoakes
2025-01-16 17:01 ` Benjamin Berg
2025-01-16 17:16 ` Lorenzo Stoakes
2025-01-16 17:18 ` Pedro Falcato
2025-01-17 18:20 ` Jeff Xu
2025-01-17 19:35 ` enh
2025-01-17 20:15 ` Jeff Xu
2025-01-17 22:08 ` Liam R. Howlett
2025-01-21 15:38 ` enh
2025-01-22 17:23 ` Liam R. Howlett
2025-01-22 22:29 ` enh
2025-01-23 8:40 ` Vlastimil Babka
2025-01-23 21:50 ` enh
2025-01-23 22:38 ` Matthew Wilcox
2025-02-06 14:19 ` enh
2025-02-06 13:20 ` Thomas Weißschuh
2025-02-06 14:38 ` enh
2025-02-06 15:28 ` Thomas Weißschuh
2025-02-06 15:51 ` enh
2025-02-06 16:37 ` Thomas Weißschuh
2025-01-17 18:08 ` Jeff Xu
2025-01-15 23:52 ` Kees Cook
2025-01-16 5:26 ` Christoph Hellwig
2025-01-16 19:40 ` Kees Cook
2025-01-17 10:14 ` Heiko Carstens
2025-01-16 15:34 ` Lorenzo Stoakes
2025-01-16 19:44 ` Kees Cook
2024-11-26 16:39 ` [PATCH v4 0/1] Seal " Lorenzo Stoakes
2024-12-02 17:28 ` Jeff Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202501061647.6C8F34CB1A@keescook \
--to=kees@kernel.org \
--cc=0x7f454c46@gmail.com \
--cc=42.hyeyoo@gmail.com \
--cc=Jason@zx2c4.com \
--cc=Liam.Howlett@oracle.com \
--cc=adhemerval.zanella@linaro.org \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=aleksandr.mikhalitsyn@canonical.com \
--cc=anna-maria@linutronix.de \
--cc=ardb@google.com \
--cc=ardb@kernel.org \
--cc=avagin@gmail.com \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=deller@gmx.de \
--cc=enh@google.com \
--cc=f.fainelli@gmail.com \
--cc=gerg@kernel.org \
--cc=groeck@chromium.org \
--cc=hca@linux.ibm.com \
--cc=hch@lst.de \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=jorgelo@chromium.org \
--cc=linus.walleij@linaro.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mark.rutland@arm.com \
--cc=mhocko@suse.com \
--cc=mike.rapoport@gmail.com \
--cc=mingo@kernel.org \
--cc=mpe@ellerman.id.au \
--cc=ojeda@kernel.org \
--cc=oleg@redhat.com \
--cc=peterx@redhat.com \
--cc=peterz@infradead.org \
--cc=rdunlap@infradead.org \
--cc=rientjes@google.com \
--cc=sroettger@google.com \
--cc=torvalds@linux-foundation.org \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox