From: "Theo de Raadt"
To: Jeff Xu
Cc: Linus Torvalds, jeffxu@chromium.org, akpm@linux-foundation.org,
    keescook@chromium.org, sroettger@google.com, jorgelo@chromium.org,
    groeck@chromium.org, linux-kernel@vger.kernel.org,
    linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com,
    surenb@google.com, alex.sierra@amd.com, apopple@nvidia.com,
    aneesh.kumar@linux.ibm.com, axelrasmussen@google.com,
    ben@decadent.org.uk, catalin.marinas@arm.com, david@redhat.com,
    dwmw@amazon.co.uk, ying.huang@intel.com, hughd@google.com,
    joey.gouly@arm.com, corbet@lwn.net, wangkefeng.wang@huawei.com,
    Liam.Howlett@oracle.com, lstoakes@gmail.com, willy@infradead.org,
    mawupeng1@huawei.com, linmiaohe@huawei.com, namit@vmware.com,
    peterx@redhat.com, peterz@infradead.org, ryan.roberts@arm.com,
    shr@devkernel.io, vbabka@suse.cz, xiujianfeng@huawei.com,
    yu.ma@intel.com, zhangpeng362@huawei.com, dave.hansen@intel.com,
    luto@kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [RFC PATCH v1 0/8] Introduce mseal() syscall
References: <20231016143828.647848-1-jeffxu@chromium.org>
    <55960.1697566804@cvs.openbsd.org> <95482.1697587015@cvs.openbsd.org>
Comments: In-reply-to Jeff Xu message dated "Tue, 17 Oct 2023 20:18:47 -0700."
Date: Tue, 17 Oct 2023 21:37:20 -0600
Message-ID: <53481.1697600240@cvs.openbsd.org>

Jeff Xu wrote:

> In linux cases, I think, eventually, mseal() will have a bigger scope than
> BSD's mimmutable().

I don't believe that, considering no one needed this behaviour from the VM
system in the last 4 decades.

> VMA's metadata(vm_area_struct) contains a lot
> of control info, depending on application's needs, mseal() can be
> expanded to seal individual control info.

> For example, in madvise(2) case:
> As Jann points out in [1] and I quote:
> "you'd probably also want to block destructive madvise() operations
> that can effectively alter region contents by discarding pages and
> such, ..."

Then prohibit madvise(MADV_FREE) on all non-writeable mappings that are
immutable. Just include this in the set of behaviours. Or make it the
default.

Don't make it an option that a program needs to set on pages! No one is
going to call it. Most programs don't know the addresses of the *REGIONS*
they would want to do this for.

Does your program know where libc's text segment starts and ends?
No, your program does not know these addresses, so the parts of the
'system' which do know this need to do it (which would be ld.so or
the libc init constructors).

If madvise(MADV_FREE) is so dangerous.. say you have a program that would
call through abort(), but you know a zero there can make the abort not
abort but return, then is it bad to let the attacker do:

    madvise(&abort, pagesize, MADV_FREE)

If that is bad, then block it in a smart way! Don't make a programmer of
an application figure out how to do this.

That results in a defense methodology where a handful of programs
self-protect, but everything else is unprotected or unprotectable. That
is shortsighted.

> Another example: if an application wants to keep a memory always
> present in RAM, for whatever the reason, it can call seal the mlock().

Please explain the attack surface.

> I think I explained the logic of using bitmasks in the mseal()
> interface clearly with the example of madvise() and mlock().

It is clear as mud.
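
Added example, not part of the mail and not code from the mseal() patch series: the "non-writeable mappings" the message refers to can be listed from a process's memory map, which is an address inventory that exists only at run time and that application source code does not carry. The sketch filters a constructed sample in Linux /proc/<pid>/maps format for executable, non-writable regions; the names text_regions and covering, the sample paths and all addresses are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample in /proc/<pid>/maps format; all addresses are made up. */
static const char SAMPLE_MAPS[] =
    "55d0c0a01000-55d0c0a02000 r-xp 00001000 08:01 1001 /usr/bin/demo\n"
    "55d0c0a03000-55d0c0a04000 rw-p 00003000 08:01 1001 /usr/bin/demo\n"
    "7f10a0028000-7f10a01bd000 r-xp 00028000 08:01 2002 /usr/lib/libc.so.6\n"
    "7f10a0215000-7f10a0217000 rw-p 00215000 08:01 2002 /usr/lib/libc.so.6\n"
    "7f10a0300000-7f10a0301000 rwxp 00000000 00:00 0 \n";

struct region { unsigned long start, end; char path[128]; };
/* Collect mappings that are executable and not writable (fields per line:
 * start-end perms offset dev inode [path]). Returns the number stored. */
static size_t text_regions(const char *maps, struct region *out, size_t max)
{
    size_t n = 0;
    while (*maps && n < max) {
        const char *eol = strchr(maps, '\n');
        size_t len = eol ? (size_t)(eol - maps) : strlen(maps);
        char line[256] = "", perms[5] = "";
        struct region r = { 0, 0, "" };
        if (len < sizeof line) {
            memcpy(line, maps, len);
            if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %127s",
                       &r.start, &r.end, perms, r.path) >= 3 &&
                perms[2] == 'x' && perms[1] != 'w')
                out[n++] = r;
        }
        maps += len + (eol ? 1 : 0);
    }
    return n;
}

/* Return the collected region that covers addr, or NULL if none does. */
static const struct region *covering(const struct region *r, size_t n, unsigned long addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= r[i].start && addr < r[i].end)
            return &r[i];
    return NULL;
}

int main(void)
{
    struct region r[16];
    size_t n = text_regions(SAMPLE_MAPS, r, 16);
    for (size_t i = 0; i < n; i++)
        printf("%lx-%lx %s\n", r[i].start, r[i].end, r[i].path);
    return covering(r, n, r[0].start) ? 0 : 1;
}
```

The writable-and-executable anonymous mapping in the sample is deliberately excluded, since it does not fall in the non-writeable set the message describes.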