From: "Theo de Raadt"
To: Jeff Xu
Cc: Linus Torvalds, jeffxu@chromium.org, akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org
Subject: Re: [RFC PATCH v3 11/11] mseal:add documentation
References: <20231212231706.2680890-1-jeffxu@chromium.org> <20231212231706.2680890-12-jeffxu@chromium.org>
Date: Thu, 14 Dec 2023 08:04:23 -0700
Message-ID: <56221.1702566263@cvs.openbsd.org>

Jeff Xu wrote:

> In short, BSD's immutable is designed specific for libc case, and Chrome
> case is just different (e.g. the lifetime of those mappings and requirement of
> free/discard unused memory).

That is not true. During the mimmutable design I took the entire
software ecosystem into consideration. Not just libc. That is either
uncharitable or uninformed.

In OpenBSD, pretty much the only thing which calls mimmutable() is the
shared library linker, which does so on all possible regions of all DSO
objects, not just libc.

For example, chrome loads 96 libraries, and all their text/data/bss/etc
are immutable. All the static address space is immutable. It's the same
for all other programs running in OpenBSD -- only transient heap and
mmap spaces remain permission mutable.

It is not just libc.

What you are trying to do here with chrome is bring some sort of
soft-immutable management to regions of memory, so that trusted parts of
chrome can still change the permissions, but untrusted / gadgetry parts
of chrome cannot change the permissions.

That's a very different thing than what I set out to do with
mimmutable(). I'm not aware of any other piece of software that needs
this. I still can't wrap my head around the assurance model of the
design.

Maybe it is time to stop comparing mseal() to mimmutable().

Also, maybe this proposal should be using the name chromesyscall()
instead -- then it could be extended indefinitely in the future...