linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed
From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
To: Theo de Raadt <deraadt@openbsd.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Matthew Wilcox <willy@infradead.org>,
	Jonathan Corbet <corbet@lwn.net>,
	Andrew Morton <akpm@linux-foundation.org>,
	jeffxu@chromium.org, keescook@chromium.org, jannh@google.com,
	sroettger@google.com, gregkh@linuxfoundation.org,
	usama.anjum@collabora.com, surenb@google.com, merimus@google.com,
	rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org,
	groeck@chromium.org, linux-kernel@vger.kernel.org,
	linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
	pedro.falcato@gmail.com, dave.hansen@intel.com,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH v10 0/5] Introduce mseal
Date: Wed, 15 May 2024 00:53:47 -0400	[thread overview]
Message-ID: <6wtyezhn7spm4ehpo7jyi6xy3ywznkztjpzlafodpwj6x4wldx@rjia2otxbcxu> (raw)
In-Reply-To: <75628.1715740958@cvs.openbsd.org>

* Theo de Raadt <deraadt@openbsd.org> [240514 22:42]:
> Linus Torvalds <torvalds@linux-foundation.org> wrote:
> 
> > On Tue, 14 May 2024 at 18:47, Theo de Raadt <deraadt@openbsd.org> wrote:
> > >
> > > Linus Torvalds <torvalds@linux-foundation.org> wrote:
> > >
> > > Regarding mprotect(), POSIX also says:
> > >
> > >     An implementation may permit accesses other than those specified by
> > >     prot; however, no implementation shall permit a write to succeed where
> > >     PROT_WRITE has not been set or shall permit any access where PROT_NONE
> > >     alone has been set.
> > 
> > Why do you quote entirely irrelevant issues?
> > 
> > If the mprotect didn't succeed, then clearly the above is irrelevant.
> 
> Imagine the following region:
> 
> 
>     <--------------------------------------------- len
>     [region PROT_READ] [region PROT_READ + sealed] 
> addr ^
> 
> then perform
>     mprotect(addr, len, PROT_WRITE | PROT_READ);
> 
> This will return -1, with EPERM, when it encounters the sealed region.
> 
> I believe in Linux, since it has not checked for errors as a first
> phase, this changes the first region of memory to PROT_READ |
> PROT_WRITE.  Liam, is that correct?

I really don't want to fight about this - I just want to have reliable
code that is maintainable.  I think the correctness argument is always
going to be unclear because we're all going to interpret the
documentation from our point of view - which is probably how we got here
in the first place.  My opinion of the matter of correctness is,
obviously, the least important.

My problem right now is that we're changing it so that we are not
consistent in when we should check.  I'm not sure how doing both fits
into either model, but it increases the next change going to the 'wrong'
side of the argument (whatever side that happens to be from your view).

If there isn't a technical reason to keep the check before, then we
should treat mseal the same as all other checks.

If we are going to have an up-front check, then it makes sense to keep
the checks that we can (reasonably) do at the same time together.
Linus, you said up front checks is a good thing to aim for.

That said, I don't think the example above will allow the madvise to
succeed at all.  mseal checks the entire region up front while most
other checks occur during the loop across vmas.

Thanks,
Liam


  reply	other threads:[~2024-05-15  4:54 UTC|newest]

Thread overview: 55+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-15 16:35 jeffxu
2024-04-15 16:35 ` [PATCH v10 1/5] mseal: Wire up mseal syscall jeffxu
2024-04-15 18:12   ` Muhammad Usama Anjum
2024-04-15 18:21     ` Linus Torvalds
2024-04-15 19:06       ` Jeff Xu
2024-04-15 16:35 ` [PATCH v10 2/5] mseal: add " jeffxu
2024-04-16 14:59   ` Liam R. Howlett
2024-04-16 15:17     ` Jann Horn
2024-04-16 16:42     ` Theo de Raadt
2024-04-15 16:35 ` [PATCH v10 3/5] selftest mm/mseal memory sealing jeffxu
2024-04-15 18:32   ` Muhammad Usama Anjum
2024-04-15 20:27     ` Jeff Xu
2024-04-16  0:34       ` Kees Cook
2024-05-02 11:24   ` Ryan Roberts
2024-05-02 15:18     ` Jeff Xu
2024-05-02 22:39     ` Jeff Xu
2024-05-03  8:30       ` Ryan Roberts
2024-04-15 16:35 ` [PATCH v10 4/5] mseal:add documentation jeffxu
2024-04-15 16:35 ` [PATCH v10 5/5] selftest mm/mseal read-only elf memory segment jeffxu
2024-04-16 15:13 ` [PATCH v10 0/5] Introduce mseal Liam R. Howlett
2024-04-16 19:40   ` Jeff Xu
2024-04-18 20:19     ` Suren Baghdasaryan
2024-04-19  1:22       ` Jeff Xu
2024-04-19 14:57         ` Suren Baghdasaryan
2024-04-19 15:14           ` Jeff Xu
2024-04-19 16:54             ` Suren Baghdasaryan
2024-04-19 17:59         ` Pedro Falcato
2024-04-20  1:23           ` Jeff Xu
2024-05-14 17:46 ` Andrew Morton
2024-05-14 19:52   ` Kees Cook
2024-05-23 23:32     ` Kees Cook
2024-05-23 23:54       ` Andrew Morton
2024-05-24 15:19         ` Linus Torvalds
2024-05-14 20:59   ` Jonathan Corbet
2024-05-14 21:28     ` Matthew Wilcox
2024-05-14 22:48       ` Theo de Raadt
2024-05-14 23:01         ` Andrew Morton
2024-05-14 23:47           ` Theo de Raadt
2024-05-15  2:58             ` Willy Tarreau
2024-05-15  3:36               ` Linus Torvalds
2024-05-15  4:14                 ` Linus Torvalds
2024-05-15  6:14                   ` Willy Tarreau
2024-05-15  0:43         ` Linus Torvalds
2024-05-15  0:57           ` Theo de Raadt
2024-05-15  1:20             ` Linus Torvalds
2024-05-15  1:47               ` Theo de Raadt
2024-05-15  2:28                 ` Linus Torvalds
2024-05-15  2:42                   ` Theo de Raadt
2024-05-15  4:53                     ` Liam R. Howlett [this message]
2024-05-14 21:28   ` Liam R. Howlett
2024-05-15 17:18     ` Jeff Xu
2024-05-15 22:19       ` Liam R. Howlett
2024-05-16  0:59         ` Jeff Xu
2024-05-21 16:00           ` Liam R. Howlett
2024-05-21 20:55             ` Jeff Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6wtyezhn7spm4ehpo7jyi6xy3ywznkztjpzlafodpwj6x4wldx@rjia2otxbcxu \
    --to=liam.howlett@oracle.com \
    --cc=akpm@linux-foundation.org \
    --cc=corbet@lwn.net \
    --cc=dave.hansen@intel.com \
    --cc=deraadt@openbsd.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=groeck@chromium.org \
    --cc=jannh@google.com \
    --cc=jeffxu@chromium.org \
    --cc=jeffxu@google.com \
    --cc=jorgelo@chromium.org \
    --cc=keescook@chromium.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=merimus@google.com \
    --cc=pedro.falcato@gmail.com \
    --cc=rdunlap@infradead.org \
    --cc=sroettger@google.com \
    --cc=surenb@google.com \
    --cc=torvalds@linux-foundation.org \
    --cc=usama.anjum@collabora.com \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox