From: Igor Stoppa <igor.stoppa@huawei.com>
To: Dave Chinner <dchinner@redhat.com>
Cc: Matthew Wilcox <willy@infradead.org>,
Kees Cook <keescook@chromium.org>,
Randy Dunlap <rdunlap@infradead.org>,
Jonathan Corbet <corbet@lwn.net>,
Michal Hocko <mhocko@kernel.org>,
Laura Abbott <labbott@redhat.com>,
Jerome Glisse <jglisse@redhat.com>,
Christoph Hellwig <hch@infradead.org>,
Christoph Lameter <cl@linux.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data
Date: Thu, 22 Feb 2018 10:58:58 +0200 [thread overview]
Message-ID: <77b1e91b-ca65-f13c-ada5-b24c55c87cb3@huawei.com> (raw)
In-Reply-To: <20180221213629.GF3728@rh>
On 21/02/18 23:36, Dave Chinner wrote:
> On Wed, Feb 21, 2018 at 11:56:22AM +0200, Igor Stoppa wrote:
[...]
> It seems lots of people get confused when discussing concepts vs
> implementation... :)
IMHO, if possible, it's better to use unambiguous terms at every point.
__ro_after_init is already taken :-P
In this specific case, I wanted to be absolutely sure I understood
correctly what you need. I think I have now, thanks.
>> is this something that is readonly from the beginning and then shared
>> among mount points or is it specific to each mount point?
>
> It's dynamically allocated for each mount point, made read-only
> before the mount completes and lives for the length of the mount
> point.
ok. And destroyed when the mount point is unmounted, I expect.
[...]
>> The "const" modifier is a nice way to catch errors through the compiler,
>> iff the ro data will not be initialized through this handle, when it's
>> still writable.
>
> That's kinda implied by the const, isn't it? If we don't do it that
> way, then the compiler will throw errors....
I might be splitting the hair, but since I'm advertising something I
worte, I don't want to look like a peddler of snake oil, in hindsight :-P
To clarify my previous comment:
* const can mean the world to the compiler, but that doesn't
automatically translate into write-protected memory, yet I do appreciate
the advantage of teaching the compiler what should not be altered.
And I have nothing against doing it.
* even if some handle will be const, it still needs to be aliased to
some other pointer that is not const, at the beginning, because it must
be initialized and it's anyway writable. So, this cannot be avoided.
--
igor
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
prev parent reply other threads:[~2018-02-22 8:59 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-12 16:52 Igor Stoppa
2018-02-12 16:52 ` [PATCH 1/6] genalloc: track beginning of allocations Igor Stoppa
2018-02-12 23:52 ` Kees Cook
2018-02-20 17:07 ` Igor Stoppa
2018-02-21 22:29 ` Kees Cook
2018-02-21 22:35 ` Jonathan Corbet
2018-02-12 16:52 ` [PATCH 2/6] genalloc: selftest Igor Stoppa
2018-02-12 23:50 ` Kees Cook
2018-02-20 16:59 ` Igor Stoppa
2018-02-21 22:28 ` Kees Cook
2018-02-22 9:14 ` Igor Stoppa
2018-02-22 18:28 ` Igor Stoppa
2018-02-12 16:52 ` [PATCH 3/6] struct page: add field for vm_struct Igor Stoppa
2018-02-12 16:52 ` [PATCH 4/6] Protectable Memory Igor Stoppa
2018-02-12 16:53 ` [PATCH 5/6] Pmalloc: self-test Igor Stoppa
2018-02-12 23:43 ` Kees Cook
2018-02-20 16:40 ` Igor Stoppa
2018-02-21 22:24 ` Kees Cook
2018-02-22 9:01 ` Igor Stoppa
2018-02-12 16:53 ` [PATCH 6/6] Documentation for Pmalloc Igor Stoppa
2018-02-12 23:32 ` [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data Kees Cook
2018-02-20 1:21 ` Dave Chinner
2018-02-20 18:03 ` Igor Stoppa
2018-02-20 21:36 ` Dave Chinner
2018-02-20 23:56 ` Matthew Wilcox
2018-02-21 1:36 ` Dave Chinner
2018-02-21 9:56 ` Igor Stoppa
2018-02-21 21:36 ` Dave Chinner
2018-02-22 8:58 ` Igor Stoppa [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=77b1e91b-ca65-f13c-ada5-b24c55c87cb3@huawei.com \
--to=igor.stoppa@huawei.com \
--cc=cl@linux.com \
--cc=corbet@lwn.net \
--cc=dchinner@redhat.com \
--cc=hch@infradead.org \
--cc=jglisse@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mhocko@kernel.org \
--cc=rdunlap@infradead.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox