From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
To: Jeff Xu <jeffxu@chromium.org>
Cc: Kees Cook <kees@kernel.org>,
akpm@linux-foundation.org, vbabka@suse.cz,
Liam.Howlett@oracle.com, broonie@kernel.org,
skhan@linuxfoundation.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-mm@kvack.org, jorgelo@chromium.org,
pedro.falcato@gmail.com, rdunlap@infradead.org, jannh@google.com
Subject: Re: [RFC PATCH v1 2/2] mseal: allow noop mprotect
Date: Thu, 13 Mar 2025 05:29:30 +0000 [thread overview]
Message-ID: <79b1b6bf-e916-45d4-b20a-0f9041ca36bf@lucifer.local> (raw)
In-Reply-To: <CABi2SkUs3bXB2jw+1CUQPtWfZ6-kZDunQweOSSw6j_8JALUfAQ@mail.gmail.com>
On Wed, Mar 12, 2025 at 04:29:50PM -0700, Jeff Xu wrote:
> On Wed, Mar 12, 2025 at 9:45 AM Kees Cook <kees@kernel.org> wrote:
> >
> > On Wed, Mar 12, 2025 at 03:50:40PM +0000, Lorenzo Stoakes wrote:
> > > What about madvise() with MADV_DONTNEED on a r/o VMA that's not faulted in?
> > > That's a no-op right? But it's not permitted.
> >
> Madvise's semantics are about behavior, while mprotect is about
> attributes. To me: madvise is like "make this VMA do that" while
> mprotect is about "update this VMA's attributes to a new value".
>
> It is more difficult to determine if a behavior is no-op, so I don't
> intend to apply the same no-op concept to madvise().
>
> > Hmm, yes, that's a good example. Thank you!
> >
> > > So now we have an inconsistency between the two calls.
> >
> > Yeah, I see your concern now.
> >
> > > I don't know what you mean by 'ergonomic'?
> >
> > I was thinking about idempotent-ness. Like, some library setting up a
> > memory region, it can't call its setup routine twice if the second time
> > through (where no changes are made) it gets rejected. But I think this
> > is likely just a userspace problem: check for the VMAs before blindly
> > trying to do it again. (This is strictly an imagined situation.)
> >
> Yes.
>
> We also don't have a system call to query the "mprotect" attributes,
> so it is understandable that userspace can rely on idempotents of the
> mprotect.
PROCMAP_QUERY ioctl, /proc/$pid/pagemap :) I mean hey - these are somewhat
diagnostic-y, racey, un-fun interfaces that we'd rather you not use in
anger when mapping stuff - but they do at least exist :)
(an aside, been playing with PROCMAP_QUERY recently and very cool - we plan
to make this useable under RCU lock rather than mmap lock which will make
it _even more_ useful in future... exciting times :)
It's possible, but it seems that it would be relying upon it purely because
in some cases it would be modifying the mapping, right?
It strikes me as very unlikely that an application would be looking to
modify the attributes of a series of VMAs including ones that have a
security feature enabled which says 'until this is unmapped do not modify
the attributes of this VMA'.
Yes it's _theoretically_ possible but that'd be quite silly no?
>
> > > My reply seemed to get truncated at the end here :) So let me ask again -
> > > do you have a practical case in mind for this?
> >
> I noticed there were idempotent mprotects last year while working on
> applying mseal on stack in Android. I assume this might not be the
> only instance since mprotect gets called a lot in general.
>
> Blocking this won't improve security, it could actually hinder the
> adoption of mseal, i.e. force apps to make code change.
Thanks for the explanation it's appreciated!
But I feel the drawbacks I mentioned previously and elucidated upon in my
reply to Kees outweigh this theoretical concern.
If we encounter actual real-world instances of this we can reconsider,
presuming we are ok with the asymmetry vs. other seal-protected calls. We
have this shipped with a uAPI already like this so there's no rush.
>
> -Jeff
>
> > Sorry, I didn't have any reply to that part, so I left it off. If Jeff
> > has a specific case in mind, I'll let him answer that part. :)
> >
> > -Kees
> >
> > --
> > Kees Cook
Cheers, Lorenzo
next prev parent reply other threads:[~2025-03-13 5:29 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-12 0:21 [RFC PATCH v1 0/2] " jeffxu
2025-03-12 0:21 ` [RFC PATCH v1 1/2] selftests/mm: mseal_test: avoid using no-op mprotect jeffxu
2025-03-12 0:21 ` [RFC PATCH v1 2/2] mseal: allow noop mprotect jeffxu
2025-03-12 13:49 ` Lorenzo Stoakes
2025-03-12 15:27 ` Kees Cook
2025-03-12 15:48 ` Pedro Falcato
2025-03-12 15:50 ` Lorenzo Stoakes
2025-03-12 16:45 ` Kees Cook
2025-03-12 23:29 ` Jeff Xu
2025-03-13 5:29 ` Lorenzo Stoakes [this message]
2025-03-13 22:50 ` Jeff Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=79b1b6bf-e916-45d4-b20a-0f9041ca36bf@lucifer.local \
--to=lorenzo.stoakes@oracle.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=broonie@kernel.org \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=jorgelo@chromium.org \
--cc=kees@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pedro.falcato@gmail.com \
--cc=rdunlap@infradead.org \
--cc=skhan@linuxfoundation.org \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox