From: Jeff Xu
Date: Thu, 17 Oct 2024 09:12:00 -0700
Subject: Re: [RFC PATCH v2 1/1] exec: seal system mappings
To: Oleg Nesterov
Cc: "Liam R. Howlett", akpm@linux-foundation.org, keescook@chromium.org,
 jannh@google.com, torvalds@linux-foundation.org, adhemerval.zanella@linaro.org,
 linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org,
 jorgelo@chromium.org, sroettger@google.com, ojeda@kernel.org, adobriyan@gmail.com,
 anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org,
 Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net,
 hch@lst.de, peterx@redhat.com, hca@linux.ibm.com, f.fainelli@gmail.com,
 gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org,
 mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com,
 enh@google.com, rientjes@google.com, groeck@chromium.org, lorenzo.stoakes@oracle.com

On Thu, Oct 17, 2024 at 1:38 AM Oleg Nesterov wrote:
>
> On 10/16, Jeff Xu wrote:
> >
> > On Wed, Oct 16, 2024 at 6:10 PM Liam R. Howlett wrote:
> > >
> > > > + exec.seal_system_mappings = [KNL]
> > > > + Format: { never | always }
> > > > + Seal system mappings: vdso, vvar, sigpage, uprobes,
> > > > + vsyscall.
> > > > + This overwrites KCONFIG CONFIG_SEAL_SYSTEM_MAPPINGS_*
> > > > + - 'never': never seal system mappings.
> > >
> > > Not true, uprobes are sealed when 'never' is selected.
> > >
> > Thanks. I forgot to uprobes from the description in Kconfig and
> > kernel-parameters.txt, will update.
>
> Jeff, I am sorry for confusion.
>
> No need to make uprobes "special" and complicate the logic/documentation.
>
> I just meant that, unlike vdso, it is always safe/good to mseal the "[uprobes]"
> vma, regardless of config/boot options.
>
> Please do what you think is right, I am fine either way.
>
OK, in that case, V1 is a better approach, using the same config to
control all system mappings. I will send V1 to revert that.

Thanks for clarifying.
-Jeff

> Oleg.
>
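
Review bot: the 'never' line of the quoted exec.seal_system_mappings entry says system mappings are never sealed, yet the list above it names uprobes, and the reply in this thread states that uprobes are sealed even when 'never' is selected. The entry should either drop uprobes from the list or spell out the exception on the 'never' line, so that an administrator reading the parameter description is not misled about which mappings stay unsealed. In the same entry, "This overwrites KCONFIG" would be clearer as "This overrides".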