From: Paul Moore
Date: Sun, 7 May 2023 15:53:05 -0400
Subject: Re: [PATCH] sysctl: add config to make randomize_va_space RO
To: Kaiwan N Billimoria
Cc: David Hildenbrand, Sam James, Michael McCracken, linux-kernel@vger.kernel.org, serge@hallyn.com, tycho@tycho.pizza, Luis Chamberlain, Kees Cook, Iurii Zaikin, Andrew Morton, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com
References: <20230504213002.56803-1-michael.mccracken@gmail.com> <87pm7f9q3q.fsf@gentoo.org>

On Sat, May 6, 2023 at 3:05 AM Kaiwan N Billimoria wrote:
> On Fri, May 5, 2023 at 8:53 PM Paul Moore wrote:
> >
> > On Fri, May 5, 2023 at 11:15 AM David Hildenbrand wrote:
> > > On 05.05.23 09:46, Sam James wrote:
> > > > David Hildenbrand writes:
> > > >> On 04.05.23 23:30, Michael McCracken wrote:
> > > >>> Add config RO_RANDMAP_SYSCTL to set the mode of the randomize_va_space
> > > >>> sysctl to 0444 to disallow all runtime changes. This will prevent
> > > >>> accidental changing of this value by a root service.
> > > >>> The config is disabled by default to avoid surprises.
> >
> > ...
> >
> > > If we really care, not sure what's better: maybe we want to disallow
> > > disabling it only in a security lockdown kernel?
> >
> > If we're bringing up the idea of Lockdown, controlling access to
> > randomize_va_space is possible with the use of LSMs. One could easily
> > remove write access to randomize_va_space, even for tasks running as
> > root.
>
> IMO, don't _move_ the sysctl to LSM(s).

There is nothing to move, the ability to restrict access to
randomize_va_space exists today, it is simply a matter of if the
security policy author or admin wants to enable it.

If you are like Michael and you want to block write access, even when
running as root, you can do so with an LSM. You can also allow write
access. With SELinux you can allow/disallow the privilege on a
task-by-task basis to meet individual usability and security
requirements.

-- 
paul-moore.com
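
An audit check for the two properties this thread is about: the value of randomize_va_space and whether its mode bits still permit runtime writes. This is an added example, not part of the thread or of the proposed patch; the function name `audit_aslr_sysctl` and its optional path argument are assumptions. It inspects only the mode that the proposed 0444 setting would change; an LSM policy that blocks the write is not visible in the mode bits.

```shell
#!/bin/sh
# Added example: audit the ASLR sysctl discussed in this thread.
# audit_aslr_sysctl is a hypothetical helper. The path argument defaults to
# the real sysctl file and exists so the check can be exercised on a copy.
# Usage: source this file, then call audit_aslr_sysctl [path].

audit_aslr_sysctl() {
    path="${1:-/proc/sys/kernel/randomize_va_space}"
    [ -r "$path" ] || { echo "unreadable"; return 2; }

    value=$(tr -d '[:space:]' < "$path")
    mode=$(stat -c '%a' "$path") || { echo "unreadable"; return 2; }  # GNU stat
    # Keep only the user/group/other digits, dropping any setuid/sticky digit.
    perm=$(printf '%s' "$mode" | tail -c 3)

    # 2 = full randomization, 1 = no heap (brk) randomization, 0 = disabled.
    case "$value" in
        2) ;;
        0|1) echo "weak value=$value mode=$perm"; return 1 ;;
        *)   echo "unexpected value=$value mode=$perm"; return 2 ;;
    esac

    # A digit of 2, 3, 6 or 7 carries a write bit, so the sysctl can still be
    # changed at run time by whoever that digit applies to.
    case "$perm" in
        *[2367]*) echo "writable value=$value mode=$perm"; return 1 ;;
    esac

    echo "ok value=$value mode=$perm"
    return 0
}
```
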