From: Andrei Vagin
Date: Thu, 2 Jan 2025 11:15:51 -0800
Subject: Re: [PATCH v4 1/1] exec: seal system mappings
To: Kees Cook

On Tue, Dec 17, 2024 at 2:18 PM Kees Cook wrote:
> ....
> Also from discussions it sounds like there may need to be even finer-grain
> control, likely via prctl, for dealing with the CRIU case. The proposal
> is to provide an opt-out prctl with CAP_CHECKPOINT_RESTORE? I think this
> is reasonable and lets this all work without a new CONFIG. I imagine it
> would look like:
>
> criu process (which has CAP_CHECKPOINT_RESTORE):

Hi Kees,

Sorry for the delay, I've been out of network for the last two weeks.

Overall, this approach looks good to me. However, I think the opt-out
prctl shouldn't depend on CAP_CHECKPOINT_RESTORE. There are other use
cases besides CRIU where we need to unmap or move system mappings.
For example, gVisor uses stub processes to represent guest address
spaces. gVisor unmaps all system mappings (like vdso, vvar, etc) from stub
processes.

> - prctl(GET_MSEAL_SYSTEM_MAPPINGS)
> - if set:
>   - remember we need to mseal mappings
>   - prctl(SET_MSEAL_SYSTEM_MAPPINGS, 0)
>   - re-exec with --mseal-system-mappings (or something)
> - perform the "fork a tree to restore" work
> - in each child, move around all the mappings
> - if we need to mseal mappings:
>   - prctl(SET_MSEAL_SYSTEM_MAPPINGS, 1)
>   - mseal each system mapping
> - eventually drop CAP_CHECKPOINT_RESTORE
> - become the restored process
>

Thanks,
Andrei