From: Serge Hallyn
To: David Hildenbrand
Cc: Michael McCracken, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, tycho@tycho.pizza, Luis Chamberlain, Kees Cook, Iurii Zaikin, Andrew Morton, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH] sysctl: add config to make randomize_va_space RO
Date: Mon, 15 May 2023 16:43:12 -0500
References: <20230504213002.56803-1-michael.mccracken@gmail.com>

On Fri, May 05, 2023 at 09:35:59AM +0200, David Hildenbrand wrote:
> On 04.05.23 23:30, Michael McCracken wrote:
> > Add config RO_RANDMAP_SYSCTL to set the mode of the randomize_va_space
> > sysctl to 0444 to disallow all runtime changes. This will prevent
> > accidental changing of this value by a root service.
> >
> > The config is disabled by default to avoid surprises.
>
> Can you elaborate why we care about "accidental changing of this value by a
> root service"?

Accidental... malicious... Note that when people run programs as root with
reduced or no capabilities they can still write this file.

> We cannot really stop root from doing a lot of stupid things (e.g., erase
> the root fs), so why do we particularly care here?

Regardless of the "real value" of it, I know for a fact there are lots of
teams out there adding kernel patches to just change the mode of that file.
Why? Possibly to satisfy a scanner, because another team says it's
important.

The problem with lockdown is it's all or nothing. The problem with LSM for
this purpose is that everyone will have to configure their policy
differently.

So I do think it was worth testing the waters with this patch, to reduce
the number of duplicate patches people run with.

-serge
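The point about root processes with reduced capabilities rests on the sysctl file's DAC mode bits (0644, owned by root) being what decides write access, which is exactly what the proposed config changes to 0444. As an added example, not part of this thread or of the patch under discussion, the following POSIX shell helper audits the knob from a defender's side: it reports the current value with its documented meaning, whether the owner-write bit is still set, and the sysctl.d setting that restores full randomization. The function names (aslr_mode_desc, aslr_owner_writable, aslr_audit) are mine; the path argument defaults to /proc/sys/kernel/randomize_va_space and can point at a constructed file for testing.

```sh
#!/bin/sh
# Added audit helper for the randomize_va_space knob discussed in the thread.
# Not part of the thread or of any kernel patch; the function names are
# invented here.  Portable POSIX sh: the owner-write bit is read from `ls -l`
# rather than from GNU stat.

# Meaning of each value, per Documentation/admin-guide/sysctl/kernel.rst.
aslr_mode_desc() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "conservative (stack, mmap base, VDSO randomized; brk not)" ;;
        2) echo "full (brk randomized as well)" ;;
        *) echo "unknown ($1)" ;;
    esac
}

# Print yes/no according to the owner-write bit of the file's mode.  For a
# root-owned 0644 file those bits, not the caller's capabilities, decide
# whether a write is allowed, which is the point raised in the reply above.
aslr_owner_writable() {
    bit=$(ls -ld "$1" | cut -c3)
    if [ "$bit" = "w" ]; then echo yes; else echo no; fi
}

# Report the knob's state.  Returns 0 when full randomization (2) is in
# effect, 1 when it has been weakened, 2 when the file cannot be read.
aslr_audit() {
    path="${1:-/proc/sys/kernel/randomize_va_space}"
    if [ ! -r "$path" ]; then
        echo "error: cannot read $path" >&2
        return 2
    fi
    value=$(tr -d '[:space:]' < "$path")
    echo "randomize_va_space=$value ($(aslr_mode_desc "$value"))"
    echo "owner-writable=$(aslr_owner_writable "$path")"
    if [ "$value" = "2" ]; then
        return 0
    fi
    echo "weakened: restore with 'kernel.randomize_va_space = 2' in /etc/sysctl.d/" >&2
    return 1
}

# Run against the live kernel when the knob exists (skipped elsewhere).
if [ -r /proc/sys/kernel/randomize_va_space ]; then
    aslr_audit /proc/sys/kernel/randomize_va_space || true
fi
```

The writability check deliberately reads the mode bits instead of using `[ -w ]`: the latter goes through access(2) and so reports whatever the auditing user can do, which hides the question the patch is about, namely whether the file itself still carries an owner-write bit for any root process to use.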