From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9EB14C77B7F
	for <linux-mm@archiver.kernel.org>; Fri,  5 May 2023 15:15:21 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id DFB096B0072; Fri,  5 May 2023 11:15:20 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id D842E6B0075; Fri,  5 May 2023 11:15:20 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id C4B516B007B; Fri,  5 May 2023 11:15:20 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by kanga.kvack.org (Postfix) with ESMTP id AA2E76B0072
	for <linux-mm@kvack.org>; Fri,  5 May 2023 11:15:20 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1683299720;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=kkrG6TrT6vUt7l/1yAEGc4UPeZE85BI5/e7CQ9gxkxM=;
	b=gpzsSvTTyKZYDEASGfcOZYFa+ytkc+Nts1BAxIPN+VsiSRIBl3xbx7l5Gx5ibvdEe2viv8
	oKjDbTBhFXjphz+ul3Ib1+av1AvKggZn+FNZDVGOiyWrArt6RFGWlFhykbVdyB93DlDMf8
	UcWuMzlAEov/uuF7d3sx0fn8kzis8Kk=
Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com
 [209.85.221.72]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-437-dQWn5aB7O16CfXtbVGfvCA-1; Fri, 05 May 2023 11:15:19 -0400
X-MC-Unique: dQWn5aB7O16CfXtbVGfvCA-1
Received: by mail-wr1-f72.google.com with SMTP id ffacd0b85a97d-3064d0b726fso690775f8f.0
        for <linux-mm@kvack.org>; Fri, 05 May 2023 08:15:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1683299717; x=1685891717;
        h=content-transfer-encoding:in-reply-to:subject:organization:from
         :references:cc:to:content-language:user-agent:mime-version:date
         :message-id:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=kkrG6TrT6vUt7l/1yAEGc4UPeZE85BI5/e7CQ9gxkxM=;
        b=DFfqNjGgv0+PHaleow+VQGGIdc4yM2OWLNUH+E50T1hXXDYi7dJ8W55NVI1c+5uiPI
         sBppInuCzWCkVyN0e+7gi93h/lVOflfTjuH43Etc+ylpY0Bb2bVlaxs4lWFIfdcVWVPi
         PsiIgUzwISh1oPOavJgTxCuaoBAo9/2e+a6en3K5oG1ZMKoh79ekJ4O7AEUZmLBlcpnU
         SLmyIK/PC+r1OVvBiey2YcIwmRdGVXCrmhv1lVpm9aeWDAkPNSqyFYlLVcXzpeSlxFpG
         Gu/AT5PRLGva/2ueulzMLB0GxH9iAId1SDX5Y+292V+Ihg1TnIglS3L6r0iZSfBFSLW3
         0LgA==
X-Gm-Message-State: AC+VfDzLq8m0gyr5owTstVX5AGVBopJULlZWShuiWhDHxrjq03Ur6QHk
	zZAVoSHAoQgNCFZsk+LVj+W74YssUuVh5tbeSi/682/b9P3QeBNt8WCY8k/vXj6qMUtgdZK1VfL
	V0BOykWiIPpc=
X-Received: by 2002:adf:e852:0:b0:2f2:783f:ae4a with SMTP id d18-20020adfe852000000b002f2783fae4amr1565322wrn.32.1683299717085;
        Fri, 05 May 2023 08:15:17 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ5JphXg6YSvIF6EBsByLfX+Q1TzMx3ezx0pIYW00N+N1esYSq7PB5q/K6U1CiU7dEnLsZInQg==
X-Received: by 2002:adf:e852:0:b0:2f2:783f:ae4a with SMTP id d18-20020adfe852000000b002f2783fae4amr1565295wrn.32.1683299716737;
        Fri, 05 May 2023 08:15:16 -0700 (PDT)
Received: from ?IPV6:2003:cb:c71f:6900:2b25:fc69:599e:3986? (p200300cbc71f69002b25fc69599e3986.dip0.t-ipconnect.de. [2003:cb:c71f:6900:2b25:fc69:599e:3986])
        by smtp.gmail.com with ESMTPSA id k17-20020adfe3d1000000b00301a351a8d6sm2704788wrm.84.2023.05.05.08.15.15
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Fri, 05 May 2023 08:15:16 -0700 (PDT)
Message-ID: <c50ac5e4-3f84-c52a-561d-de6530e617d7@redhat.com>
Date: Fri, 5 May 2023 17:15:15 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.10.0
To: Sam James <sam@gentoo.org>
Cc: Michael McCracken <michael.mccracken@gmail.com>,
 linux-kernel@vger.kernel.org, serge@hallyn.com, tycho@tycho.pizza,
 Luis Chamberlain <mcgrof@kernel.org>, Kees Cook <keescook@chromium.org>,
 Iurii Zaikin <yzaikin@google.com>, Andrew Morton
 <akpm@linux-foundation.org>, linux-fsdevel@vger.kernel.org,
 linux-mm@kvack.org, kernel-hardening@lists.openwall.com
References: <20230504213002.56803-1-michael.mccracken@gmail.com>
 <fbf37518-328d-c08c-7140-5d09d7a2674f@redhat.com> <87pm7f9q3q.fsf@gentoo.org>
From: David Hildenbrand <david@redhat.com>
Organization: Red Hat
Subject: Re: [PATCH] sysctl: add config to make randomize_va_space RO
In-Reply-To: <87pm7f9q3q.fsf@gentoo.org>
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000136, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On 05.05.23 09:46, Sam James wrote:
> 
> David Hildenbrand <david@redhat.com> writes:
> 
>> On 04.05.23 23:30, Michael McCracken wrote:
>>> Add config RO_RANDMAP_SYSCTL to set the mode of the randomize_va_space
>>> sysctl to 0444 to disallow all runtime changes. This will prevent
>>> accidental changing of this value by a root service.
>>> The config is disabled by default to avoid surprises.
>>
>> Can you elaborate why we care about "accidental changing of this value
>> by a root service"?
>>
>> We cannot really stop root from doing a lot of stupid things (e.g.,
>> erase the root fs), so why do we particularly care here?
> 
> (I'm really not defending the utility of this, fwiw).
> 
> In the past, I've seen fuzzing tools and other debuggers try to set
> it, and it might be that an admin doesn't realise that. But they could
> easily set other dangerous settings unsuitable for production, so...

At least fuzzing tools randomly toggling it could actually find real 
problems. Debugging tools ... makes sense that they might be using it.

What I understand is, that it's more of a problem that the system 
continues running and the disabled randomization isn't revealed to an 
admin easily.

If we really care, not sure what's better: maybe we want to disallow 
disabling it only in a security lockdown kernel? Or at least warn the 
user when disabling it? (WARN_TAINT?)

-- 
Thanks,

David / dhildenb