From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
To: Jeff Xu <jeffxu@chromium.org>
Cc: Kees Cook <kees@kernel.org>,
akpm@linux-foundation.org, jannh@google.com,
torvalds@linux-foundation.org, vbabka@suse.cz,
lorenzo.stoakes@oracle.com, adhemerval.zanella@linaro.org,
oleg@redhat.com, avagin@gmail.com, benjamin@sipsolutions.net,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com,
hch@lst.de, ojeda@kernel.org, thomas.weissschuh@linutronix.de,
adobriyan@gmail.com, johannes@sipsolutions.net,
pedro.falcato@gmail.com, hca@linux.ibm.com, willy@infradead.org,
anna-maria@linutronix.de, mark.rutland@arm.com,
linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de,
rdunlap@infradead.org, davem@davemloft.net, peterx@redhat.com,
f.fainelli@gmail.com, gerg@kernel.org,
dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org,
mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org,
ardb@google.com, enh@google.com, rientjes@google.com,
groeck@chromium.org, mpe@ellerman.id.au,
aleksandr.mikhalitsyn@canonical.com, mike.rapoport@gmail.com
Subject: Re: [RFC PATCH v5 1/7] mseal, system mappings: kernel config and header change
Date: Thu, 13 Feb 2025 19:14:36 -0500 [thread overview]
Message-ID: <tfoitovawb6zwr7nvwfo2mnbahgtnoo6umvecj5mgtie4b5vuf@sloraia3ppfy> (raw)
In-Reply-To: <CABi2SkX3o-PdeuzownVkFT-oo8tjtaaS9ebOALu+r6O1S6W3sg@mail.gmail.com>
* Jeff Xu <jeffxu@chromium.org> [250213 17:00]:
> On Thu, Feb 13, 2025 at 12:54 PM Liam R. Howlett
> <Liam.Howlett@oracle.com> wrote:
>
> > > > >
> > > > > VM_SEALED isn't defined in 32-bit systems, and mseal.c isn't part of
> > > > > the build. This is intentional. Any 32-bit code trying to use the
> > > > > sealing function or the VM_SEALED flag will immediately fail
> > > > > compilation. This makes it easier to identify incorrect usage.
> > > >
> > > > So you are against using the #define because the VM_SYSTEM_SEAL will be
> > > > defined, even though it will be VM_NONE? This is no worse than a
> > > > function that returns 0, and it aligns better with what we have today in
> > > > that it can be put in the list of other flags.
> > >
> > > When I was reading through all of this and considering the history of
> > > its development goals, it strikes me that a function is easier for the
> > > future if/when this can be made a boot-time setting.
> > >
> >
> > Reworking this change to function as a boot-time parameter, or whatever,
> > would not be a significant amount of work, if/when the time comes.
> > Since we don't know what the future holds, it it unnecessary to engineer
> > in a potential change for a future version when the change is easy
> > enough to make later and keep the code cleaner now.
> >
> Sure, I will put the function in mm.h for this patch. We can find a
> proper place when it is time to implement the boot-time parameter
> change.
>
> The call stack for sealing system mapping is something like below:
>
> install_special_mapping (mm/mmap.c)
> map_vdso (arch/x86/entry/vdso/vma.c)
> load_elf_binary (fs/binfmt_elf.c)
> load_misc_binary (fs/binfmt_misc.c)
> bprm_execve (fs/exec.c)
> do_execveat_common
> __x64_sys_execve
> do_syscall_64
>
> IMO, there's a clear divide between the API implementer and the API user.
> mm and mm.h are the providers, offering the core mm functionality
> through APIs/data structures like install_special_mapping().
>
> The exe layer (bprm_execve, map_vdso, etc) is the consumer of the
> install_special_mapping.
> The logic related to checking if sealing system mapping is enabled
> belongs to the exe layer.
Since this is an all or nothing enabling, there is no reason to have
each caller check the same thing and do the same action. You should put
the logic into the provider - they all end up doing the same thing.
Also, this is a compile time option so it doesn't even need to be
checked on execution - just apply it in the first place, at the source.
Your static inline function was already doing this...?
I'm confused as to what you are arguing here because it goes against
what you had and what I suggested. The alternative you are suggesting
is more code, more instructions, and the best outcome is the same
result.
>
> >
> > > If mm maintainers prefer a #define for now, that's fine of course. The
> > > value of VM_SYSTEM_SEAL can be VM_NONE on 32-bit.
> >
> > Thanks. I think having a flag with VM_NONE on 32-bit is just as sane as
> > a "flags |= system_seal()" call that unconditionally returns 0 on
> > 32-bit.
> >
> Consider the case below in src/third_party/kernel/v6.6/fs/proc/task_mmu.c,
>
> #ifdef CONFIG_64BIT
> [ilog2(VM_SEALED)] = "sl",
> #endif
>
> If #ifdef CONFIG_64BIT is missing, it won't be detected during compile time.
>
> Setting VM_SEALED to VM_NONE could simplify the coding in some cases
> (get/set case), but it might make other cases error prone.
>
> I would prefer to not have VM_SEALED for 32 bit.
But what I posted leaves VM_SEALED undefined for 32 bit, it defines
VM_SYSTEM_SEALED which can be placed, for instance, into
_install_special_mapping() arguments directly. Reducing the change to
just adding a new flag to the list. And it's applied to all system
mappings based on if it's enabled on compile or not.
Also:
include/linux/mm.h:#define VM_NONE 0x00000000
so, I'm not sure what evaluation you are concerned about? It would be
defined as 0.
Thanks,
Liam
next prev parent reply other threads:[~2025-02-14 0:15 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-12 3:21 [RFC PATCH v5 0/7] mseal system mappings jeffxu
2025-02-12 3:21 ` [RFC PATCH v5 1/7] mseal, system mappings: kernel config and header change jeffxu
2025-02-12 3:31 ` Randy Dunlap
2025-02-12 3:40 ` Jeff Xu
2025-02-12 15:05 ` Liam R. Howlett
2025-02-13 17:15 ` Jeff Xu
2025-02-13 18:29 ` Liam R. Howlett
2025-02-13 20:11 ` Kees Cook
2025-02-13 20:54 ` Liam R. Howlett
2025-02-13 22:00 ` Jeff Xu
2025-02-14 0:14 ` Liam R. Howlett [this message]
2025-02-14 1:10 ` Liam R. Howlett
2025-02-14 14:39 ` Jeff Xu
2025-02-14 14:59 ` Lorenzo Stoakes
2025-02-14 15:18 ` Jeff Xu
2025-02-12 3:21 ` [RFC PATCH v5 2/7] selftests: x86: test_mremap_vdso: skip if vdso is msealed jeffxu
2025-02-12 13:03 ` Thomas Weißschuh
2025-02-13 14:14 ` Jeff Xu
2025-02-13 19:28 ` Kees Cook
2025-02-13 22:20 ` Jeff Xu
2025-02-14 2:52 ` Kees Cook
2025-02-14 14:15 ` Jeff Xu
2025-02-12 3:21 ` [RFC PATCH v5 3/7] mseal, system mappings: enable x86-64 jeffxu
2025-02-12 3:21 ` [RFC PATCH v5 4/7] mseal, system mappings: enable arm64 jeffxu
2025-02-12 3:21 ` [RFC PATCH v5 5/7] mseal, system mappings: enable uml architecture jeffxu
2025-02-12 3:21 ` [RFC PATCH v5 6/7] mseal, system mappings: uprobe mapping jeffxu
2025-02-12 3:21 ` [RFC PATCH v5 7/7] mseal, system mappings: update mseal.rst jeffxu
2025-02-12 11:24 ` [RFC PATCH v5 0/7] mseal system mappings Lorenzo Stoakes
2025-02-12 12:37 ` Pedro Falcato
2025-02-12 14:01 ` Lorenzo Stoakes
2025-02-12 14:08 ` Johannes Berg
2025-02-13 19:59 ` Pedro Falcato
2025-02-13 20:47 ` Kees Cook
2025-02-18 23:18 ` Pedro Falcato
2025-02-19 13:46 ` Adhemerval Zanella Netto
2025-02-19 17:17 ` enh
2025-02-23 2:05 ` Jeff Xu
2025-02-12 22:05 ` Kees Cook
2025-02-13 14:20 ` Jeff Xu
2025-02-13 18:35 ` Liam R. Howlett
2025-02-13 19:34 ` Kees Cook
2025-02-13 20:10 ` Liam R. Howlett
2025-02-13 14:19 ` Jeff Xu
2025-02-12 3:32 jeffxu
2025-02-12 3:32 ` [RFC PATCH v5 1/7] mseal, system mappings: kernel config and header change jeffxu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tfoitovawb6zwr7nvwfo2mnbahgtnoo6umvecj5mgtie4b5vuf@sloraia3ppfy \
--to=liam.howlett@oracle.com \
--cc=42.hyeyoo@gmail.com \
--cc=Jason@zx2c4.com \
--cc=adhemerval.zanella@linaro.org \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=aleksandr.mikhalitsyn@canonical.com \
--cc=anna-maria@linutronix.de \
--cc=ardb@google.com \
--cc=ardb@kernel.org \
--cc=avagin@gmail.com \
--cc=benjamin@sipsolutions.net \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=deller@gmx.de \
--cc=enh@google.com \
--cc=f.fainelli@gmail.com \
--cc=gerg@kernel.org \
--cc=groeck@chromium.org \
--cc=hca@linux.ibm.com \
--cc=hch@lst.de \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=johannes@sipsolutions.net \
--cc=jorgelo@chromium.org \
--cc=kees@kernel.org \
--cc=linus.walleij@linaro.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mark.rutland@arm.com \
--cc=mhocko@suse.com \
--cc=mike.rapoport@gmail.com \
--cc=mingo@kernel.org \
--cc=mpe@ellerman.id.au \
--cc=ojeda@kernel.org \
--cc=oleg@redhat.com \
--cc=pedro.falcato@gmail.com \
--cc=peterx@redhat.com \
--cc=peterz@infradead.org \
--cc=rdunlap@infradead.org \
--cc=rientjes@google.com \
--cc=sroettger@google.com \
--cc=thomas.weissschuh@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=vbabka@suse.cz \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox