Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751763AbdFGMgc (ORCPT ); Wed, 7 Jun 2017 08:36:32 -0400 Received: from lhrrgout.huawei.com ([194.213.3.17]:28128 "EHLO lhrrgout.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751476AbdFGMga (ORCPT ); Wed, 7 Jun 2017 08:36:30 -0400 From: Igor Stoppa To: , , CC: , , , , , , , , , , Igor Stoppa Subject: [PATCH v6 0/4] ro protection for dynamic data Date: Wed, 7 Jun 2017 15:35:01 +0300 Message-ID: <20170607123505.16629-1-igor.stoppa@huawei.com> X-Mailer: git-send-email 2.9.3 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.122.225.51] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090203.5937F348.001B,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 273fc7ba2c483e3a3271514ae8e5d1c8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2380 Lines: 65 Hi, please consider for inclusion. This patchset introduces the possibility of protecting memory that has been allocated dynamically. The memory is managed in pools: when a pool is made R/O, all the memory that is part of it, will become R/O. A R/O pool can be destroyed to recover its memory, but it cannot be turned back into R/W mode. This is intentional. This feature is meant for data that doesn't need further modifications, after initialization. An example is provided, showing how to turn into a boot-time option the writable state of the security hooks. Prior to this patch, it was a compile-time option. This is made possible, thanks to Tetsuo Handa's rework of the hooks structure (included in the patchset). Changes since the v5 version: - use unsigned long for __PMALLOC_ALIGNED alignment - fixed a regression where size in bytes was used instead of size in words - tightened the update of the pools list during removal, by doing earlier the decrement of the atomic counter The only question still open is if there should be a possibility for unprotecting a memory pool in other cases than destruction. The only cases found for this topic are: - protecting the LSM header structure between creation and insertion of a security module that was not built as part of the kernel (but the module can protect the headers after it has loaded) - unloading SELinux from RedHat, if the system has booted, but no policy has been loaded yet - this feature is going away, according to Casey. Igor Stoppa (3): Protectable Memory Allocator Protectable Memory Allocator - Debug interface Make LSM Writable Hooks a command line option Tetsuo Handa (1): LSM: Convert security_hook_heads into explicit array of struct list_head include/linux/lsm_hooks.h | 412 ++++++++++++++++++++--------------------- include/linux/page-flags.h | 2 + include/linux/pmalloc.h | 20 ++ include/trace/events/mmflags.h | 1 + init/main.c | 2 + mm/Kconfig | 11 ++ mm/Makefile | 1 + mm/pmalloc.c | 339 +++++++++++++++++++++++++++++++++ mm/usercopy.c | 24 ++- security/security.c | 49 +++-- 10 files changed, 631 insertions(+), 230 deletions(-) create mode 100644 include/linux/pmalloc.h create mode 100644 mm/pmalloc.c -- 2.9.3