Received: by 10.223.176.46 with SMTP id f43csp1136951wra; Wed, 24 Jan 2018 11:13:42 -0800 (PST) X-Google-Smtp-Source: AH8x224W5E2wy7ClCQZ5gsWGJBy+x8owr9NxW4xGJfZpmT/mhQLS+9WFZrqBnmM5VhhE1L6hJh9E X-Received: by 10.99.180.6 with SMTP id s6mr10492641pgf.5.1516821222152; Wed, 24 Jan 2018 11:13:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516821222; cv=none; d=google.com; s=arc-20160816; b=Q+EFMr4hkGQnxKHu7csX1SWCHKzugr6ECK1o9tcuOH0LJBse0VGJnAHmGXd7i96Uet hUa1rSa5PI75wKBf79sx+TMOBs2nPDXVYlOfh4tJppvPJ0ztu81U8/zLl3X+g50fIV+i i38Dy95uaAX7zXOJmCC6skTBfUdmalAysqESiSA7uGMKG9+WbMalXFZJpz2Sl/cCdNoZ zMuGQUNJLunBtQvzOMuPIhXXQjFYzwmNVYtv1F1a2Cor99LmxCYK3dJq9RotoP2sO7Er Z1h52znRAjhoZo/xnkQmVEbVpRI6Ya+/01QGSI6h2pNIjlin6G8SFyp+HC8AD3L7DeEI 37xQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=1I7U/F0ucofxTrzPTWV1KOz0oDAngAPYRBd0AunRLTw=; b=BAwrio1humnGpbQSX0BJ9vRk59IQOE5dAFL93zxHrzNCK0ph2XPS5yqZ+dwUmV6FFK dEn2n4R6pK7NvhGxLay9KygDrQSnMy7QrUKv+1cg00xwUdU3lKxS1dfVRWZ7AflXPiyq i6CaYJL8bakiRyI32PX6z8JMs2r43U7eDLJmtPAFRujbKQ+NhO7Se9p5heGOd2FVJqiR Edy6zwKrJg8Xg1sU7zFc/Bykvu2Tr53tfx1C75ikhKYXZIH06WgsCwK+nzVWlPgscGo+ Zst7GVqYVKXJnGVVEoVX0u9EAWyfcQNejxscuq1i4Wbjj2dPRWpHwEcstgvMfoFUhubm Mslg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=bUn8LNl1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k130si478358pgc.358.2018.01.24.11.13.27; Wed, 24 Jan 2018 11:13:42 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=bUn8LNl1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965224AbeAXTLR (ORCPT + 99 others); Wed, 24 Jan 2018 14:11:17 -0500 Received: from mail-ot0-f194.google.com ([74.125.82.194]:34272 "EHLO mail-ot0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S964999AbeAXTLO (ORCPT ); Wed, 24 Jan 2018 14:11:14 -0500 Received: by mail-ot0-f194.google.com with SMTP id x15so4543210ote.1 for ; Wed, 24 Jan 2018 11:11:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=1I7U/F0ucofxTrzPTWV1KOz0oDAngAPYRBd0AunRLTw=; b=bUn8LNl1f9hcWu7eppDFq4LhjfSc+0uP6gyIwtKucGbHG+RDp5HtQZY7SCwNos4xmL UMNJKUha1h/DUO39LHq6wndpJR/eH/+M5qCBdv8FDfW1tumVvPHbotSxt4jtgxMjrswv xY+Z3wh/4p3/yzZatdystn30rYMr7cZKfvcb/hPOLPVlOQJsYjsqoMo4iew7CAd3RLjD 3bRNdYqp4SoVqjs3z3KMLzamFrVWpHJjTwZ4eMqNQmDtXivTx40QPpMxzd3NPOTi+uZ+ sQQHbaWoS9THgEICa54q5NOeNFCv40+JBC3CHxXDu6oDB8/L52Ds8Eq/XGo9eIJpMk6o WffQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=1I7U/F0ucofxTrzPTWV1KOz0oDAngAPYRBd0AunRLTw=; b=mlnh1DOpVAWbfN3o1LoExKYT5r2Xf7hrdXuiwy7gcyuvMF4h+WOy31jD2OC2CKtr5X 3mCDlOU35kEYvbxzaLw5mCORIV02qSZ9jIJTIRsrHZlhMBVaAdNcKGUb3plv4+jRMi90 8k6K7SjPE83RT480MBbTvXYCbMpL1yKvvph8PHVCEY/MLFugGEFbjyWj11RVnvzMYMOd 6bObI79lZkPQWtljtB1AFJb6Tt5Cf4yVS/5NxekKZSKwbuqlWAxRvkDIz7jm0wXLJAbV MFG2uxl/TPp4fg3TEK7G7T+ZniQPNjdQolVi/u+Vve8xVYiugCQsAkJuEtXB0KRkjfa2 X1og== X-Gm-Message-State: AKwxytfruDnGWeEEJiexdxfkIveYnINKvikePiFkows2rXpSopGdUYXH 1gYkYsDK9lRLJU8ss4m/0F01Ww3BOId9f6tA3jhklg== X-Received: by 10.157.25.44 with SMTP id j44mr9540877ota.111.1516821073988; Wed, 24 Jan 2018 11:11:13 -0800 (PST) MIME-Version: 1.0 Received: by 10.74.154.97 with HTTP; Wed, 24 Jan 2018 11:10:53 -0800 (PST) In-Reply-To: <20180124175631.22925-5-igor.stoppa@huawei.com> References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> From: Jann Horn Date: Wed, 24 Jan 2018 20:10:53 +0100 Message-ID: Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory To: Igor Stoppa Cc: jglisse@redhat.com, Kees Cook , Michal Hocko , Laura Abbott , Christoph Hellwig , Matthew Wilcox , Christoph Lameter , linux-security-module@vger.kernel.org, linux-mm@kvack.org, kernel list , Kernel Hardening Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 24, 2018 at 6:56 PM, Igor Stoppa wrote: > The MMU available in many systems running Linux can often provide R/O > protection to the memory pages it handles. > > However, the MMU-based protection works efficiently only when said pages > contain exclusively data that will not need further modifications. > > Statically allocated variables can be segregated into a dedicated > section, but this does not sit very well with dynamically allocated > ones. > > Dynamic allocation does not provide, currently, any means for grouping > variables in memory pages that would contain exclusively data suitable > for conversion to read only access mode. > > The allocator here provided (pmalloc - protectable memory allocator) > introduces the concept of pools of protectable memory. > > A module can request a pool and then refer any allocation request to the > pool handler it has received. > > Once all the chunks of memory associated to a specific pool are > initialized, the pool can be protected. I'm not entirely convinced by the approach of marking small parts of kernel memory as readonly for hardening. Comments on some details are inline. > diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h > index 1e5d8c3..116d280 100644 > --- a/include/linux/vmalloc.h > +++ b/include/linux/vmalloc.h > @@ -20,6 +20,7 @@ struct notifier_block; /* in notifier.h */ > #define VM_UNINITIALIZED 0x00000020 /* vm_struct is not fully initialized */ > #define VM_NO_GUARD 0x00000040 /* don't add guard page */ > #define VM_KASAN 0x00000080 /* has allocated kasan shadow memory */ > +#define VM_PMALLOC 0x00000100 /* pmalloc area - see docs */ Is "see docs" specific enough to actually guide the reader to the right documentation? > +#define pmalloc_attr_init(data, attr_name) \ > +do { \ > + sysfs_attr_init(&data->attr_##attr_name.attr); \ > + data->attr_##attr_name.attr.name = #attr_name; \ > + data->attr_##attr_name.attr.mode = VERIFY_OCTAL_PERMISSIONS(0444); \ > + data->attr_##attr_name.show = pmalloc_pool_show_##attr_name; \ > +} while (0) Is there a good reason for making all these files mode 0444 (as opposed to setting them to 0400 and then allowing userspace to make them accessible if desired)? /proc/slabinfo contains vaguely similar data and is mode 0400 (or mode 0600, depending on the kernel config) AFAICS. > +void *pmalloc(struct gen_pool *pool, size_t size, gfp_t gfp) > +{ [...] > + /* Expand pool */ > + chunk_size = roundup(size, PAGE_SIZE); > + chunk = vmalloc(chunk_size); You're allocating with vmalloc(), which, as far as I know, establishes a second mapping in the vmalloc area for pages that are already mapped as RW through the physmap. AFAICS, later, when you're trying to make pages readonly, you're only changing the protections on the second mapping in the vmalloc area, therefore leaving the memory writable through the physmap. Is that correct? If so, please either document the reasoning why this is okay or change it.