Received: by 10.223.185.116 with SMTP id b49csp1113940wrg; Tue, 20 Feb 2018 13:37:26 -0800 (PST) X-Google-Smtp-Source: AH8x224eu6NzfBcNzAJ84DJ5a64wM9vt6p+dRaQXowvh3CV/sGGzLUejeQ0QB0fC6kkK87VKOovt X-Received: by 2002:a17:902:5481:: with SMTP id e1-v6mr916290pli.300.1519162646398; Tue, 20 Feb 2018 13:37:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519162646; cv=none; d=google.com; s=arc-20160816; b=zjT4lyqlUMAbWBz0FsJ5xSYtQB2JBCjc2/lLxxSsstAX9zRk7VvUOU8sSa/5H+weEu gY2SrKJBgER2sr5NpGsSYj/0faoxHSyfjD5qcmzIweC3kNii6PCm5rtg30hMJ7ncMeQi oghxKnFmCIpJdfSh+QU74aXD51/EXsHWmI3z8J7j8AHE6XW1XhGE/BeCHAntKEM/sSsx nalj+toZDubIiBsRnnugV36Lv7qXJZ03EBDY3cyJCb1zR8vSFBnAXzYAt60MGmpr6Ftk pGowr4MypSYiijeUJwT2BLOS/ngf3V5761I/WqjhvU3HBCS4UchHCQLVoEbq+Dfsq53u DE+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=YGdi/S4+WSGTDs9Cc+dMhOXqD7VNlNKqfdWvp8dwbuc=; b=FplwTXxxqfvhjnxctq9RIKAKQio0/RTJIWHvi0J0mBUhke8iyvJKtrf5RZUnO8bVwv CnbqIt9d7zzrubeqKBiMTh6wKx3VqFjIA6/mM81txwqlNf7m8x9FigGEPz90RZDY5ZKP kXKqMcbOxGgN2RM1qA1L7pJl4/xX5VulS7dqR3mVUYVxzkvWRNzk3yHipPtyrn3uFBhC 5BRacz7E+4Y6tZeLxDqsG6jMrCuRlDsAZrA6fXfmUeJTb6VP4UqDQ/7n0qGIiUo93bDd lzfBSZcpv13r4ResC+ElpMwRbEpKOw7f/md1UAftyHZlHTUncEM92Dh9+Uht0LvqA9wE jkPQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f3-v6si7937011plo.610.2018.02.20.13.37.11; Tue, 20 Feb 2018 13:37:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751372AbeBTVgT (ORCPT + 99 others); Tue, 20 Feb 2018 16:36:19 -0500 Received: from mx1.redhat.com ([209.132.183.28]:41764 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750799AbeBTVgP (ORCPT ); Tue, 20 Feb 2018 16:36:15 -0500 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 98CA280090; Tue, 20 Feb 2018 21:36:15 +0000 (UTC) Received: from rh (ovpn-116-62.phx2.redhat.com [10.3.116.62]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3686654477; Tue, 20 Feb 2018 21:36:15 +0000 (UTC) Received: from [::1] (helo=rh) by rh with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from ) id 1eoFa3-0004Ac-Td; Wed, 21 Feb 2018 08:36:07 +1100 Date: Wed, 21 Feb 2018 08:36:04 +1100 From: Dave Chinner To: Igor Stoppa Cc: Kees Cook , Matthew Wilcox , Randy Dunlap , Jonathan Corbet , Michal Hocko , Laura Abbott , Jerome Glisse , Christoph Hellwig , Christoph Lameter , linux-security-module , Linux-MM , LKML , Kernel Hardening Subject: Re: [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data Message-ID: <20180220213604.GD3728@rh> References: <20180212165301.17933-1-igor.stoppa@huawei.com> <20180220012111.GC3728@rh> <24e65dec-f452-a444-4382-d1f88fbb334c@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <24e65dec-f452-a444-4382-d1f88fbb334c@huawei.com> User-Agent: Mutt/1.9.1 (2017-09-22) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Tue, 20 Feb 2018 21:36:15 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 20, 2018 at 08:03:49PM +0200, Igor Stoppa wrote: > > > On 20/02/18 03:21, Dave Chinner wrote: > > On Mon, Feb 12, 2018 at 03:32:36PM -0800, Kees Cook wrote: > >> On Mon, Feb 12, 2018 at 8:52 AM, Igor Stoppa wrote: > >>> This patch-set introduces the possibility of protecting memory that has > >>> been allocated dynamically. > >>> > >>> The memory is managed in pools: when a memory pool is turned into R/O, > >>> all the memory that is part of it, will become R/O. > >>> > >>> A R/O pool can be destroyed, to recover its memory, but it cannot be > >>> turned back into R/W mode. > >>> > >>> This is intentional. This feature is meant for data that doesn't need > >>> further modifications after initialization. > >> > >> This series came up in discussions with Dave Chinner (and Matthew > >> Wilcox, already part of the discussion, and others) at LCA. I wonder > >> if XFS would make a good initial user of this, as it could allocate > >> all the function pointers and other const information about a > >> superblock in pmalloc(), keeping it separate from the R/W portions? > >> Could other filesystems do similar things? > > > > I wasn't cc'd on this patchset, (please use david@fromorbit.com for > > future postings) > > Apologies, somehow I didn't realize that I should have put you too in > CC. It will be fixed at the next iteration. No worries, If you weren't at LCA, you wouldn't have known :P > > so I can't really say anything about it right > > now. My interest for XFS was that we have a fair amount of static > > data in XFS that we set up at mount time and it never gets modified > > after that. > > This is the typical use case I had in mind, although it requires a > conversion. > Ex: > > before: > > static int a; > > > void set_a(void) > { > a = 4; > } > > > > after: > > static int *a __ro_after_init; > struct gen_pool *pool; > > void init_a(void) > { > pool = pmalloc_create_pool("pool", 0); > a = (int *)pmalloc(pool, sizeof(int), GFP_KERNEL); > } > > void set_a(void) > { > *a = 4; > pmalloc_protect_pool(pool); > } Yeah, that's kinda what I figured. I'm guessing that I treat a pool just like a normal heap allocation, but then when all the objects I need to allocate are fully initialised, then I write protect the pool? i.e. the API isn't using an object-based protection scope? FWIW, I'm not wanting to use it to replace static variables. All the structures are dynamically allocated right now, and get assigned to other dynamically allocated pointers. I'd likely split the current structures into a "ro after init" structure and rw structure, so how does the "__ro_after_init" attribute work in that case? Is it something like this? struct xfs_mount { struct xfs_mount_ro{ ....... } *ro __ro_after_init; ...... Also, what compile time checks are in place to catch writes to ro structure members? Is sparse going to be able to check this sort of thing, like is does with endian-specific variables? > I'd be interested to have your review of the pmalloc API, if you think > something is missing, once I send out the next revision. I'll look at it in more depth when it comes past again. :P Cheers, Dave. -- Dave Chinner dchinner@redhat.com