Received: by 10.223.185.116 with SMTP id b49csp864933wrg; Wed, 21 Feb 2018 08:09:10 -0800 (PST) X-Google-Smtp-Source: AH8x2264plLil6IdJkrBi0X7OtLgFDyAWHIsP8lISlKPFBI2LKHqHsoqBbS59RaXYVPw14F5ibDL X-Received: by 10.99.96.206 with SMTP id u197mr3000777pgb.261.1519229349898; Wed, 21 Feb 2018 08:09:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519229349; cv=none; d=google.com; s=arc-20160816; b=Jt2gUPP97h2WNdQ1oFeu7oz3dfqbXox7HiCRKJqzDYomrV8zoApbbx+RNil4xZX3rw tGCVjhZfmIhIS9jmig1W5e92WHxxlszt3M2R1qvky8u9LljVqIodaHGoq3JLjUOzbwK6 dhBi9Skrr0cSSwAwN72KSMHyjpAidzorjMh8PbEeOosFSQxLbY4fFDchWusGhhe00Uv/ nmzG7g8aE4qXML4nD7DcYvPA/fN3onWXRAJDRsHuRMwj1pfB1g1gpGOH0t9FnR9hSKR9 AXaBG4PsrCuZqG9mBJ34PoY4Y8pqDRoT34hvj+ptC26NBiBKVV6KSKtPW3qDXOfvmdFP yX/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=bPpfrERbesHpIXqgK5cfI69FssCUlAuaoxSZLLPwp5Q=; b=Eo9hqculBpFDpLSPTyqToH1QLs0H81rNcjLINYED+j2V+9H4ZWp5OLtA5Ptf6wwBuG aqRuH3sKbaNcSrfKYRrf9JO0e8eZ+5vARl+bQ2AP2i7hdLK14yC9eoatIECjG/r3x3Dd fmCa01LaGkT718AAzD1Qd2asvwSyp8PwC8q/3hS3iwavYHs+7Lk+epq3XTIDfle9tZ8H DNgkG7h6qG1ZCiKG9u/V9T2Tk2zY53i19IS+8mOIaUpxZ0pCDqhu8TkKhBu0DYsaWf9p gToLX9gxEYEy7TFoCtw+LP92xc4OdWK3cVJ5zNx++et3IcIAgLSKEmGVzKki3Vyxf1Xk KY4g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y5si1032888pgy.715.2018.02.21.08.08.54; Wed, 21 Feb 2018 08:09:09 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932662AbeBUJ4w (ORCPT + 99 others); Wed, 21 Feb 2018 04:56:52 -0500 Received: from lhrrgout.huawei.com ([194.213.3.17]:26990 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S932381AbeBUJ4u (ORCPT ); Wed, 21 Feb 2018 04:56:50 -0500 Received: from LHREML712-CAH.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 831CAAF614CAA; Wed, 21 Feb 2018 09:56:46 +0000 (GMT) Received: from [10.122.225.51] (10.122.225.51) by smtpsuk.huawei.com (10.201.108.35) with Microsoft SMTP Server (TLS) id 14.3.361.1; Wed, 21 Feb 2018 09:56:46 +0000 Subject: Re: [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data To: Dave Chinner , Matthew Wilcox CC: Kees Cook , Randy Dunlap , Jonathan Corbet , Michal Hocko , "Laura Abbott" , Jerome Glisse , "Christoph Hellwig" , Christoph Lameter , linux-security-module , Linux-MM , LKML , Kernel Hardening References: <20180212165301.17933-1-igor.stoppa@huawei.com> <20180220012111.GC3728@rh> <24e65dec-f452-a444-4382-d1f88fbb334c@huawei.com> <20180220213604.GD3728@rh> <20180220235600.GA3706@bombadil.infradead.org> <20180221013636.GE3728@rh> From: Igor Stoppa Message-ID: <46a9610a-182b-4765-9d83-cab6297377f3@huawei.com> Date: Wed, 21 Feb 2018 11:56:22 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <20180221013636.GE3728@rh> Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.122.225.51] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 21/02/18 03:36, Dave Chinner wrote: > On Tue, Feb 20, 2018 at 03:56:00PM -0800, Matthew Wilcox wrote: >> On Wed, Feb 21, 2018 at 08:36:04AM +1100, Dave Chinner wrote: >>> FWIW, I'm not wanting to use it to replace static variables. All the >>> structures are dynamically allocated right now, and get assigned to >>> other dynamically allocated pointers. I'd likely split the current >>> structures into a "ro after init" I would prefer to use a different terminology, because, if I have understood the use case, this is not exactly the same as __ro_after_init So, this is my understanding: * "const" needs to be known at link time - there might be some adjustments later on, ex: patching of "const" pointers, after relocation has taken place - I am assuming we are not planning to patch const data The compiler can perform whatever optimization it feels like and it is allowed to do, on this. * __ro_after_init is almost the same as a const, from a r/w perspective, but it will become effectively read_only after the completion of the init phase. The compiler cannot use it in any way to detect errors, AFAIK. The system will just generate a runtime error is someone tries to alter some __ro_after_init data, when it's read-only. The only trick available is to use, after the protection, a different type of handle, const. * pmalloc pools can be protected (hence the "p") at any time, but they start as r/w. Also, they cannot be declared statically. * data which is either const or __ro_after_init is placed into specific sections (on arm64 it's actually the same) and its pages are then marked as read-only. >>> structure and rw structure, so >>> how does the "__ro_after_init" attribute work in that case? Is it >>> something like this? >>> >>> struct xfs_mount { >>> struct xfs_mount_ro{ >>> ....... >>> } *ro __ro_after_init; > ^^^^^^^^ > > pointer, not embedded structure.... I doubt this would work, because I think it's not possible to put a field of a structure into a separate section, afaik. __ro_after_init would refer to the ro field, not to the memory it refers to. >>> ...... >> >> No, you'd do: >> >> struct xfs_mount_ro { >> [...] >> }; is this something that is readonly from the beginning and then shared among mount points or is it specific to each mount point? >> struct xfs_mount { >> const struct xfs_mount_ro *ro; >> [...] >> }; > > .... so that's pretty much the same thing :P The "const" modifier is a nice way to catch errors through the compiler, iff the ro data will not be initialized through this handle, when it's still writable. >>> Also, what compile time checks are in place to catch writes to >>> ro structure members? Is sparse going to be able to check this sort >>> of thing, like is does with endian-specific variables? >> >> Just labelling the pointer const should be enough for the compiler to >> catch unintended writes. > > Ok. yes, anyway the first one trying to alter it at run time, is in for some surprise. >>>> I'd be interested to have your review of the pmalloc API, if you think >>>> something is missing, once I send out the next revision. >>> >>> I'll look at it in more depth when it comes past again. :P >> >> I think the key question is whether you want a slab-style interface >> or whether you want a kmalloc-style interface. I'd been assuming >> the former, but Igor has implemented the latter already. > > Slabs are rally only useful when you have lots of a specific type of > object. I'm concerned mostly about one-off per-mount point > structures, of which there are relatively few. A heap-like pool per > mount is fine for this. That was my same sentiment. Actually it would be even possible to simulate caches with pools: each pool supports a granularity parameter, during creation. One could have multiple pools, each with different granularity, but it would probably lead to a proliferation of pools. Instead, I preferred to have pmalloc as a drop-in replacement for the variants of k/v/kv malloc. The only real issue was the - previous - inability of tracking the size of an allocation, given its address, but that is taken care of by the patch for the genalloc bitmap. If I could have a pointer to a good candidate for the pmalloc treatment, I could come up with a patch, to show how it could be done. Then it might be easier to discuss if the API needs to be modified and/or extended somehow. -- igor