Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries
From: Andy Lutomirski
Date: Thu, 8 Mar 2018 19:10:54 -0800
To: David Miller
Cc: luto@kernel.org, alexei.starovoitov@gmail.com, keescook@chromium.org, ast@kernel.org, tixxdz@gmail.com, viro@zeniv.linux.org.uk, daniel@iogearbox.net, torvalds@linux-foundation.org, gregkh@linuxfoundation.org, mcgrof@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@fb.com, linux-api@vger.kernel.org
Message-Id: <3BC1EAA3-D926-4758-901D-A860718B846A@amacapital.net>
In-Reply-To: <20180308.213153.2003279953084099668.davem@davemloft.net>
References: <20180309012046.6kcivmzzkap3a4xc@ast-mbp> <20180308.213153.2003279953084099668.davem@davemloft.net>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Mar 8, 2018, at 6:31 PM, David Miller wrote:
>
> From: Andy Lutomirski
> Date: Fri, 9 Mar 2018 02:12:24 +0000
>
>> First, compile your user code and emit a static binary. Use objdump
>> fiddling or a trivial .S file to make that static binary into a
>> variable. Then write a tiny shim module like this:
>>
>> extern unsigned char __begin_user_code[], __end_user_code[];
>>
>> int __init init_shim_module(void)
>> {
>>     return call_umh_blob(__begin_user_code, __end_user_code - __begin_user_code);
>> }
>>
>> By itself, this is clearly a worse solution than yours, but it has two
>> benefits, one small and two big. The small benefit is that it is
>> completely invisible to userspace: the .ko file is a bona fide module.
>
> Anything you try to do which makes these binaries "special" is a huge
> negative.

I don’t know what you mean. Alexei’s approach introduces a whole new kind of special module. Mine doesn’t.

>
>> The big benefits are:
>
> I don't see those things as benefits at all, and Alexei's scheme can
> easily be made to work in your benefit #1 case too.
>

How? I think you’ll find that a non-modular implementation of a bundled ELF binary looks a *lot* like my call_umh_blob().

> It's a user binary. It's shipped with the kernel and it's signed.
>
> If we can't trust that, we can't trust much else.

I’m not making any arguments about security at all. I’m talking about functionality.

If we apply Alexei’s patch as is, then I think we’ll have a situation where ET_EXEC modules are only useful if they can do their jobs without any filesystem access at all. This is fine for networking, where netlink sockets are used, but I think it’s not so great for other use cases. If we ever try to stick a usb driver into userspace, we’re going to want to instantiate the user task once per device, passed as stdin or similar, and Alexei’s code will make that very awkward.
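
The difference between an ordinary .ko and the "ET_EXEC modules" discussed in this message is visible in the ELF header's e_type field: a loadable kernel module is a relocatable object (ET_REL), while a regular user binary is ET_EXEC. The following is an added example, not code from this thread or from the kernel; classify_blob(), the blob_kind names and the sample headers are constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Standard ELF constants, spelled out so this builds without <elf.h>. */
enum { X_EI_CLASS = 4, X_EI_DATA = 5, X_EI_NIDENT = 16,
       X_DATA_LSB = 1, X_DATA_MSB = 2, X_ET_REL = 1, X_ET_EXEC = 2 };

enum blob_kind {
    BLOB_NOT_ELF,    /* too short, bad magic, or bad EI_CLASS/EI_DATA */
    BLOB_MODULE,     /* ET_REL: relocatable object, an ordinary .ko */
    BLOB_USER_EXEC,  /* ET_EXEC: fixed-address user executable */
    BLOB_OTHER_ELF   /* ET_DYN, ET_CORE, ...: neither of the above */
};

/* classify_blob() is a hypothetical helper, not a kernel function. */
enum blob_kind classify_blob(const unsigned char *buf, size_t len)
{
    uint16_t e_type;

    /* e_type is the 16-bit field directly after e_ident[16]. */
    if (len < (size_t)X_EI_NIDENT + 2 || memcmp(buf, "\177ELF", 4) != 0)
        return BLOB_NOT_ELF;
    if (buf[X_EI_CLASS] != 1 && buf[X_EI_CLASS] != 2) /* ELFCLASS32/64 */
        return BLOB_NOT_ELF;

    /* Decode e_type in the byte order the file declares, not the host's. */
    if (buf[X_EI_DATA] == X_DATA_LSB)
        e_type = (uint16_t)(buf[16] | (buf[17] << 8));
    else if (buf[X_EI_DATA] == X_DATA_MSB)
        e_type = (uint16_t)((buf[16] << 8) | buf[17]);
    else
        return BLOB_NOT_ELF;

    if (e_type == X_ET_REL)
        return BLOB_MODULE;
    if (e_type == X_ET_EXEC)
        return BLOB_USER_EXEC;
    return BLOB_OTHER_ELF;
}

/* Constructed samples: the first 18 bytes of three ELF files. */
const unsigned char sample_ko[18]      = { 0x7f,'E','L','F', 2,1,1,0, 0,0,0,0,0,0,0,0, 1,0 };
const unsigned char sample_exec[18]    = { 0x7f,'E','L','F', 2,1,1,0, 0,0,0,0,0,0,0,0, 2,0 };
const unsigned char sample_be_exec[18] = { 0x7f,'E','L','F', 1,2,1,0, 0,0,0,0,0,0,0,0, 0,2 };
```

Run over the first bytes of each file in a module directory, a check like this reports which files are relocatable modules and which are executables of the kind the patch under discussion would hand to modprobe.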