Received: by 10.223.185.82 with SMTP id b18csp62292wrg; Thu, 8 Mar 2018 19:19:08 -0800 (PST) X-Google-Smtp-Source: AG47ELtiejFcVlTyPD7CSWqmxbkRHYtzJqFb+z2rv2hRkff+rPbrHqDQhVmQmoqzv8O/Qc2T9Tyr X-Received: by 10.99.1.148 with SMTP id 142mr23574161pgb.24.1520565548701; Thu, 08 Mar 2018 19:19:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520565548; cv=none; d=google.com; s=arc-20160816; b=WOZpAZFExOct7X1GlohaFbe/bHlXa9ftGNdFEIFqttNMWrVMHVWi067mym3gUoXYYy 5o2TS77lhwsZSj/hjejqAfUIrF9xrhCoAVqqMxWkGfgL0p1ypbI2CpnFVqDiY0TWEaDK XpGeEKPJP1H6MSkM+DUTkG6haFfO3S/ZTBcmkoCT36kwKFFNJ68HMbj4PpCIyma/vtSU c/Ahj/nAGRSfE05dx0ztkSJiS+pODTtjHBBn4tF+OnzyZdP1tjS+l/dXdWDkRzgeHDAI OZiMJrkwFoeW62QXaRCfyz+N7gdjavrqJUTrAWIedhRnu/bGSofEUVeik3EhsNa9PO1j mFSQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=6+RueHmzpR9j7PSeQeLfG1mRO4kqrDMQbnIEdpy5YUg=; b=W86Qms7E1JwAuqWmxGTLboS+AuaAgumQh3DKVWH0kqejw/S7bX8aTU1zPYT4PvHlIc DEM9R9uaPgC6KQKfv//mk9dQTvvEHggWftc3NAJQ9NhUjkGJ6JRqqT+pjHS07Js914uH F5RS7q9s4g9//vKZED7L6Bg/5zzQu3rrjwTY3u04HhYP6YcS6K873sW1Dgjq3zkCyvf0 G5nojzBok83aD5212RhE6G42PnSFx5lLRImvBFYs9mPyg/GZ/L4B46j1xSd6Bh0lK25g PTUH+2GZr/kdCF1ADCQTINBzUO0S55s/lTJTrV8b5YRNlmoKlSa3E8AHF4ZT6GM24gkN yx/g== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=JtR2VEOz; dkim=fail header.i=@linux-foundation.org header.s=google header.b=QHw4BM18; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f26si65002pgn.650.2018.03.08.19.18.54; Thu, 08 Mar 2018 19:19:08 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=JtR2VEOz; dkim=fail header.i=@linux-foundation.org header.s=google header.b=QHw4BM18; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751238AbeCIDRn (ORCPT + 99 others); Thu, 8 Mar 2018 22:17:43 -0500 Received: from mail-io0-f196.google.com ([209.85.223.196]:45474 "EHLO mail-io0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750918AbeCIDRl (ORCPT ); Thu, 8 Mar 2018 22:17:41 -0500 Received: by mail-io0-f196.google.com with SMTP id m22so2008895iob.12; Thu, 08 Mar 2018 19:17:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=6+RueHmzpR9j7PSeQeLfG1mRO4kqrDMQbnIEdpy5YUg=; b=JtR2VEOzlMRPa3CYFEEK9DEXyldljSsPSp5qoM/TozSxN1JZR1r1q2JEmP5DA0nZVR G6w33J1uougWPcTjdM+BqyRX749e7gDRQerR3LVDJsFKoVgk/A/FUlIeNHSFSpJXJkuV Jwhe4FS49pGUGtCaewVJT2H1E5M45d/A24RgLvjvb3YKjoHajOFNiIH67qS6n68J9oAU Xl3rFTpitcbVXs7r/OkPDj2eitkz0wRBihbes1nsB731QneyiPFWDk9nNch++I+UzbHG IMkzswRd6+9Td8o6SE+w5LXFNPR7s1rCmuUD31qePeYrjGevoM513ZzMc2G4vRXBD3S8 VJYw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=6+RueHmzpR9j7PSeQeLfG1mRO4kqrDMQbnIEdpy5YUg=; b=QHw4BM18xyGQe5x9L1kS1wyr2Q1gSEe6xW6v3wEcD6xf8ZA1f5401PcJoI5jcrhvCK fMhGnc1gCU9cGtxLmQfZYW5+lo69LI25SslYRP9dFCzDpmSXJGprXzdzdHj0pluCOXEV ivDOdULiyJzMpWmJJ+ZQFCZ2y3lobpowMz+XU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=6+RueHmzpR9j7PSeQeLfG1mRO4kqrDMQbnIEdpy5YUg=; b=fazMTIV6zvlsYP/rPwRg7GLbQCCqXc+V29FXudgh0QgMHLm5lMb0mrwQCv1P0Fgv/K t7/wBJAaRHyA1dJcpgXt6hA7n0trI4qDwoZRBrenpQ4FOtgiyF6CQFaHu0O7pa7DATKz 8bU/Ql9UD95HnQPTyq215MJQDyJfjhr2a2LhTg5kBQAokZsagoVRz/pRKl7twlG1ceXj 0YHmkc/LgRdP9gsGeVbL6sMDMhFkhRG2ntXG/UXj7/NhwhKAfBckvkWzsmlUiuVnsa1E 2SZIhHCyPK7tFwe/vwdKCXFoJC4u+qOcLuWL22rbZM8hhkhccYJcerpriEC96ReT/wSJ 270A== X-Gm-Message-State: APf1xPC3wk5xOr0FZ28fEXQN02eab+jxyUgdvPQ/dx/QBnU/HbkAzehI d8rMOrDXJeXRa3Wfx5z7I9j7j9sln865Ghwfc2w= X-Received: by 10.107.22.1 with SMTP id 1mr34974038iow.238.1520565460297; Thu, 08 Mar 2018 19:17:40 -0800 (PST) MIME-Version: 1.0 Received: by 10.107.135.221 with HTTP; Thu, 8 Mar 2018 19:17:39 -0800 (PST) In-Reply-To: References: <20180306013457.1955486-1-ast@kernel.org> From: Linus Torvalds Date: Thu, 8 Mar 2018 19:17:39 -0800 X-Google-Sender-Auth: XswQv0HNVUYhGDM3HeZg6Qr0TNU Message-ID: Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries To: Kees Cook Cc: Andy Lutomirski , Alexei Starovoitov , Djalal Harouni , Al Viro , "David S. Miller" , Daniel Borkmann , Greg KH , "Luis R. Rodriguez" , Network Development , LKML , kernel-team , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 8, 2018 at 7:06 PM, Linus Torvalds wrote: > > So I don't like Andy's "let's make it a kernel module and then that > kernel module can execve() a blob". THAT seems like just stupid > indirection. > > But I do like Andy's "execve a blob" part, because it is the *blob* > that has had its signature verified, not the file! To be honest., Andy's approach has the advantage that all the synchronization we do for modules still works. In particular, we have module loading logic where we synchronize loading of modules with the same name, so that two things that do request_module() concurrently will not lead to two modules being loaded. See that whole "module_mutex" thing, and the logic in (for example) "add_unformed_module()". Andrei's patch short-circuits the module loading before that, so if you have two concurrent request_module() calls, you'll end up with no serialization, and two executables. So maybe Andy is right. He often is, after all. Linus