From: Albert Cahalan
To: Nix
Cc: Arjan van de Ven, "Albert D. Cahalan", Jakub Jelinek, Al Viro, linux-kernel@vger.kernel.org, akpm@osdl.org
Subject: Re: [PATCH 4/4] pmap: reduced permissions
Date: Wed, 25 Jan 2006 20:45:48 -0500
Message-ID: <787b0d920601251745n72811696p129396f1279a4a82@mail.gmail.com>
In-Reply-To: <87r76vrhsj.fsf@amaterasu.srvr.nix>
References: <200601222219.k0MMJ3Qg209555@saturn.cs.uml.edu> <1137996654.2977.0.camel@laptopd505.fenrus.org> <787b0d920601230128o5a12513fjae3708e3fb552dca@mail.gmail.com> <1138009305.2977.28.camel@laptopd505.fenrus.org> <787b0d920601230220r5c7df60dk142d1d637ab4ed48@mail.gmail.com> <87r76vrhsj.fsf@amaterasu.srvr.nix>
X-Mailing-List: linux-kernel@vger.kernel.org

On 1/25/06, Nix wrote:
> On 23 Jan 2006, Albert Cahalan said:
> > On 1/23/06, Arjan van de Ven wrote:
> >> On Mon, 2006-01-23 at 04:28 -0500, Albert Cahalan wrote:
> >
> >> > I tend to think that glibc should not be reading this file.
> >> > What excuse is there?
> >>
> >> glibc needs to be able to find out if a certain address is writable. (eg
> >> mapped "w"). The only way available for that is... reading the maps
> >> file.
> >
> > What the heck for? That's gross.
>
> Ironically enough, it's security. :)
>
> > If glibc is just providing this info for apps, there should be a
> > system call for it. Otherwise, being the C library, glibc can
> > damn well remember what it did.
>
> Nah, it's used for vfprintf() argument-area checking.
>
> Specifically, it's the Linux implementation of __readonly_area(),
> located in sysdeps/unix/sysv/linux/readonly-area.c in glibc-3.4-to-be,
> and used by vfprintf() on behalf of __vfprintf_chk(). Calls to this
> function (and the other __*_chk() functions) are expanded by glibc's
> string headers and generated by GCC 4.1+ automatically when possible
> (and by GCCs out there in the field: this patch is shipped by RH
> already, known as FORTIFY_SOURCE).
>
> FORTIFY_SOURCE zaps a whole class of security vulnerabilities stone
> dead. Breaking it would be a bad idea. Therefore, /proc/self/maps has to
> remain readable, even in setuid programs, because setuid programs are
> one class of programs for which FORTIFY_SOURCE is crucial.
>
> [Jakub added to Cc:, he can defend his own code much better than I can]

OK, Jakub, how would you like the system call to look? :-)

It looks like the mincore() system call has reserved bits
available in the output vector.

It's just vfprintf? Not vsprintf too? I'll take a guess that
the performance hit was considered tolerable only if doing
IO anyway. A proper system call would help both cases.

It's bad enough that procps has to suffer the overhead of
parsing all that nasty text. The thought of every app doing
that, automatically via gcc+glibc, is truly horrifying.
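The check Nix describes, as an added example that is not part of the thread and is not glibc's readonly-area.c: a small stand-alone version of "is this byte range entirely inside non-writable mappings, according to /proc/self/maps", followed by the FORTIFY-style use that makes it worth having, which is refusing a %n conversion when the format string itself sits in writable memory. Everything below is the editor's own code: the function names, the AREA_* verdicts and the KEEP_GOING convention are this example's; it assumes the Linux maps line layout ("start-end perms offset dev inode path") emitted in address order, treats an unreadable /proc/self/maps as "unknown" rather than as an error, and the sample maps lines are constructed, not captured from a real process.

```c
/* Added example (editor's own code, not glibc's readonly-area.c): decide from
 * /proc/self/maps whether a byte range lies entirely in non-writable mappings,
 * then apply it the FORTIFY way, honouring "%n" only if the format string is
 * read-only.  Assumes Linux maps lines "start-end perms offset dev inode path"
 * in address order; all function names here are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { AREA_UNKNOWN = -1, AREA_NOT_READONLY = 0, AREA_READONLY = 1, KEEP_GOING = 2 };

/* Feed one maps line for the range [*lo, hi).  Advances *lo over an "r-"
 * (readable, not writable) mapping contiguous with it; KEEP_GOING while undecided. */
static int feed_maps_line(const char *line, uintptr_t *lo, uintptr_t hi)
{
    char *end;
    if (*lo >= hi) return AREA_READONLY;                       /* nothing left to cover */
    uintptr_t from = (uintptr_t)strtoull(line, &end, 16);
    if (end == line || *end != '-') return KEEP_GOING;         /* not a maps line */
    const char *rest = end + 1;
    uintptr_t to = (uintptr_t)strtoull(rest, &end, 16);
    if (end == rest || *end != ' ' || strlen(end) < 5) return KEEP_GOING;
    if (to <= *lo || from >= hi) return KEEP_GOING;            /* no overlap with what is left */
    if (from > *lo) return AREA_NOT_READONLY;                  /* unmapped hole before it */
    if (end[1] != 'r' || end[2] != '-') return AREA_NOT_READONLY; /* writable or unreadable */
    *lo = to;                                                  /* covered up to here */
    return *lo >= hi ? AREA_READONLY : KEEP_GOING;
}

/* The rule over an array of lines, so it can be exercised on constructed input. */
static int readonly_range_in(const char *const *lines, size_t n, uintptr_t lo, size_t size)
{
    uintptr_t hi = lo + size;
    int v = KEEP_GOING;
    for (size_t i = 0; i < n && v == KEEP_GOING; i++)
        v = feed_maps_line(lines[i], &lo, hi);
    return v == KEEP_GOING ? AREA_NOT_READONLY : v;            /* ran out of lines: unmapped tail */
}

/* The same rule over the live /proc/self/maps, without allocating.  AREA_UNKNOWN
 * if the file cannot be read (no /proc in a chroot or a restricted container). */
static int readonly_area(const void *ptr, size_t size)
{
    FILE *fp = fopen("/proc/self/maps", "r");
    if (fp == NULL) return AREA_UNKNOWN;
    uintptr_t lo = (uintptr_t)ptr, hi = lo + size;
    char buf[512];
    int v = KEEP_GOING, line_start = 1;
    while (v == KEEP_GOING && fgets(buf, sizeof buf, fp) != NULL) {
        size_t len = strlen(buf);
        if (line_start) v = feed_maps_line(buf, &lo, hi);      /* skip later chunks of overlong lines */
        line_start = len > 0 && buf[len - 1] == '\n';
    }
    fclose(fp);
    return v == KEEP_GOING ? AREA_NOT_READONLY : v;
}

/* Does the format contain a "%n" conversion?  "%%" is a literal percent; flag,
 * width, precision and length characters may sit between '%' and the 'n'. */
static int format_has_n(const char *fmt)
{
    for (const char *p = strchr(fmt, '%'); p != NULL; p = *p ? strchr(p + 1, '%') : NULL) {
        if (*++p != '%')
            while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL) p++;
        if (*p == 'n') return 1;
    }
    return 0;
}

/* FORTIFY-style policy: honour "%n" only when the format string is in read-only
 * memory, so a writable, attacker-reachable format cannot become a write primitive. */
static int format_allowed(const char *fmt)
{
    return !format_has_n(fmt) || readonly_area(fmt, strlen(fmt) + 1) != AREA_NOT_READONLY;
}

/* Constructed maps lines (not captured from a real process). */
static const char *const sample_maps[] = {
    "55e0a0000000-55e0a0001000 r--p 00000000 fd:01 1234 /tmp/demo",
    "55e0a0001000-55e0a0002000 r-xp 00001000 fd:01 1234 /tmp/demo",
    "55e0a0002000-55e0a0003000 rw-p 00002000 fd:01 1234 /tmp/demo",
    "7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0          [stack]",
};

/* The same bytes as a literal (.rodata) and as a malloc'd copy, the shape of an attacker-fed buffer. */
static int demo_area(int heap_copy)
{
    static const char lit[] = "%d bytes written%n";
    if (!heap_copy) return readonly_area(lit, sizeof lit);
    char *fmt = malloc(sizeof lit);
    if (fmt == NULL) return AREA_UNKNOWN;
    memcpy(fmt, lit, sizeof lit);
    int r = readonly_area(fmt, sizeof lit);
    free(fmt);
    return r;
}

int main(void)
{
    printf("literal %d, heap copy %d, \"%%n\" in a literal allowed %d\n",
           demo_area(0), demo_area(1), format_allowed("%d%n"));
    return 0;
}
```

Two things worth noticing when running it. First, the decision itself is cheap; the cost is that every call reopens /proc/self/maps and re-parses text until the covering mapping is found, which is exactly the overhead Albert objects to when it is paid by every fortified printf rather than once by a tool like procps. Second, the verdict depends on having /proc at all: in a chroot or a locked-down container the check silently degrades to "unknown", which is why the thread's point about keeping /proc/self/maps readable in setuid programs matters for this class of check.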