Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp1983644ybv; Fri, 21 Feb 2020 06:49:25 -0800 (PST) X-Google-Smtp-Source: APXvYqw67okUJuHnETpSYs8+VTI7zW0W+RTQfkyx8EmjWKfw+ykpgUG5n86xzUINytQAA1PVWi6m X-Received: by 2002:aca:b183:: with SMTP id a125mr2279527oif.83.1582296565152; Fri, 21 Feb 2020 06:49:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582296565; cv=none; d=google.com; s=arc-20160816; b=zlwDs2CvAlB2QZ/cFSKLH/l15Eh2dAh7Nc6FW8dywY241RLxPUgk6kf3hpdb1fPuW5 tWEN+MGYAvw46OMS4zv3e5Ps4QXe08CwptTSSsH/hh29vdF6tQPGeKZ0UOzvYtkgwKoS Mk32rAq9yWtbEgVOtMwh3l+edflAFy9Lxza4SCG3Kjs1r6WS9ma0UL6WJpELyFtY5rPc tY0yrTYOP//8KZcwug6p/TLrpmErZE25PVISeIictkETPwDaE5ZxnTsIlqm5VDc7dpcW 74Fo8/MFFfrDxyy7bws1zF+dm1p8FoAcp3H4s99ASa1dZQkgikhmT2kB4C5buakfeXtF g5EQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=JHMwWjN7nc8iaGBcz7/4VzP1XSfSgnK0vC/3LaoaPro=; b=cUCrpjzJY8wkP8ORtJ8BTO64E6dmdIglKtqBH7treBXT/Y9nCsucuKYjd1rUh5RnaV sQ+aglTWqrD9r2Z0Dhd3JxTl//Ta9CPmDIuyEHEx1v5/+M32NZF0KfntIt4VxUvPSB+P S2390LlnkfFi0GEKlUtWqO7NU/4I8q4aZrod44B8lAdzV0JzEjii2GTOLFaa4hjkUa6L JSWTdOskswhr8z553erTKTyjOyCI4FgZaY/w/JC4QLSMf3FWoBVySgoPT5P3+Hr0/Zfu p7QvyPX+du0mboPOJTpoi+BnobkOW8PtYs+1DCIT1rznQ4uJFzkpiSu4dz/eMmwUM2pP u5Cg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=AGOjzX4D; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t26si1462295otq.264.2020.02.21.06.49.12; Fri, 21 Feb 2020 06:49:25 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=AGOjzX4D; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728938AbgBUOtA (ORCPT + 99 others); Fri, 21 Feb 2020 09:49:00 -0500 Received: from mail.kernel.org ([198.145.29.99]:56752 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727315AbgBUOtA (ORCPT ); Fri, 21 Feb 2020 09:49:00 -0500 Received: from willie-the-truck (236.31.169.217.in-addr.arpa [217.169.31.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6964D20656; Fri, 21 Feb 2020 14:48:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1582296539; bh=Tg/z7ezWX1c7D6YoATKHY8w65DWTSaJmOP1DDofML50=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=AGOjzX4D6tNBheKkXYIyh3CD4VgdZzXymU0+s89C6AFBSITpiaGNmYiAm00VGff68 J8OMtCXAyAZyNhbS0OOIRPmXAToVcHAZWUOp6iNrHTAKO1Raug2+yT+qEMcma4QRos eNoQCnDYW/ODGRjY2ZIe6Y4n52vMupTEkRIIrjQ8= Date: Fri, 21 Feb 2020 14:48:54 +0000 From: Will Deacon To: Masami Hiramatsu Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, akpm@linux-foundation.org, "K . Prasad" , Thomas Gleixner , Greg Kroah-Hartman , Frederic Weisbecker , Christoph Hellwig , Quentin Perret , Alexei Starovoitov Subject: Re: [PATCH 0/3] Unexport kallsyms_lookup_name() and kallsyms_on_each_symbol() Message-ID: <20200221144853.GA18153@willie-the-truck> References: <20200221114404.14641-1-will@kernel.org> <20200221232746.6eb84111a0d385bed71613ff@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200221232746.6eb84111a0d385bed71613ff@kernel.org> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Masami, On Fri, Feb 21, 2020 at 11:27:46PM +0900, Masami Hiramatsu wrote: > On Fri, 21 Feb 2020 11:44:01 +0000 > Will Deacon wrote: > > Despite having just a single modular in-tree user that I could spot, > > kallsyms_lookup_name() is exported to modules and provides a mechanism > > for out-of-tree modules to access and invoke arbitrary, non-exported > > kernel symbols when kallsyms is enabled. > > > > This patch series fixes up that one user and unexports the symbol along > > with kallsyms_on_each_symbol(), since that could also be abused in a > > similar manner. > > What kind of issue would you like to fix with this? I would like to avoid out-of-tree modules being easily able to call functions that are not exported. kallsyms_lookup_name() makes this trivial to the point that there is very little incentive to rework these modules to either use upstream interfaces correctly or propose functionality which may be otherwise missing upstream. Both of these latter solutions would be pre-requisites to upstreaming these modules, and the current state of things actively discourages that approach. The background here is that we are aiming for Android devices to be able to use a generic binary kernel image closely following upstream, with any vendor extensions coming in as kernel modules. In this case, we (Google) end up maintaining the binary module ABI within the scope of a single LTS kernel. Monitoring and managing the ABI surface is not feasible if it effectively includes all data and functions via kallsyms_lookup_name(). Of course, we could just carry this patch in the Android kernel tree, but we're aiming to carry as little as possible (ideally nothing) and I think it's a sensible change in its own right. I'm surprised you object to it, in all honesty. Now, you could turn around and say "that's not upstream's problem", but it still seems highly undesirable to me to have an upstream bypass for exported symbols that isn't even used by upstream modules. It's ripe for abuse and encourages people to work outside of the upstream tree. The usual rule is that we don't export symbols without a user in the tree and that seems especially relevant in this case. > There are many ways to find (estimate) symbol address, especially, if > the programmer already has the symbol map, it is *very* easy to find > the target symbol address even from one exported symbol (the distance > of 2 symbols doesn't change.) If not, they can use kprobes to find > their required symbol address. If they have a time, they can use > snprintf("%pF") to search symbol. I would say that both of these are inconvenient enough that the developer would think twice before considering to use them in production. > So, for me, this series just make it hard for casual developers (but > maybe they will find the answer on any technical Q&A site soon). Which casual developers? I don't understand who you're referring to here. Do you have a specific example in mind? > Hmm, are there other good way to detect such bad-manner out-of-tree > module and reject them? What about decoding them and monitor their > all call instructions? That sounds like using a sledge hammer to crack a nut to me. Will