Subject: Re: [PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor
From: "Madhavan T. Venkataraman"
To: David Laight, Andy Lutomirski
Cc: Kernel Hardening, Linux API, linux-arm-kernel, Linux FS Devel, linux-integrity, LKML, LSM List, Oleg Nesterov, X86 ML
Date: Mon, 3 Aug 2020 10:59:04 -0500
Message-ID: <8f938da2-a10d-ca15-56f0-70315c678771@linux.microsoft.com>
References: <20200728131050.24443-1-madvenka@linux.microsoft.com> <3b916198-3a98-bd19-9a1c-f2d8d44febe8@linux.microsoft.com>

On 8/3/20 3:23 AM, David Laight wrote:
> From: Madhavan T. Venkataraman
>> Sent: 02 August 2020 19:55
>> To: Andy Lutomirski
>> Cc: Kernel Hardening; Linux API; linux-arm-kernel; Linux FS Devel;
>> linux-integrity; LKML; LSM List; Oleg Nesterov; X86 ML
>> Subject: Re: [PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor
>>
>> More responses inline..
>>
>> On 7/28/20 12:31 PM, Andy Lutomirski wrote:
>>>> On Jul 28, 2020, at 6:11 AM, madvenka@linux.microsoft.com wrote:
>>>>
>>>> From: "Madhavan T. Venkataraman"
>>>>
>>> 2. Use existing kernel functionality. Raise a signal, modify the
>>> state, and return from the signal. This is very flexible and may not
>>> be all that much slower than trampfd.
>> Let me understand this. You are saying that the trampoline code
>> would raise a signal and, in the signal handler, set up the context
>> so that when the signal handler returns, we end up in the target
>> function with the context correctly set up. And, this trampoline code
>> can be generated statically at build time so that there are no
>> security issues using it.
>>
>> Have I understood your suggestion correctly?
> I was thinking that you'd just let the 'not executable' page fault
> signal happen (SIGSEGV?) when the code jumps to on-stack trampoline
> is executed.
>
> The user signal handler can then decode the faulting instruction
> and, if it matches the expected on-stack trampoline, modify the
> saved registers before returning from the signal.
>
> No kernel changes and all you need to add to the program is
> an architecture-dependent signal handler.

Understood.

Madhavan
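
The approach David Laight describes above, sketched for x86-64 Linux with glibc as an added example (not code from this thread or from the trampfd patches): a SIGSEGV handler recognises a trampoline on a non-executable page, decodes it, and loads the saved registers instead of executing it. The 23-byte trampoline layout, `chain_plus` and `run_demo` are assumptions made for illustration.

```c
#define _GNU_SOURCE                     /* exposes REG_RIP etc. */
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#ifndef REG_RIP                         /* glibc x86-64 gregs indices */
enum { REG_R10 = 2, REG_R11 = 3, REG_RIP = 16 };
#endif
/* Constructed 23-byte trampoline (assumed layout): 49 bb imm64 movabs $target,%r11;
 * 49 ba imm64 movabs $chain,%r10; 49 ff e3 jmp *%r11. */
static int decode_tramp(const uint8_t *p, uint64_t *target, uint64_t *chain)
{
    if (p[0] != 0x49 || p[1] != 0xbb || p[10] != 0x49 || p[11] != 0xba ||
        memcmp(p + 20, "\x49\xff\xe3", 3) != 0)
        return 0;                       /* anything else is not our trampoline */
    memcpy(target, p + 2, 8);
    memcpy(chain, p + 12, 8);
    return 1;
}
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    greg_t *r = ((ucontext_t *)ctx)->uc_mcontext.gregs;
    uint64_t target, chain;
    /* An instruction-fetch fault has fault address == saved RIP. */
    if ((uint64_t)(uintptr_t)si->si_addr == (uint64_t)r[REG_RIP] &&
        decode_tramp(si->si_addr, &target, &chain)) {
        r[REG_R11] = r[REG_RIP] = (greg_t)target;   /* emulate the three insns */
        r[REG_R10] = (greg_t)chain;
    } else {
        signal(sig, SIG_DFL);           /* real crash: re-fault, default action */
    }
}
__asm__(".text\n.globl chain_plus\n.type chain_plus,@function\nchain_plus:\n"
        "  lea (%rdi,%r10), %rax\n  ret\n");
long chain_plus(long x);   /* hypothetical callee: returns x + static chain (%r10) */
long run_demo(void)
{
    struct sigaction sa = { .sa_sigaction = on_segv, .sa_flags = SA_SIGINFO };
    uint64_t fn = (uint64_t)(uintptr_t)chain_plus, ch = 40;
    uint8_t *t = mmap(NULL, 4096, PROT_READ | PROT_WRITE,   /* no PROT_EXEC */
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (t == MAP_FAILED || sigaction(SIGSEGV, &sa, NULL) != 0)
        return -1;
    memcpy(t, "\x49\xbb", 2);      memcpy(t + 2, &fn, 8);
    memcpy(t + 10, "\x49\xba", 2); memcpy(t + 12, &ch, 8);
    memcpy(t + 20, "\x49\xff\xe3", 3);
    return ((long (*)(long))(void *)t)(2);          /* faults; handler redirects */
}
int main(void) { return run_demo() == 42 ? 0 : 1; }
```

The handler trusts whatever target the writable page holds; a hardened version would also check `target` against the program's known nested-function entry points before redirecting.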