Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp3251477pxa;
        Sat, 8 Aug 2020 15:18:57 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJw9lchQtyLg8gBNP40q3U4O4BdSnatEhBAfSvxSmntN3UTh3xDum0OMWLpVmf+6GEtauRsh
X-Received: by 2002:a17:906:15c2:: with SMTP id l2mr15081429ejd.112.1596925137135;
        Sat, 08 Aug 2020 15:18:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1596925137; cv=none;
        d=google.com; s=arc-20160816;
        b=tR8SgQowiqXghUQxys/1wRrvVa7oZYTiTVV5fWT5dJbf0QmxQ8bYueIypOXBhgGrpo
         /wLntxQmoinq6L8lNTtTdoH83GCraws2ZkQER83a7M798Ky/eywwGB+Ze7lFtFbFbeBu
         tzKsqnCWHVMbRbFQ+ddB5XEMP/newMtch3ldjJxvtlPcJvhmDItd/nmT6KA0jIqZ+KlU
         JGkSAtTqB5bGx4WY2Meyv0I8deWnow3g+BoA82oekly9oHrPLQe6KFOG+/XrlUoFDt7E
         ujSqHNlAci1VZsJFwseEDRaceX2s9TrieovkISNjn7fp0GgSDEoM8UqKE98ENztRMt5K
         dBbQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=0miEDuRDtqZqcYBbGk7fdE2wPfAvHxkWJGNm+kKJejU=;
        b=RkbaLU16x7l7N+UIax8Z7/808pr7zsxsys031Z9CD/byZTOKFLspvhOE18W0PngAF7
         2qiHbflz1DFm2iIVB/t3ugnk7eLjnhplSIKbMviMqtNtpXmBiOkH0FehODWJFFEFt+7c
         sqFcy+TgsYRQ4FY3kRZ9xhrXvcJk65PSksIeGOQ0hY/2yPOjYYpJkuKCp/ZG7cBaUUQA
         A8FfuOh1EApc73yOjNnjxhwBnALQQ8Kxyb8rtP2ozGYzecYu6S6q+pFN7dUbiCJgeHyk
         I7Zrg36W8PON4S1jPG1yZrV2xzoMO3tU0/ItW0ejNFCBHPEQPbTtq6k5zx3h7Dk+Xe1C
         lEpQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id a1si8001535eju.9.2020.08.08.15.18.32;
        Sat, 08 Aug 2020 15:18:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726093AbgHHWRw (ORCPT <rfc822;linux.htchiang@gmail.com>
        + 99 others); Sat, 8 Aug 2020 18:17:52 -0400
Received: from jabberwock.ucw.cz ([46.255.230.98]:37712 "EHLO
        jabberwock.ucw.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725779AbgHHWRw (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 8 Aug 2020 18:17:52 -0400
Received: by jabberwock.ucw.cz (Postfix, from userid 1017)
        id EAB141C0BDA; Sun,  9 Aug 2020 00:17:49 +0200 (CEST)
Date:   Sun, 9 Aug 2020 00:17:48 +0200
From:   Pavel Machek <pavel@ucw.cz>
To:     "Madhavan T. Venkataraman" <madvenka@linux.microsoft.com>
Cc:     Mark Rutland <mark.rutland@arm.com>,
        kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
        linux-arm-kernel@lists.infradead.org,
        linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org, oleg@redhat.com,
        x86@kernel.org
Subject: Re: [PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor
Message-ID: <20200808221748.GA1020@bug>
References: <aefc85852ea518982e74b233e11e16d2e707bc32>
 <20200728131050.24443-1-madvenka@linux.microsoft.com>
 <20200731180955.GC67415@C02TD0UTHF1T.local>
 <6236adf7-4bed-534e-0956-fddab4fd96b6@linux.microsoft.com>
 <20200804143018.GB7440@C02TD0UTHF1T.local>
 <b3368692-afe6-89b5-d634-12f4f0a601f8@linux.microsoft.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <b3368692-afe6-89b5-d634-12f4f0a601f8@linux.microsoft.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi!

> Thanks for the lively discussion. I have tried to answer some of the
> comments below.

> > There are options today, e.g.
> >
> > a) If the restriction is only per-alias, you can have distinct aliases
> >    where one is writable and another is executable, and you can make it
> >    hard to find the relationship between the two.
> >
> > b) If the restriction is only temporal, you can write instructions into
> >    an RW- buffer, transition the buffer to R--, verify the buffer
> >    contents, then transition it to --X.
> >
> > c) You can have two processes A and B where A generates instrucitons into
> >    a buffer that (only) B can execute (where B may be restricted from
> >    making syscalls like write, mprotect, etc).
> 
> The general principle of the mitigation is W^X. I would argue that
> the above options are violations of the W^X principle. If they are
> allowed today, they must be fixed. And they will be. So, we cannot
> rely on them.

Would you mind describing your threat model?

Because I believe you are using model different from everyone else.

In particular, I don't believe b) is a problem or should be fixed.

I'll add d), application mmaps a file(R--), and uses write syscall to change
trampolines in it.

> b) This is again a violation. The kernel should refuse to give execute
> ???????? permission to a page that was writeable in the past and refuse to
> ???????? give write permission to a page that was executable in the past.

Why?

										Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html