Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp405110pxa; Tue, 11 Aug 2020 06:10:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzNm5KTOKTdLGwl+wCCgaX2hLVtMUgHWMxxKSjJ1igDIKZIoP1ntQsM4H2zfyAs3hO1XQIE X-Received: by 2002:a17:906:260c:: with SMTP id h12mr27610891ejc.457.1597151413085; Tue, 11 Aug 2020 06:10:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597151413; cv=none; d=google.com; s=arc-20160816; b=qiBuvuUrTbLo/YLbUs4IMg2vAOCjLs1TEDEr6ZDX9obAbl05uwBejgZ8ZpCx3Qu9SG n932HsnX5zoyzAn2QDW2sILkDF6/iBqP+EMVy95Xl5Fb8izbarVl5dGBoC9XRjaQBqo7 ixtB88KHAf7oNiCk5KGwoe1VYnPfEKb98qohAQOU1MQQrsFm77A0rxuUL43Cc5Bajuf5 YpCjDYDIhUWrG/AGCfeSfjI0qOyQYhp/pyzEehuWFQkOa4Zkpb7PO9LcnfFW6LdzT2in pgjNnVl3TJLPn+I1/ZJeLnhtnfR6VL0Y9tP1sMusq++NJB05r5CusnRvoyc0apvoqBTT r8QQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=FkGiQXx1IjXoWu+BqAu5YzD+uuqh8JSxwKc5ZFD0lTQ=; b=jXaG8AJa37pFOvXH4oU0381vK64ouUTCHEwLwqTbbTMz3sVsCvlK2n197JdM6uek/d 1XlldzxJ/MWGfNSKe6CxxdcKhuf1g0BIWZwW26HcGbeVFsBpzBaesDeVtnbRCiInmKkx m2OKxc3nZHqneYWhVa9sWIsMWpER+NRhZ9/L22AUWy0vjEmVv5KHYQiLBb1NTzvxN8yg wlw/KifmVjvRVrxHK9+ZJ/47QCWtqqmM0NMSIOce3SUP87bpUOUAvlknzwJLSXz8Hd7W Blf2C9Jr5G9yBEQdIQ4Dk8PGnmiD4Yf5uKeIIYRTaV0DxEyu8yE6RQmJR7d9GvY4ETF+ GF+A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ba10si2746279edb.472.2020.08.11.06.09.46; Tue, 11 Aug 2020 06:10:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728685AbgHKNIl (ORCPT + 99 others); Tue, 11 Aug 2020 09:08:41 -0400 Received: from jabberwock.ucw.cz ([46.255.230.98]:41556 "EHLO jabberwock.ucw.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728557AbgHKNIk (ORCPT ); Tue, 11 Aug 2020 09:08:40 -0400 Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id C95DF1C0BD8; Tue, 11 Aug 2020 15:08:37 +0200 (CEST) Date: Tue, 11 Aug 2020 15:08:37 +0200 From: Pavel Machek To: "Madhavan T. Venkataraman" Cc: Mark Rutland , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, oleg@redhat.com, x86@kernel.org Subject: Re: [PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor Message-ID: <20200811130837.hi6wllv6g67j5wds@duo.ucw.cz> References: <20200728131050.24443-1-madvenka@linux.microsoft.com> <20200731180955.GC67415@C02TD0UTHF1T.local> <6236adf7-4bed-534e-0956-fddab4fd96b6@linux.microsoft.com> <20200804143018.GB7440@C02TD0UTHF1T.local> <20200808221748.GA1020@bug> <6cca8eac-f767-b891-dc92-eaa7504a0e8b@linux.microsoft.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="yvr4rtdsyfwruwtq" Content-Disposition: inline In-Reply-To: <6cca8eac-f767-b891-dc92-eaa7504a0e8b@linux.microsoft.com> User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --yvr4rtdsyfwruwtq Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > >> Thanks for the lively discussion. I have tried to answer some of the > >> comments below. > >=20 > >>> There are options today, e.g. > >>> > >>> a) If the restriction is only per-alias, you can have distinct aliases > >>> where one is writable and another is executable, and you can make = it > >>> hard to find the relationship between the two. > >>> > >>> b) If the restriction is only temporal, you can write instructions in= to > >>> an RW- buffer, transition the buffer to R--, verify the buffer > >>> contents, then transition it to --X. > >>> > >>> c) You can have two processes A and B where A generates instrucitons = into > >>> a buffer that (only) B can execute (where B may be restricted from > >>> making syscalls like write, mprotect, etc). > >> > >> The general principle of the mitigation is W^X. I would argue that > >> the above options are violations of the W^X principle. If they are > >> allowed today, they must be fixed. And they will be. So, we cannot > >> rely on them. > >=20 > > Would you mind describing your threat model? > >=20 > > Because I believe you are using model different from everyone else. > >=20 > > In particular, I don't believe b) is a problem or should be fixed. >=20 > It is a problem because a kernel that implements W^X properly > will not allow it. It has no idea what has been done in userland. > It has no idea that the user has checked and verified the buffer > contents after transitioning the page to R--. No, it is not a problem. W^X is designed to protect from attackers doing buffer overflows, not attackers doing arbitrary syscalls. Best regards, Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --yvr4rtdsyfwruwtq Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EARECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCXzKYVQAKCRAw5/Bqldv6 8ukgAJ9NvrVhKohEnNz0+UYVlo/02QCYaACgiTn7V4hdsKUqG2xCfqc/g1HOnV4= =VFJ2 -----END PGP SIGNATURE----- --yvr4rtdsyfwruwtq--