Subject: Re: [PATCH] mm: optionally disable brk()
From: Topi Miettinen
To: David Laight, 'David Hildenbrand', Michal Hocko
Cc: "akpm@linux-foundation.org", "linux-mm@kvack.org", "linux-kernel@vger.kernel.org"
Date: Wed, 7 Oct 2020 12:43:48 +0300

On 5.10.2020 15.25, David Laight wrote:
> From: David Hildenbrand
>> Sent: 05 October 2020 13:19
>>
>> On 05.10.20 13:21, David Laight wrote:
>>> From: David Hildenbrand
>>>> Sent: 05 October 2020 10:55
>>> ...
>>>>> If hardening and compatibility are seen as tradeoffs, perhaps there
>>>>> could be a top level config choice (CONFIG_HARDENING_TRADEOFF) for this.
>>>>> It would have options
>>>>> - "compatibility" (default) to gear questions for maximum compatibility,
>>>>> deselecting any hardening options which reduce compatibility
>>>>> - "hardening" to gear questions for maximum hardening, deselecting any
>>>>> compatibility options which reduce hardening
>>>>> - "none/manual": ask all questions like before
>>>>
>>>> I think the general direction is to avoid an exploding set of config
>>>> options. So if there isn't a *real* demand, I guess gluing this to a
>>>> single option ("CONFIG_SECURITY_HARDENING") might be good enough.
>>>
>>> Wouldn't that be better achieved by run-time clobbering
>>> of the syscall vectors?
>>
>> You mean via something like a boot parameter? Possibly yes.
>
> I was thinking of later.
> Some kind of restricted system might want the 'clobber'
> mount() after everything is running.

Perhaps suitably privileged tasks should be able to install global
seccomp filters which would disregard any NoNewPrivileges requirements
and would apply immediately to all tasks. The boot parameter would be
also nice so that initrd and PID1 would be also restricted. Seccomp
would also allow more specific filtering than messing with the syscall
tables.

-Topi