Subject: Re: [PATCH 0/4 POC] Allow executing code and syscalls in another address space
To: Andrei Vagin, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org
Cc: linux-um@lists.infradead.org, criu@openvz.org, avagin@google.com, Andrew Morton, Anton Ivanov, Christian Brauner, Dmitry Safonov <0x7f454c46@gmail.com>, Ingo Molnar, Jeff Dike, Mike Rapoport, Michael Kerrisk, Oleg Nesterov, Peter Zijlstra, Richard Weinberger, Thomas Gleixner
References: <20210414055217.543246-1-avagin@gmail.com>
From: Andy Lutomirski
Message-ID: <6073e4c6-6fe8-0448-4586-5d04d7154164@kernel.org>
Date: Fri, 2 Jul 2021 15:44:41 -0700
In-Reply-To: <20210414055217.543246-1-avagin@gmail.com>
List-ID: linux-kernel@vger.kernel.org

On 4/13/21 10:52 PM, Andrei Vagin wrote:
> process_vm_exec has two modes:
>
> * Execute code in an address space of a target process and stop on any
>   signal or system call.

We already have a perfectly good context switch mechanism: context switches.

If you execute code, you are basically guaranteed to be subject to being hijacked, which means you pretty much can't allow syscalls. But there's a lot of non-syscall state, and I think context switching needs to be done with extreme care. (Just as an example, suppose you switch mms, then set %gs to point to the LDT, then switch back. Now you're in a weird state. With %ss the plot is a bit thicker. And there are emulated vsyscalls and such.)

If you, PeterZ, and the UMCG could all find an acceptable, efficient way to wake-and-wait so you can switch into an injected task in the target process and switch back quickly, then I think a much nicer solution will become available.

> * Execute a system call in an address space of a target process.

I could get behind this, but there are plenty of cans of worms to watch out for. Serious auditing would be needed.