Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp3353205rdg;
        Tue, 17 Oct 2023 11:55:21 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IHoG5m9yDGP5wOwWjvSAKdqcq4XDDlchAC+qTNlshp54658O5TP6a7HfTMduyqO2stZEvcc
X-Received: by 2002:a17:902:dac6:b0:1ca:4ad7:682f with SMTP id q6-20020a170902dac600b001ca4ad7682fmr3421960plx.26.1697568921341;
        Tue, 17 Oct 2023 11:55:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1697568921; cv=none;
        d=google.com; s=arc-20160816;
        b=nh6Nk1dHdeKazXBSVxQqTKzr5MZxBbi9W7hMZiyY+XTGCvMkF9KjVBCgyU5gK6J6rA
         DUAY1R0Gybyn0UvP4vAqF7ayYMhTcTwGPhdOVFAQFm+oEl+C5tLKEgglXXv9fP2nAe1k
         3k0LioUX45BLLCSVaxIeMvcgpMeY4FTHyOhuAMd8GppshDIBb0vEv8enuXgAc9LDzcDC
         IvucIN2PvBgAsI66cuUHaLxxjU+9dQQ7fnDSsTJIWoIMmDLcZDpHmqRQ9a6eEXAJgKIq
         zwjZ3c5j5E9BmnbMlhRk5F/ZDCyF4lfogn20bDF9XZ4YVRnEDfEX/NpCbQozbfCajQ0K
         XeMA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:message-id:date:content-id:mime-version:comments
         :references:in-reply-to:subject:cc:to:from:dkim-signature;
        bh=9K3FzVzA0EdZyVUbEfpRJH5ISTp9XEDRjk0GSGvJzN8=;
        fh=IQX8tdld4lOeftqiT+B5HlAn/d71rDgRFedE3WO9UFI=;
        b=TflYKsQSvDgEaV3at9ZnOr4+cMCU/Vkv5YhWt2Vfy/sB6l42YK4rMtcm0P6Ubo6s5y
         97eWHl91lUNlPVUI6+M7/PGU5TBvTLAtRER3m5I2RYja/IzlaGdAjaLLbOgz+xD+pJw1
         WQzJ4fBA36hc2m2y8KbcTQoPmoDVT0uuIkDHgTEHkt1dJp2CswSy5QiX/vAKRPARoCOs
         Nj3g8ZIqHoAZQC0brP/Hi+r5fVsb2q9XYwsKohxC9Np9FoLfK+9Hmf6bwWrbkLa9plli
         FgwNTjUBOFFLckpnvBohfM0v5rwIqx8ant9akqSlyCyCQ79DbHmH4W5o0Z+bVSZMJqYc
         llng==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@openbsd.org header.s=selector1 header.b=8xwIonPT;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from pete.vger.email (pete.vger.email. [23.128.96.36])
        by mx.google.com with ESMTPS id q11-20020a170902dacb00b001c9b5a90a92si813768plx.344.2023.10.17.11.55.20
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 17 Oct 2023 11:55:21 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@openbsd.org header.s=selector1 header.b=8xwIonPT;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by pete.vger.email (Postfix) with ESMTP id 69EC2802923C;
	Tue, 17 Oct 2023 11:55:18 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1344099AbjJQSzH (ORCPT <rfc822;tarbal@gmail.com> + 99 others);
        Tue, 17 Oct 2023 14:55:07 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45208 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235020AbjJQSzF (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Oct 2023 14:55:05 -0400
Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 36A69FC;
        Tue, 17 Oct 2023 11:55:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=selector1; bh=nltAwsLnVc
        o8Ol3OOUaPBGv1UdYJKAJvkuezLI48KVs=; h=date:references:in-reply-to:
        subject:cc:to:from; d=openbsd.org; b=8xwIonPTgs5mDltwxve/VanHgI0S5pOMV
        r3DRia+EKAbNalzQ8JRX2Amk9L1RYwHUWowf+ECZ+JuhNYSGBSpYlbBgfgX86UGBTCXjoH
        wwbJhZOx/gCpNq6wZSObg695vA1FRW9rLvSWVfTKdOjot3/uWB7YUedZPcn2BlPA6o/nAK
        43Re55EP1rS//OSdUm8FY5T34SaTav9Ufb4evq1lyA38xQr3BWH1I6iKvb0Iqz0CFXqgfJ
        wM2LaB0vIkEnB8kWbahyz2vV8TsQD5Y7z9bHZB2nyy6YyOdMTPj4kEWNF75aZxLv5O40kx
        YyBV47e7tbtJPiwZhUTzq8rNQ1raw==
Received: from cvs.openbsd.org (localhost [127.0.0.1])
        by cvs.openbsd.org (OpenSMTPD) with ESMTP id 0883e4b1;
        Tue, 17 Oct 2023 12:55:01 -0600 (MDT)
From:   "Theo de Raadt" <deraadt@openbsd.org>
To:     Linus Torvalds <torvalds@linux-foundation.org>
cc:     Jeff Xu <jeffxu@google.com>, jeffxu@chromium.org,
        akpm@linux-foundation.org, keescook@chromium.org,
        sroettger@google.com, jorgelo@chromium.org, groeck@chromium.org,
        linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
        linux-mm@kvack.org, jannh@google.com, surenb@google.com,
        alex.sierra@amd.com, apopple@nvidia.com,
        aneesh.kumar@linux.ibm.com, axelrasmussen@google.com,
        ben@decadent.org.uk, catalin.marinas@arm.com, david@redhat.com,
        dwmw@amazon.co.uk, ying.huang@intel.com, hughd@google.com,
        joey.gouly@arm.com, corbet@lwn.net, wangkefeng.wang@huawei.com,
        Liam.Howlett@oracle.com, lstoakes@gmail.com, willy@infradead.org,
        mawupeng1@huawei.com, linmiaohe@huawei.com, namit@vmware.com,
        peterx@redhat.com, peterz@infradead.org, ryan.roberts@arm.com,
        shr@devkernel.io, vbabka@suse.cz, xiujianfeng@huawei.com,
        yu.ma@intel.com, zhangpeng362@huawei.com, dave.hansen@intel.com,
        luto@kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [RFC PATCH v1 0/8] Introduce mseal() syscall
In-reply-to: <CAHk-=wjS=xg12RVQdTNxEurjo21eXQBQO0D5My6Aox4LCfsO1A@mail.gmail.com>
References: <20231016143828.647848-1-jeffxu@chromium.org> <CAHk-=whFZoap+DBTYvJx6ohqPwn11Puzh7q4huFWDX9vBwXHgg@mail.gmail.com> <CALmYWFtTDAb_kpZdAe_xspqwNgK1NWJmjTxaTC=jDEMzfe297Q@mail.gmail.com> <CAHk-=wj87GMTH=5901ob=SjQqegAm2JYBE7E4J7skJzE64U-wQ@mail.gmail.com> <55960.1697566804@cvs.openbsd.org> <CAHk-=wjS=xg12RVQdTNxEurjo21eXQBQO0D5My6Aox4LCfsO1A@mail.gmail.com>
Comments: In-reply-to Linus Torvalds <torvalds@linux-foundation.org>
   message dated "Tue, 17 Oct 2023 11:38:19 -0700."
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <68270.1697568901.1@cvs.openbsd.org>
Date:   Tue, 17 Oct 2023 12:55:01 -0600
Message-ID: <19404.1697568901@cvs.openbsd.org>
X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Tue, 17 Oct 2023 11:55:18 -0700 (PDT)

Linus Torvalds <torvalds@linux-foundation.org> wrote:

> On Tue, 17 Oct 2023 at 11:20, Theo de Raadt <deraadt@openbsd.org> wrote:
> >
> > The only case where the immutable marker is ignored is during address space
> > teardown as a result of process termination.
> 
> .. and presumably also execve()?

Ah yes of course that also.

> I do like us starting with just "mimmutable()", since it already
> exists. Particularly if chrome already knows how to use it.

Well, our chrome fork knows how to use it.  Robert Nagy in our group maintains
1280 patches to make chrome work on OpenBSD.  Google ignores them and will not
upstream them.  Some of these changes are security related, and they ignore
them.  Other changes are to cope with security work we've done on our own,
for example: JIT changes from Stephen@google for mandatory IBT which google
hasn't upstreamed yet, impacts due to PROT_EXEC-only mappings, etc.

But the only chrome diff required for mimmutable is for that v8_flags thing
I described.   And the same issue would need handling for mseal().  Introducing
the new "mutable" ELF section is probably going to be a bigger fuss than the
system call after mprotect(PROT_READ)....

> Maybe add a flag field (require it to be zero initially) just to allow
> any future expansion. Maybe the chrome team has *wanted* to have some
> finer granularity thing and currently doesn't use mimmutable() in some
> case?

There's only one feature I can think of, and we already do it right now,
documented in our manual page:

CAVEATS
     At present, mprotect(2) may reduce permissions on immutable pages marked
     PROT_READ | PROT_WRITE to the less permissive PROT_READ.  This one-way
     operation is permitted for an introductory period to observe how software
     uses this mechanism.  It may change to require explicit mutable region
     annotation with __attribute__((section(".openbsd.mutable"))) and explicit
     calls to mimmutable().

We had something which needed this behaviour during the development
transition.  It is exlusively mprotect RW -> R, no other transitions
allowed.

But once the transition was done, we don't need it anymore.  I want to
delete it, because it is a bit of a trap.  It still fails closed from an
attack perspective, but...

What worries me is a piece of code reached by mistake can do a
mprotect(lowering), not receive -1 EPERM, and carry on running..  I'd
prefer the first time you touch a mapping in the wrong way, you receive
indication of error.  This only applies applies to mprotect() acting up
on a region so the argument is a bit weak, due to mprotect() return
value checking being about as rare as unicorns.

Also, it would be a pain for OpenBSD to transition to adding a 0 flag.
I would need to see real cause not theory.