Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp3353205rdg; Tue, 17 Oct 2023 11:55:21 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHoG5m9yDGP5wOwWjvSAKdqcq4XDDlchAC+qTNlshp54658O5TP6a7HfTMduyqO2stZEvcc X-Received: by 2002:a17:902:dac6:b0:1ca:4ad7:682f with SMTP id q6-20020a170902dac600b001ca4ad7682fmr3421960plx.26.1697568921341; Tue, 17 Oct 2023 11:55:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697568921; cv=none; d=google.com; s=arc-20160816; b=nh6Nk1dHdeKazXBSVxQqTKzr5MZxBbi9W7hMZiyY+XTGCvMkF9KjVBCgyU5gK6J6rA DUAY1R0Gybyn0UvP4vAqF7ayYMhTcTwGPhdOVFAQFm+oEl+C5tLKEgglXXv9fP2nAe1k 3k0LioUX45BLLCSVaxIeMvcgpMeY4FTHyOhuAMd8GppshDIBb0vEv8enuXgAc9LDzcDC IvucIN2PvBgAsI66cuUHaLxxjU+9dQQ7fnDSsTJIWoIMmDLcZDpHmqRQ9a6eEXAJgKIq zwjZ3c5j5E9BmnbMlhRk5F/ZDCyF4lfogn20bDF9XZ4YVRnEDfEX/NpCbQozbfCajQ0K XeMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:content-id:mime-version:comments :references:in-reply-to:subject:cc:to:from:dkim-signature; bh=9K3FzVzA0EdZyVUbEfpRJH5ISTp9XEDRjk0GSGvJzN8=; fh=IQX8tdld4lOeftqiT+B5HlAn/d71rDgRFedE3WO9UFI=; b=TflYKsQSvDgEaV3at9ZnOr4+cMCU/Vkv5YhWt2Vfy/sB6l42YK4rMtcm0P6Ubo6s5y 97eWHl91lUNlPVUI6+M7/PGU5TBvTLAtRER3m5I2RYja/IzlaGdAjaLLbOgz+xD+pJw1 WQzJ4fBA36hc2m2y8KbcTQoPmoDVT0uuIkDHgTEHkt1dJp2CswSy5QiX/vAKRPARoCOs Nj3g8ZIqHoAZQC0brP/Hi+r5fVsb2q9XYwsKohxC9Np9FoLfK+9Hmf6bwWrbkLa9plli FgwNTjUBOFFLckpnvBohfM0v5rwIqx8ant9akqSlyCyCQ79DbHmH4W5o0Z+bVSZMJqYc llng== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@openbsd.org header.s=selector1 header.b=8xwIonPT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from pete.vger.email (pete.vger.email. [23.128.96.36]) by mx.google.com with ESMTPS id q11-20020a170902dacb00b001c9b5a90a92si813768plx.344.2023.10.17.11.55.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Oct 2023 11:55:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36; Authentication-Results: mx.google.com; dkim=fail header.i=@openbsd.org header.s=selector1 header.b=8xwIonPT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id 69EC2802923C; Tue, 17 Oct 2023 11:55:18 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344099AbjJQSzH (ORCPT + 99 others); Tue, 17 Oct 2023 14:55:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45208 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235020AbjJQSzF (ORCPT ); Tue, 17 Oct 2023 14:55:05 -0400 Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 36A69FC; Tue, 17 Oct 2023 11:55:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=selector1; bh=nltAwsLnVc o8Ol3OOUaPBGv1UdYJKAJvkuezLI48KVs=; h=date:references:in-reply-to: subject:cc:to:from; d=openbsd.org; b=8xwIonPTgs5mDltwxve/VanHgI0S5pOMV r3DRia+EKAbNalzQ8JRX2Amk9L1RYwHUWowf+ECZ+JuhNYSGBSpYlbBgfgX86UGBTCXjoH wwbJhZOx/gCpNq6wZSObg695vA1FRW9rLvSWVfTKdOjot3/uWB7YUedZPcn2BlPA6o/nAK 43Re55EP1rS//OSdUm8FY5T34SaTav9Ufb4evq1lyA38xQr3BWH1I6iKvb0Iqz0CFXqgfJ wM2LaB0vIkEnB8kWbahyz2vV8TsQD5Y7z9bHZB2nyy6YyOdMTPj4kEWNF75aZxLv5O40kx YyBV47e7tbtJPiwZhUTzq8rNQ1raw== Received: from cvs.openbsd.org (localhost [127.0.0.1]) by cvs.openbsd.org (OpenSMTPD) with ESMTP id 0883e4b1; Tue, 17 Oct 2023 12:55:01 -0600 (MDT) From: "Theo de Raadt" To: Linus Torvalds cc: Jeff Xu , jeffxu@chromium.org, akpm@linux-foundation.org, keescook@chromium.org, sroettger@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com, surenb@google.com, alex.sierra@amd.com, apopple@nvidia.com, aneesh.kumar@linux.ibm.com, axelrasmussen@google.com, ben@decadent.org.uk, catalin.marinas@arm.com, david@redhat.com, dwmw@amazon.co.uk, ying.huang@intel.com, hughd@google.com, joey.gouly@arm.com, corbet@lwn.net, wangkefeng.wang@huawei.com, Liam.Howlett@oracle.com, lstoakes@gmail.com, willy@infradead.org, mawupeng1@huawei.com, linmiaohe@huawei.com, namit@vmware.com, peterx@redhat.com, peterz@infradead.org, ryan.roberts@arm.com, shr@devkernel.io, vbabka@suse.cz, xiujianfeng@huawei.com, yu.ma@intel.com, zhangpeng362@huawei.com, dave.hansen@intel.com, luto@kernel.org, linux-hardening@vger.kernel.org Subject: Re: [RFC PATCH v1 0/8] Introduce mseal() syscall In-reply-to: References: <20231016143828.647848-1-jeffxu@chromium.org> <55960.1697566804@cvs.openbsd.org> Comments: In-reply-to Linus Torvalds message dated "Tue, 17 Oct 2023 11:38:19 -0700." MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <68270.1697568901.1@cvs.openbsd.org> Date: Tue, 17 Oct 2023 12:55:01 -0600 Message-ID: <19404.1697568901@cvs.openbsd.org> X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Tue, 17 Oct 2023 11:55:18 -0700 (PDT) Linus Torvalds wrote: > On Tue, 17 Oct 2023 at 11:20, Theo de Raadt wrote: > > > > The only case where the immutable marker is ignored is during address space > > teardown as a result of process termination. > > .. and presumably also execve()? Ah yes of course that also. > I do like us starting with just "mimmutable()", since it already > exists. Particularly if chrome already knows how to use it. Well, our chrome fork knows how to use it. Robert Nagy in our group maintains 1280 patches to make chrome work on OpenBSD. Google ignores them and will not upstream them. Some of these changes are security related, and they ignore them. Other changes are to cope with security work we've done on our own, for example: JIT changes from Stephen@google for mandatory IBT which google hasn't upstreamed yet, impacts due to PROT_EXEC-only mappings, etc. But the only chrome diff required for mimmutable is for that v8_flags thing I described. And the same issue would need handling for mseal(). Introducing the new "mutable" ELF section is probably going to be a bigger fuss than the system call after mprotect(PROT_READ).... > Maybe add a flag field (require it to be zero initially) just to allow > any future expansion. Maybe the chrome team has *wanted* to have some > finer granularity thing and currently doesn't use mimmutable() in some > case? There's only one feature I can think of, and we already do it right now, documented in our manual page: CAVEATS At present, mprotect(2) may reduce permissions on immutable pages marked PROT_READ | PROT_WRITE to the less permissive PROT_READ. This one-way operation is permitted for an introductory period to observe how software uses this mechanism. It may change to require explicit mutable region annotation with __attribute__((section(".openbsd.mutable"))) and explicit calls to mimmutable(). We had something which needed this behaviour during the development transition. It is exlusively mprotect RW -> R, no other transitions allowed. But once the transition was done, we don't need it anymore. I want to delete it, because it is a bit of a trap. It still fails closed from an attack perspective, but... What worries me is a piece of code reached by mistake can do a mprotect(lowering), not receive -1 EPERM, and carry on running.. I'd prefer the first time you touch a mapping in the wrong way, you receive indication of error. This only applies applies to mprotect() acting up on a region so the argument is a bit weak, due to mprotect() return value checking being about as rare as unicorns. Also, it would be a pain for OpenBSD to transition to adding a 0 flag. I would need to see real cause not theory.