Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp3549676rdg; Tue, 17 Oct 2023 20:37:35 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEuB/vpQbaIH9WJNlOBk16PZaYcdEBwmGCJFcYpVU/6rvxZ1p4ASKFPUVqqWgmp8PQ3vc7E X-Received: by 2002:a05:6a21:185:b0:17b:40:ccc6 with SMTP id le5-20020a056a21018500b0017b0040ccc6mr4729202pzb.4.1697600254771; Tue, 17 Oct 2023 20:37:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697600254; cv=none; d=google.com; s=arc-20160816; b=o5RawtDW6a5YdIPSQR3vv5r2IH7rjXARB9rpWDf35rxClFSPZS3nnlsYL4xjXWxD5V Sl5S2JUSjzB6XLW2vPPwgO8hPGwPOt/sakqI4s2aFq2nNm7vSfntNrrrwNIhKIwMzSF6 d9lqfVov+QRVXx1lerJdLd9Ary3S/e2343lRpjUtrZ6n+82jYcYlqWnbBY0bhTNm1rMM b+nT7RS0O+W9RGf2QHCny0qsIZIbZWlCbFsCT0v61EqMNl5sDdoJmrgKTGKbKvod3DJS tPPEVdFqoWRG6LOp9yll7xyH1MteGj1CjbhowcgMDOgxwF/mR5HU2LUfVfBd9Q3pc/ri ai6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:content-id:mime-version:comments :references:in-reply-to:subject:cc:to:from:dkim-signature; bh=4vtlE7KI4uiB+xqM4CucouATaHWHdAhIXSC+BUi3raA=; fh=8yvaPkxzqkDXSe2UfbbcXbZLZ8HsckyRcJD13+B7v08=; b=FVY5QE2ZLFP7fkk2lJEuNt+12XUdDZpwebkSYDdk02/dstloZVLURFSlsX5Ik72qQO Wj22NmyaiIzDkDMkE2+DHxEtg5TBVQf2r0P1p7MpRJ8lUoBL4oTjJlMHZkobidWSgWNr Vd8nRFniS9/F0CkWKAZCJzLOP1/5VqSNLUdi36I23FcfmpXfI9GERgl+98rHQWo/TdS/ KoTQMDGWSColUzuzzalt8XV4g2tMeRxbl3fSlz0RzpB1wCWLsx8pPSYx/nUEMj5mZELz qiL2XZdwKJoz6nTpBPR1vVNmpqs5YPR94ZTWjEknDUEG1HWC9r5LdarNVyHF6GzQCO9f jSKQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@openbsd.org header.s=selector1 header.b=jsDMH0m7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id k22-20020a634b56000000b005ae22729b09si1165822pgl.683.2023.10.17.20.37.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Oct 2023 20:37:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=fail header.i=@openbsd.org header.s=selector1 header.b=jsDMH0m7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 1F79680CC22B; Tue, 17 Oct 2023 20:37:32 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229499AbjJRDhZ (ORCPT + 99 others); Tue, 17 Oct 2023 23:37:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57920 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229449AbjJRDhY (ORCPT ); Tue, 17 Oct 2023 23:37:24 -0400 Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C0CEEFA; Tue, 17 Oct 2023 20:37:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=selector1; bh=TeLxSCjetO scvlEvELbRNGiU7p09LOhnflOe0RLiFYk=; h=date:references:in-reply-to: subject:cc:to:from; d=openbsd.org; b=jsDMH0m7ttDB4eio1pdXKIv+PU40k6qiw zsw3444aBI1uB65saDcHHuqszFN9VO6n8OjKIQf2Ts7V9vzWhYc1vorKp6BAjYJ5TybDHZ BvWDWj9zEYgWVYL6omIAh/g+WzNcryLAjXHgWMehKATTgnxao7mv8QxH/6QA2PKvsSplxP fWnsNhsy+y29yxNnZezm4MZL/Yv1HQEOk+V2Db/K2nwyV9n8ufjhKDkEBwLfLGNbg+gxvH ItZxcvH+FnzT0uMHkfDndP/1RIZXXTgHIp6rerLNbc+kRja6BSjkcT/kI0IVyBB4QnT2m0 AXylmYHuBgrppQukB35Lv8sbd+w+g== Received: from cvs.openbsd.org (localhost [127.0.0.1]) by cvs.openbsd.org (OpenSMTPD) with ESMTP id f1e58267; Tue, 17 Oct 2023 21:37:20 -0600 (MDT) From: "Theo de Raadt" To: Jeff Xu cc: Linus Torvalds , jeffxu@chromium.org, akpm@linux-foundation.org, keescook@chromium.org, sroettger@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com, surenb@google.com, alex.sierra@amd.com, apopple@nvidia.com, aneesh.kumar@linux.ibm.com, axelrasmussen@google.com, ben@decadent.org.uk, catalin.marinas@arm.com, david@redhat.com, dwmw@amazon.co.uk, ying.huang@intel.com, hughd@google.com, joey.gouly@arm.com, corbet@lwn.net, wangkefeng.wang@huawei.com, Liam.Howlett@oracle.com, lstoakes@gmail.com, willy@infradead.org, mawupeng1@huawei.com, linmiaohe@huawei.com, namit@vmware.com, peterx@redhat.com, peterz@infradead.org, ryan.roberts@arm.com, shr@devkernel.io, vbabka@suse.cz, xiujianfeng@huawei.com, yu.ma@intel.com, zhangpeng362@huawei.com, dave.hansen@intel.com, luto@kernel.org, linux-hardening@vger.kernel.org Subject: Re: [RFC PATCH v1 0/8] Introduce mseal() syscall In-reply-to: References: <20231016143828.647848-1-jeffxu@chromium.org> <55960.1697566804@cvs.openbsd.org> <95482.1697587015@cvs.openbsd.org> Comments: In-reply-to Jeff Xu message dated "Tue, 17 Oct 2023 20:18:47 -0700." MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <45247.1697600240.1@cvs.openbsd.org> Date: Tue, 17 Oct 2023 21:37:20 -0600 Message-ID: <53481.1697600240@cvs.openbsd.org> X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Tue, 17 Oct 2023 20:37:32 -0700 (PDT) Jeff Xu wrote: > In linux cases, I think, eventually, mseal() will have a bigger scope than > BSD's mimmutable(). I don't believe that, considering noone needed this behaviour from the VM system in the last 4 decades. > VMA's metadata(vm_area_struct) contains a lot > of control info, depending on application's needs, mseal() can be > expanded to seal individual control info. > For example, in madvice(2) case: > As Jann point out in [1] and I quote: > "you'd probably also want to block destructive madvise() operations > that can effectively alter region contents by discarding pages and > such, ..." Then prohibit madvise(MADV_FREE) on all non-writeable mappings that are immutable. Just include this in the set of behaviours. Or make it the default. Don't make it an option that a program needs to set on pages! Noone is going to call it. Most programs don't know the addresses of the *REGIONS* they would want to do this for. Does your program know where libc's text segment starts and ends? No your program does not know these addresses, so the parts of the 'system' which do know this needs to do it (which would be ld.so or the libc init constructors). If madvise(MADV_FREE) is so dangerous.. say you have a program that would call through abort(), but you know a zero there can make the abort not abort but return, then is it bad to let the attacker do: madvise(&abort, pagesize, MADV_FREE) If that is bad, then block it in a smart way! Don't make a programmer of an application figure out how to do this. That results in a defense methodology where a handful of programs self-protect, but everything else is unprotected or unprotectable. That is shortsighted. > Another example: if an application wants to keep a memory always > present in RAM, for whatever the reason, it can call seal the mlock(). Please explain the attack surface. > I think I explained the logic of using bitmasks in the mseal() > interface clearly with the example of madvice() and mlock(). It is clear as mud.