From: Jeff Xu
Date: Wed, 18 Oct 2023 11:54:22 -0700
Subject: Re: [RFC PATCH v1 0/8] Introduce mseal() syscall
To: Matthew Wilcox
Cc: Theo de Raadt, Linus Torvalds, jeffxu@chromium.org,
 akpm@linux-foundation.org, keescook@chromium.org, sroettger@google.com,
 jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org,
 linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com,
 surenb@google.com, alex.sierra@amd.com, apopple@nvidia.com,
 aneesh.kumar@linux.ibm.com, axelrasmussen@google.com, ben@decadent.org.uk,
 catalin.marinas@arm.com, david@redhat.com, dwmw@amazon.co.uk,
 ying.huang@intel.com, hughd@google.com, joey.gouly@arm.com, corbet@lwn.net,
 wangkefeng.wang@huawei.com, Liam.Howlett@oracle.com, lstoakes@gmail.com,
 mawupeng1@huawei.com, linmiaohe@huawei.com, namit@vmware.com,
 peterx@redhat.com, peterz@infradead.org, ryan.roberts@arm.com,
 shr@devkernel.io, vbabka@suse.cz, xiujianfeng@huawei.com, yu.ma@intel.com,
 zhangpeng362@huawei.com, dave.hansen@intel.com, luto@kernel.org,
 linux-hardening@vger.kernel.org
References: <20231016143828.647848-1-jeffxu@chromium.org>
 <55960.1697566804@cvs.openbsd.org> <95482.1697587015@cvs.openbsd.org>

On Wed, Oct 18, 2023 at 8:17 AM Matthew Wilcox wrote:
>
> Let's start with the purpose. The point of mimmutable/mseal/whatever is
> to fix the mapping of an address range to its underlying object, be it
> a particular file mapping or anonymous memory. After the call succeeds,
> it must not be possible to make any address in that virtual range point
> into any other object.
>
> The secondary purpose is to lock down permissions on that range.
> Possibly to fix them where they are, possibly to allow RW->RO transitions.
>
> With those purposes in mind, you should be able to deduce for any syscall
> or any madvise(), ... whether it should be allowed.
>
I got it.

IMO: The approaches mimmutable() and mseal() took are different, but
we all want to seal the memory from attackers and make the linux
application safer.

mimmutable() started with "none of updates to the sealed address is
allowed once marked as immutable", this includes from within kernel space
including driver, or any new syscalls. It is reasonable to me.

mseal() starts with 4 syscalls from userspace, which is just a way (among
many other ways) to demo what memory operation can be sealed, which
happens to meet what Chrome wants.

This is an RFC, I appreciate your input.

Best regards,
-Jeff