Received: by 2002:a05:7412:251c:b0:e2:908c:2ebd with SMTP id w28csp1380616rda; Mon, 23 Oct 2023 10:43:38 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFZobOFj536kiIQrXom3tAZuNjdGMSDpa3mCDw4O+IdkstU16uj2YkU83dd5+BExgJqZ+sx X-Received: by 2002:a17:902:e810:b0:1ca:e78b:35dc with SMTP id u16-20020a170902e81000b001cae78b35dcmr2934079plg.27.1698083018426; Mon, 23 Oct 2023 10:43:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698083018; cv=none; d=google.com; s=arc-20160816; b=rUmF9GFMFN1CGbp3cwTtW+OlH5Qu/Y5EmIJGqsIEscEbivutXVNpFgWIGzn/IwClSH r1lMX/AYNFB9w7E0ampdbjVl8ztLrZ402Tlnzkr5YsAK671Ldm4EFEID/kI8hlpWCLZt LKtoBe3YTICgNS6urmGIW7ZLSpDYv3GMaFQCYUd+/bsEjubcgrecC7xD1z3TcycbW18R 4xjAmHIAzlQu33j2HqvQnKSo+oUrJY6tLxF7GX6e44IePopCDJZd5ywsGXqOSCQ48Dca 5k9JGx35gglPUsEqPpBqx2T/mNfIfcyy3LFgzMST0iv41eJ0/TSaNzPGx2QjnfNQRlG8 eVyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=bw5zQKp06M21UFu8ml4r7q055LQP16Jqvc/bc2xTyYM=; fh=9m/xvZ7Ynr7+QJFQuVgDv5UCAJneD9xdWA8PIEWLjG0=; b=NTSJOJOZm/tubtHtofbHX5MVV4A/45AnQo5CsZJ1xSxKoN7osXuXtLbrXMauN1pnbq JfLj+bS2A1i+HDap8TaW+lPnvhugLzCcihGkrOCdwPQS4l4UGP+OlTlsIvj3tDs0pete 7oCPHbRSijlcHT4joGIafqsrxtn90h1IOAKtIMDpAuJ0G9INPKLV+yuIa8OFFYDMzzfh C9emfEoQHYB/KmVDuRfRGxGBVToc+lznrSiNVIO3sKVt1bMAjVEErNSq3L6CxRLQuqgW hlqksSxr0sgrgVZHfFuO9ZDAexOB+z9tJnjHCQ4ryDopBzGNz2IWTLLsM+OzHJzc69ZL u0zQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=jP2SUTiv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id l6-20020a170902f68600b001ca86a9caa9si6925011plg.582.2023.10.23.10.43.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 Oct 2023 10:43:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=jP2SUTiv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 82CD28033199; Mon, 23 Oct 2023 10:43:35 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233780AbjJWRnT (ORCPT + 99 others); Mon, 23 Oct 2023 13:43:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39316 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233760AbjJWRnQ (ORCPT ); Mon, 23 Oct 2023 13:43:16 -0400 Received: from mail-oa1-x2e.google.com (mail-oa1-x2e.google.com [IPv6:2001:4860:4864:20::2e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 544BBD7D for ; Mon, 23 Oct 2023 10:43:13 -0700 (PDT) Received: by mail-oa1-x2e.google.com with SMTP id 586e51a60fabf-1e9d3cc6e7aso2476356fac.2 for ; Mon, 23 Oct 2023 10:43:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1698082991; x=1698687791; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=bw5zQKp06M21UFu8ml4r7q055LQP16Jqvc/bc2xTyYM=; b=jP2SUTivaPPJKbyfVNTEkeB6BIOZZmfuB9elArgHzop1qTls73CY44uqW9EXCdBe51 j9S8d2z7gs8H6KEdNi8pPWe+SJlxenzyDLfNBXhWp1t+FwB9Hx04aG1E1K2x6IRqX90P qtmlW1PXVuO/DBT/DHVWvl0A0Oah/Qprpg6mo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698082991; x=1698687791; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bw5zQKp06M21UFu8ml4r7q055LQP16Jqvc/bc2xTyYM=; b=KtvtYJByx+1WYR9l7O1PvsIiBNEBEs3tObDv/UqVMjm80PobWLmskivzFf8U+oxg9K 0QeTZ89X6spRZomgQSUn88hC76BDbauvFKh9GhxbWiSSRZIZRSdcWrCBYnSD452tmSDY oENWRJsCaSi/sN7QjidTN5KPaYCPyA9yT/JNfpLOVr8kH88wOYAlCAgKdZwLRMMQQ6VO /QQZF4oHwAE07cO6pi/KdeRkjYrEBehhHyGiVeklAYCK6jp7LgKU7ZWoygUQK/O2DcT5 xBBH9AgMRH8AwVjIUvyGuQokEl+gU4tnIZBZ0qGfraJ9Xe/0gEb3DnCuzQH+6HHvPqfO 4mbA== X-Gm-Message-State: AOJu0YwAOQRaunU7huqGohBk6odDUCMA+j3aHIYYsstoFMEymNuzKGt8 6XIx1SKEdYturpWF/s64OlPoHZLTsqMdk3IAwF+6ag== X-Received: by 2002:a05:6870:610b:b0:1e9:8b78:899c with SMTP id s11-20020a056870610b00b001e98b78899cmr11960747oae.55.1698082991197; Mon, 23 Oct 2023 10:43:11 -0700 (PDT) MIME-Version: 1.0 References: <20231016143828.647848-1-jeffxu@chromium.org> In-Reply-To: From: Jeff Xu Date: Mon, 23 Oct 2023 10:42:59 -0700 Message-ID: Subject: Re: [RFC PATCH v1 0/8] Introduce mseal() syscall To: Pedro Falcato Cc: Jeff Xu , Matthew Wilcox , akpm@linux-foundation.org, keescook@chromium.org, sroettger@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com, surenb@google.com, alex.sierra@amd.com, apopple@nvidia.com, aneesh.kumar@linux.ibm.com, axelrasmussen@google.com, ben@decadent.org.uk, catalin.marinas@arm.com, david@redhat.com, dwmw@amazon.co.uk, ying.huang@intel.com, hughd@google.com, joey.gouly@arm.com, corbet@lwn.net, wangkefeng.wang@huawei.com, Liam.Howlett@oracle.com, torvalds@linux-foundation.org, lstoakes@gmail.com, mawupeng1@huawei.com, linmiaohe@huawei.com, namit@vmware.com, peterx@redhat.com, peterz@infradead.org, ryan.roberts@arm.com, shr@devkernel.io, vbabka@suse.cz, xiujianfeng@huawei.com, yu.ma@intel.com, zhangpeng362@huawei.com, dave.hansen@intel.com, luto@kernel.org, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Mon, 23 Oct 2023 10:43:35 -0700 (PDT) On Thu, Oct 19, 2023 at 3:47=E2=80=AFPM Pedro Falcato wrote: > > On Thu, Oct 19, 2023 at 6:30=E2=80=AFPM Jeff Xu wrote= : > > > > Hi Pedro > > > > Some followup on mmap() + mprotect(): > > > > On Wed, Oct 18, 2023 at 11:20=E2=80=AFAM Jeff Xu wr= ote: > > > > > > On Tue, Oct 17, 2023 at 3:35=E2=80=AFPM Pedro Falcato wrote: > > > > > > > > > > > > > > > > I think it's worth pointing out that this suggestion (with PROT= _*) > > > > > > could easily integrate with mmap() and as such allow for one-sh= ot > > > > > > mmap() + mseal(). > > > > > > If we consider the common case as 'addr =3D mmap(...); mseal(ad= dr);', it > > > > > > definitely sounds like a performance win as we halve the number= of > > > > > > syscalls for a sealed mapping. And if we trivially look at e.g = OpenBSD > > > > > > ld.so code, mmap() + mimmutable() and mprotect() + mimmutable()= seem > > > > > > like common patterns. > > > > > > > > > > > Yes. mmap() can support sealing as well, and memory is allocated = as > > > > > immutable from begining. > > > > > This is orthogonal to mseal() though. > > > > > > > > I don't see how this can be orthogonal to mseal(). > > > > In the case we opt for adding PROT_ bits, we should more or less on= ly > > > > need to adapt calc_vm_prot_bits(), and the rest should work without > > > > issues. > > > > vma merging won't merge vmas with different prots. The current > > > > interfaces (mmap and mprotect) would work just fine. > > > > In this case, mseal() or mimmutable() would only be needed if you n= eed > > > > to set immutability over a range of VMAs with different permissions= . > > > > > > > Agreed. By orthogonal, I meant we can have two APIs: > > > mmap() and mseal()/mprotect() > > > i.e. we can't just rely on mmap() only without mseal()/mprotect()/mim= mutable(). > > > Sealing can be applied after initial memory creation. > > > > > > > Note: modifications should look kinda like this: https://godbolt.or= g/z/Tbjjd14Pe > > > > The only annoying wrench in my plans here is that we have effective= ly > > > > run out of vm_flags bits in 32-bit architectures, so this approach = as > > > > I described is not compatible with 32-bit. > > > > > > > > > In case of ld.so, iiuc, memory can be first allocated as W, then = later > > > > > changed to RO, for example, during symbol resolution. > > > > > The important point is that the application can decide what type = of > > > > > sealing it wants, and when to apply it. There needs to be an api= (), > > > > > that can be mseal() or mprotect2() or mimmutable(), the naming is= not > > > > > important to me. > > > > > > > > > > mprotect() in linux have the following signature: > > > > > int mprotect(void addr[.len], size_t len, int prot); > > > > > the prot bitmasks are all taken here. > > > > > I have not checked the prot field in mmap(), there might be bits = left, > > > > > even not, we could have mmap2(), so that is not an issue. > > > > > > > > I don't see what you mean. We have plenty of prot bits left (32-bit= s, > > > > and we seem to have around 8 different bits used). > > > > And even if we didn't, prot is the same in mprotect and mmap and mm= ap2 :) > > > > > > > > The only issue seems to be that 32-bit ran out of vm_flags, but tha= t > > > > can probably be worked around if need be. > > > > > > > Ah, you are right about this. vm_flags is full, and prot in mprotect(= ) is not. > > > Apology that I was wrong previously and caused confusion. > > > > > > There is a slight difference in the syntax of mprotect and mseal. > > > Each time when mprotect() is called, the kernel takes all of RWX bits > > > and updates vm_flags, > > > In other words, the application sets/unset each RWX, and kernel takes= it. > > > > > > In the mseal() case, the kernel will remember which seal types were > > > applied previously, and the application doesn=E2=80=99t need to repea= t all > > > existing seal types in the next mseal(). Once a seal type is applied= , > > > it can=E2=80=99t be unsealed. > > > > > > So if we want to use mprotect() for sealing, developers need to think > > > of sealing bits differently than the rest of prot bits. It is a > > > different programming model, might or might not be an obvious concept > > > to developers. > > > > > This probably doesn't matter much to developers. > > We can enforce the sealing bit to be the same as the rest of PROT bits. > > If mprotect() tries to unset sealing, it will fail. > > Yep. Erroneous or malicious mprotects would all be caught. However, if > we add a PROT_DOWNGRADEABLE (that could let you, lets say, mprotect() > to less permissions or even downright munmap()) you'd want some care > to preserve that bit when setting permissions. > > > > > > There is a difference in input check and error handling as well. > > > for mseal(), if a given address range has a gap (unallocated memory), > > > or if one of VMA is sealed with MM_SEAL_SEAL flag, none of VMAs is > > > updated. > > > For mprotect(), some VMAs can be updated, till an error happens to a = VMA. > > > > > This difference doesn't matter much. > > > > For mprotect()/mmap(), is Linux implementation limited by POSIX ? > > No. POSIX works merely as a baseline that UNIX systems aim towards. > You can (and very frequently do) extend POSIX interfaces (in fact, > it's how most of POSIX was written, through sheer > "design-by-committee" on a bunch of UNIX systems' extensions). > > > This can be made backward compatible. > > If there is no objection to adding linux specific values in mmap() and > > mprotect(), > > This works for me. > > Linux already has system-specific values for PROT_ (PROT_BTI, > PROT_MTE, PROT_GROWSUP, PROT_GROWSDOWN, etc). > Whether this is the right interface is another question. I do like it > a lot, but there's of course value in being compatible with existing > solutions (like mimmutable()). > Thanks Pedro for providing examples on mm extension to POSIX. This opens more design options on solving the sealing problem. I will take a few days to research design options. -Jeff > -- > Pedro