Received: by 2002:a05:7412:d1aa:b0:fc:a2b0:25d7 with SMTP id ba42csp2030518rdb; Wed, 31 Jan 2024 17:46:56 -0800 (PST) X-Google-Smtp-Source: AGHT+IF3JjXx+B5W8yOeCaSQuq3+QV+5fzfK+CvKYPOqsZFApoYHMFnq3vGmAe+r10TuvM+ZxNS+ X-Received: by 2002:a81:bd13:0:b0:603:ebf7:947b with SMTP id b19-20020a81bd13000000b00603ebf7947bmr3521380ywi.48.1706752015903; Wed, 31 Jan 2024 17:46:55 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706752015; cv=pass; d=google.com; s=arc-20160816; b=J9CSXPbBIVF8rnAsIrbduierfW1T0tBijki+CsrAsLsbNI5Qk++bsBupVcqgydE+wW HuKtKGsua/NcwetF5W6RxePQNv/wE6tjATJN6LwyqTABn0yWFJ0yaUbP1A99QlcLml5D 775aBqeFH6WvZyIz4q/uHV2ql1n6BFmC1cNIMpvgxSBDUjcmxxrpqTqLZEjLrRTrYyEh 6CObAbAqO+o7C+twszaeFdo3uBr6lD0QNIGzW075FUI5K+ktsbshT/a5tIde4/sY64Kw euDpUnXuB16EbJY/Dq7ufQTYXCTNhWDa0D5k/99P64DBXRz51CnaMzkRwqfX+VjgYXJB B9Tg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=message-id:date:content-id:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:comments:references:in-reply-to :subject:cc:to:from:dkim-signature; bh=X7Al4M1Z6wI/ZtgJXoj9ZY08fRoXIetDvk+F/GdrWqs=; fh=XDmbaImEMFh7cbmt/G+lMGGpWk+zkEdC1eKrfRxodWw=; b=f7TC47cATLiCjo9jqwfZZIoZwTPzU2v3FA8QJhDXHO0zUZVfGPDr5GJ557E9fyYSPU 4EWQcuQXT+aedU6M+WqwwGMH/UZzBcBLwTcjRa4as46t/+a9Re78Lwwinv5A0gCB+YwF l2eByVK8WXVEBTLC3O6aphjDUyJCHFKwLoSl18JTt5YYDXePtnhBbAEbsSLT9Fh/wjNW cIgic3ejz/ikyefheuCfwlP+X3BIP4L05CAgBhkKI8YR+joSRD9EFpFaoBoClHGD3U9D 41/cYDGS69+ARnDlDSeCU38e97rNzKmYNNKFX8TnBSOtG7QEUd3hCJVMXQRoJqDrCtVM Xs7Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@openbsd.org header.s=selector1 header.b="f/tYr+y7"; arc=pass (i=1 spf=pass spfdomain=openbsd.org dkim=pass dkdomain=openbsd.org); spf=pass (google.com: domain of linux-kernel+bounces-47514-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-47514-linux.lists.archive=gmail.com@vger.kernel.org" X-Forwarded-Encrypted: i=1; AJvYcCUfv12pRGx9x5LpplHiev37IDS0EfeoxpSCZck1dBR81IhOe/yJttbV6hiAkThKxV8Rm+l9hQVuzyPtQRLKdGc38352OeiOmB73qWUZkw== Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id e14-20020ac85dce000000b004298fc29799si13158517qtx.785.2024.01.31.17.46.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Jan 2024 17:46:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-47514-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@openbsd.org header.s=selector1 header.b="f/tYr+y7"; arc=pass (i=1 spf=pass spfdomain=openbsd.org dkim=pass dkdomain=openbsd.org); spf=pass (google.com: domain of linux-kernel+bounces-47514-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-47514-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 4EBA61C229B4 for ; Thu, 1 Feb 2024 01:46:55 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 43A794C75; Thu, 1 Feb 2024 01:46:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=openbsd.org header.i=@openbsd.org header.b="f/tYr+y7" Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 09DD24C60; Thu, 1 Feb 2024 01:46:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=199.185.137.3 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706752007; cv=none; b=hjKn6DIRHbWPDRj6azfsi2dqS+316TYMVIFDyxnVeuP/lHz1brACZHFL8X2XOfHdj0kOw9sD2vq3CKLNjhMDGtAocw64vWMydtnrLAQyNVKmFeskE3/xABtY1Kt7T24Il4LSOF/jO63nMJDLidU1zwSLTxZzQqP5of7c8/34wJM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706752007; c=relaxed/simple; bh=wFBz+k5fFVkfyImExH0Xqsk93XAwSQpXZbD4zCIYg2s=; h=From:To:cc:Subject:In-reply-to:References:MIME-Version: Content-Type:Date:Message-ID; b=J19DZeywM1U+YJRNdNPJCarMR6bxeDfK/3efwe49ElzHZeEt94/0r5wnaFxF1knd9stvDiZ7ODjNA/DgYm4qLH8eXaTDhKCfdRNTXa//JHZLUpdSYLFmvBSVtlCvuBDPVsu8eLlM/ljDoul89x1nBo0FAukRHppQK/rxlT87WVM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=openbsd.org; spf=pass smtp.mailfrom=openbsd.org; dkim=pass (2048-bit key) header.d=openbsd.org header.i=@openbsd.org header.b=f/tYr+y7; arc=none smtp.client-ip=199.185.137.3 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=openbsd.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=openbsd.org DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=selector1; bh=wFBz+k5fFV kfyImExH0Xqsk93XAwSQpXZbD4zCIYg2s=; h=date:references:in-reply-to: subject:cc:to:from; d=openbsd.org; b=f/tYr+y7eDPbWZOF+9LXCLUy2873vJZin cxDmTaOx+Po8NNOY2V+CYGljx5zXiq22sjo1o9/xcaBYwbtKGwpn8twXv67R3Ai4vnQ4ix 0XyP3Rd3wNm9nkGhtobf6PAbq581Np8LbmBq9TDiiUW6dQZd89eLUf25744aecF0ESRJMO CnzeKegKYHs/E+2tPoxHgc19gDJU27v11+fto+1w+T73Oli1/BMB3y2otDUFFgUM8gZfek tMvc1lr97CZMwNiIpuBPL3DiINXijpMN7TBpYukDQAOTDIm5PFlfIzVZ713HXnus/8+uUR 5MSMI/DLDp2p51hL4cf+U0zZyxCtA== Received: from cvs.openbsd.org (localhost [127.0.0.1]) by cvs.openbsd.org (OpenSMTPD) with ESMTP id a86ce6c1; Wed, 31 Jan 2024 18:46:38 -0700 (MST) From: "Theo de Raadt" To: Jeff Xu cc: "Liam R. Howlett" , Jonathan Corbet , akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, usama.anjum@collabora.com, rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org Subject: Re: [PATCH v8 0/4] Introduce mseal In-reply-to: References: <20240131175027.3287009-1-jeffxu@chromium.org> <20240131193411.opisg5yoyxkwoyil@revolver> Comments: In-reply-to Jeff Xu message dated "Wed, 31 Jan 2024 17:27:11 -0800." Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <37065.1706751997.1@cvs.openbsd.org> Date: Wed, 31 Jan 2024 18:46:37 -0700 Message-ID: <92663.1706751997@cvs.openbsd.org> Jeff Xu wrote: > I considered Theo's inputs from OpenBSD's perspective regarding the > difference, and I wasn't convinced that Linux should remove these. In > my view, those are two different kernels code, and the difference in > Linux is not added without reasons (for MAP_SEALABLE, there is a note > in the documentation section with details). That note is describing a fiction. > I would love to hear more from Linux developers on this. I'm not sure you are capable of listening. But I'll repeat for others to stop this train wreck: 1. When execve() maps a programs's .data section, does the kernel set MAP_SEALABLE on that region? Or does it not set MAP_SEALABLE? Does the kernel seal the .data section? It cannot, because of RELRO and IFUNCS. Do you know what those are? (like in OpenBSD) the kernel cannot and will *not* seal the .data section, it lets later code do that. 2. When execve() maps a programs's .bss section, does the kernel set MAP_SEALABLE on that region? Or does it not set MAP_SEALABLE? Does the kernel seal the .bss section? It cannot, because of RELRO and IFUNCS. Do you know what those are? (like in OpenBSD) the kernel cannot and will *not* seal the .bss section, it lets later code do that. In the proposed diff, the kernel does not set MAP_SEALABLE on those regions. How does a userland program seal the .data and .bss regions? It cannot. It is too late to set the MAP_SEALABLE, because the kernel already decided not do to it. So those regions cannot be sealed. 3. When execve() maps a programs's stack, does the kernel set MAP_SEALABLE on that region? Or does it not set MAP_SEALABLE? In the proposed diff, the kernel does not set MAP_SEALABLE. You think you can seal the stack in the kernel?? Sorry to be the bearer of bad news, but glibc has code which on occasion will mprotects the stack executable. But if userland decides that mprotect case won't occur -- how does a userland program seal its stack? It is now too late to set MAP_SEALABLE. So the stack must remain unsealed. 4. What about the text segment? 5. Do you know what a text-relocation is? They are now rare, but there are still compile/linker stages which will produce them, and there is software which requires that to work. It means userland fixes it's own .text, then calls mprotect. The kernel does not know if this will happen. 6. When execve() maps the .text segment, will it set MAP_SEALABLE? If it doesn't set it, userland cannot seal it's text after it makes the decision to do. You can continue to extrapolate those same points for all other segments of a static binary, all segments of a dynamic binary, all segments of the shared library linker. And then you can go further, and recognize the logic that will be needed in the shared library linker to *make the same decisions*. In each case, the *decision* to make a mapping happens in one piece of code, and the decision to use and NOW SEAL THAT MAPPING, happens in a different piece of code. The only answer to these problems will be to always set MAP_SEALABLE. To go through the entire Linux ecosystem, and change every call to mmap() to use this new MAP_SEALABLE flag, and it will look something like this: +#ifndef MAP_SEALABLE +#define MAP_SEALABLE 0 +#endif - ptr = mmap(...., MAP... - ptr = mmap(...., MAP_SEALABLE | MAP... Every single one of them, and you'll need to do it in the kernel. If you had spent a second trying to make this work in a second piece of software, you would have realized that the ONLY way this could work is by adding a flag with the opposite meaning: MAP_NOTSEALABLE But nothing will use that. I promise you > I would love to hear more from Linux developers on this. I'm not sure you are capable of listening.