Received: by 2002:a05:7412:d1aa:b0:fc:a2b0:25d7 with SMTP id ba42csp2030518rdb;
        Wed, 31 Jan 2024 17:46:56 -0800 (PST)
X-Google-Smtp-Source: AGHT+IF3JjXx+B5W8yOeCaSQuq3+QV+5fzfK+CvKYPOqsZFApoYHMFnq3vGmAe+r10TuvM+ZxNS+
X-Received: by 2002:a81:bd13:0:b0:603:ebf7:947b with SMTP id b19-20020a81bd13000000b00603ebf7947bmr3521380ywi.48.1706752015903;
        Wed, 31 Jan 2024 17:46:55 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706752015; cv=pass;
        d=google.com; s=arc-20160816;
        b=J9CSXPbBIVF8rnAsIrbduierfW1T0tBijki+CsrAsLsbNI5Qk++bsBupVcqgydE+wW
         HuKtKGsua/NcwetF5W6RxePQNv/wE6tjATJN6LwyqTABn0yWFJ0yaUbP1A99QlcLml5D
         775aBqeFH6WvZyIz4q/uHV2ql1n6BFmC1cNIMpvgxSBDUjcmxxrpqTqLZEjLrRTrYyEh
         6CObAbAqO+o7C+twszaeFdo3uBr6lD0QNIGzW075FUI5K+ktsbshT/a5tIde4/sY64Kw
         euDpUnXuB16EbJY/Dq7ufQTYXCTNhWDa0D5k/99P64DBXRz51CnaMzkRwqfX+VjgYXJB
         B9Tg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=message-id:date:content-id:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:comments:references:in-reply-to
         :subject:cc:to:from:dkim-signature;
        bh=X7Al4M1Z6wI/ZtgJXoj9ZY08fRoXIetDvk+F/GdrWqs=;
        fh=XDmbaImEMFh7cbmt/G+lMGGpWk+zkEdC1eKrfRxodWw=;
        b=f7TC47cATLiCjo9jqwfZZIoZwTPzU2v3FA8QJhDXHO0zUZVfGPDr5GJ557E9fyYSPU
         4EWQcuQXT+aedU6M+WqwwGMH/UZzBcBLwTcjRa4as46t/+a9Re78Lwwinv5A0gCB+YwF
         l2eByVK8WXVEBTLC3O6aphjDUyJCHFKwLoSl18JTt5YYDXePtnhBbAEbsSLT9Fh/wjNW
         cIgic3ejz/ikyefheuCfwlP+X3BIP4L05CAgBhkKI8YR+joSRD9EFpFaoBoClHGD3U9D
         41/cYDGS69+ARnDlDSeCU38e97rNzKmYNNKFX8TnBSOtG7QEUd3hCJVMXQRoJqDrCtVM
         Xs7Q==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@openbsd.org header.s=selector1 header.b="f/tYr+y7";
       arc=pass (i=1 spf=pass spfdomain=openbsd.org dkim=pass dkdomain=openbsd.org);
       spf=pass (google.com: domain of linux-kernel+bounces-47514-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-47514-linux.lists.archive=gmail.com@vger.kernel.org"
X-Forwarded-Encrypted: i=1; AJvYcCUfv12pRGx9x5LpplHiev37IDS0EfeoxpSCZck1dBR81IhOe/yJttbV6hiAkThKxV8Rm+l9hQVuzyPtQRLKdGc38352OeiOmB73qWUZkw==
Return-Path: <linux-kernel+bounces-47514-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id e14-20020ac85dce000000b004298fc29799si13158517qtx.785.2024.01.31.17.46.55
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 31 Jan 2024 17:46:55 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-47514-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@openbsd.org header.s=selector1 header.b="f/tYr+y7";
       arc=pass (i=1 spf=pass spfdomain=openbsd.org dkim=pass dkdomain=openbsd.org);
       spf=pass (google.com: domain of linux-kernel+bounces-47514-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-47514-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 4EBA61C229B4
	for <linux.lists.archive@gmail.com>; Thu,  1 Feb 2024 01:46:55 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 43A794C75;
	Thu,  1 Feb 2024 01:46:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=openbsd.org header.i=@openbsd.org header.b="f/tYr+y7"
Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 09DD24C60;
	Thu,  1 Feb 2024 01:46:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=199.185.137.3
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1706752007; cv=none; b=hjKn6DIRHbWPDRj6azfsi2dqS+316TYMVIFDyxnVeuP/lHz1brACZHFL8X2XOfHdj0kOw9sD2vq3CKLNjhMDGtAocw64vWMydtnrLAQyNVKmFeskE3/xABtY1Kt7T24Il4LSOF/jO63nMJDLidU1zwSLTxZzQqP5of7c8/34wJM=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1706752007; c=relaxed/simple;
	bh=wFBz+k5fFVkfyImExH0Xqsk93XAwSQpXZbD4zCIYg2s=;
	h=From:To:cc:Subject:In-reply-to:References:MIME-Version:
	 Content-Type:Date:Message-ID; b=J19DZeywM1U+YJRNdNPJCarMR6bxeDfK/3efwe49ElzHZeEt94/0r5wnaFxF1knd9stvDiZ7ODjNA/DgYm4qLH8eXaTDhKCfdRNTXa//JHZLUpdSYLFmvBSVtlCvuBDPVsu8eLlM/ljDoul89x1nBo0FAukRHppQK/rxlT87WVM=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=openbsd.org; spf=pass smtp.mailfrom=openbsd.org; dkim=pass (2048-bit key) header.d=openbsd.org header.i=@openbsd.org header.b=f/tYr+y7; arc=none smtp.client-ip=199.185.137.3
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=openbsd.org
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=openbsd.org
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=selector1; bh=wFBz+k5fFV
	kfyImExH0Xqsk93XAwSQpXZbD4zCIYg2s=; h=date:references:in-reply-to:
	subject:cc:to:from; d=openbsd.org; b=f/tYr+y7eDPbWZOF+9LXCLUy2873vJZin
	cxDmTaOx+Po8NNOY2V+CYGljx5zXiq22sjo1o9/xcaBYwbtKGwpn8twXv67R3Ai4vnQ4ix
	0XyP3Rd3wNm9nkGhtobf6PAbq581Np8LbmBq9TDiiUW6dQZd89eLUf25744aecF0ESRJMO
	CnzeKegKYHs/E+2tPoxHgc19gDJU27v11+fto+1w+T73Oli1/BMB3y2otDUFFgUM8gZfek
	tMvc1lr97CZMwNiIpuBPL3DiINXijpMN7TBpYukDQAOTDIm5PFlfIzVZ713HXnus/8+uUR
	5MSMI/DLDp2p51hL4cf+U0zZyxCtA==
Received: from cvs.openbsd.org (localhost [127.0.0.1])
	by cvs.openbsd.org (OpenSMTPD) with ESMTP id a86ce6c1;
	Wed, 31 Jan 2024 18:46:38 -0700 (MST)
From: "Theo de Raadt" <deraadt@openbsd.org>
To: Jeff Xu <jeffxu@chromium.org>
cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>,
    Jonathan Corbet <corbet@lwn.net>, akpm@linux-foundation.org,
    keescook@chromium.org, jannh@google.com, sroettger@google.com,
    willy@infradead.org, gregkh@linuxfoundation.org,
    torvalds@linux-foundation.org, usama.anjum@collabora.com,
    rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org,
    groeck@chromium.org, linux-kernel@vger.kernel.org,
    linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
    pedro.falcato@gmail.com, dave.hansen@intel.com,
    linux-hardening@vger.kernel.org
Subject: Re: [PATCH v8 0/4] Introduce mseal
In-reply-to: <CABi2SkXOX4SRMs0y8FYccoj+XrEiPCJk2seqT+sgO7Na7NWwLg@mail.gmail.com>
References: <20240131175027.3287009-1-jeffxu@chromium.org> <20240131193411.opisg5yoyxkwoyil@revolver> <CABi2SkXOX4SRMs0y8FYccoj+XrEiPCJk2seqT+sgO7Na7NWwLg@mail.gmail.com>
Comments: In-reply-to Jeff Xu <jeffxu@chromium.org>
   message dated "Wed, 31 Jan 2024 17:27:11 -0800."
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <37065.1706751997.1@cvs.openbsd.org>
Date: Wed, 31 Jan 2024 18:46:37 -0700
Message-ID: <92663.1706751997@cvs.openbsd.org>

Jeff Xu <jeffxu@chromium.org> wrote:

> I considered Theo's inputs from OpenBSD's perspective regarding the
> difference, and I wasn't convinced that Linux should remove these. In
> my view, those are two different kernels code, and the difference in
> Linux is not added without reasons (for MAP_SEALABLE, there is a note
> in the documentation section with details).

That note is describing a fiction.

> I would love to hear more from Linux developers on this.

I'm not sure you are capable of listening.

But I'll repeat for others to stop this train wreck:


1. When execve() maps a programs's .data section, does the kernel set
   MAP_SEALABLE on that region?  Or does it not set MAP_SEALABLE?

   Does the kernel seal the .data section?  It cannot, because of RELRO
   and IFUNCS.  Do you know what those are?  (like in OpenBSD) the kernel
   cannot and will *not* seal the .data section, it lets later code do that.

2. When execve() maps a programs's .bss section, does the kernel set
   MAP_SEALABLE on that region?  Or does it not set MAP_SEALABLE?

   Does the kernel seal the .bss section?  It cannot, because of RELRO
   and IFUNCS.  Do you know what those are?  (like in OpenBSD) the kernel
   cannot and will *not* seal the .bss section, it lets later code do that.

In the proposed diff, the kernel does not set MAP_SEALABLE on those
regions.

How does a userland program seal the .data and .bss regions?

It cannot.  It is too late to set the MAP_SEALABLE, because the kernel
already decided not do to it.

So those regions cannot be sealed.

3. When execve() maps a programs's stack, does the kernel set
   MAP_SEALABLE on that region?  Or does it not set MAP_SEALABLE?

In the proposed diff, the kernel does not set MAP_SEALABLE.

You think you can seal the stack in the kernel??  Sorry to be the bearer
of bad news, but glibc has code which on occasion will mprotects the
stack executable.

But if userland decides that mprotect case won't occur -- how does a
userland program seal its stack?  It is now too late to set MAP_SEALABLE.

So the stack must remain unsealed.

4. What about the text segment?

5. Do you know what a text-relocation is?  They are now rare, but there
   are still compile/linker stages which will produce them, and there is
   software which requires that to work.  It means userland fixes it's
   own .text, then calls mprotect.  The kernel does not know if this will
   happen.

6. When execve() maps the .text segment, will it set MAP_SEALABLE?

If it doesn't set it, userland cannot seal it's text after it makes the
decision to do.


You can continue to extrapolate those same points for all other segments
of a static binary, all segments of a dynamic binary, all segments of the
shared library linker.

And then you can go further, and recognize the logic that will be needed
in the shared library linker to *make the same decisions*.

In each case, the *decision* to make a mapping happens in one piece of
code, and the decision to use and NOW SEAL THAT MAPPING, happens in a
different piece of code.


The only answer to these problems will be to always set MAP_SEALABLE.
To go through the entire Linux ecosystem, and change every call to mmap()
to use this new MAP_SEALABLE flag, and it will look something like this:

+#ifndef MAP_SEALABLE
+#define MAP_SEALABLE 0
+#endif
-	ptr = mmap(...., MAP...
-	ptr = mmap(...., MAP_SEALABLE | MAP...

Every single one of them, and you'll need to do it in the kernel.




If you had spent a second trying to make this work in a second piece of
software, you would have realized that the ONLY way this could work
is by adding a flag with the opposite meaning:

   MAP_NOTSEALABLE

But nothing will use that.  I promise you


> I would love to hear more from Linux developers on this.

I'm not sure you are capable of listening.