Date: Wed, 14 Feb 2024 17:41:43 +0100
From: Petr Tesařík
To: "H. Peter Anvin"
Cc: Dave Hansen, Petr Tesarik, Jonathan Corbet, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)", Andy Lutomirski, Oleg Nesterov, Peter Zijlstra, Xin Li, Arnd Bergmann, Andrew Morton, Rick Edgecombe, Kees Cook, "Masami Hiramatsu (Google)", Pengfei Xu, Josh Poimboeuf, Ze Gao, "Kirill A. Shutemov", Kai Huang, David Woodhouse, Brian Gerst, Jason Gunthorpe, Joerg Roedel, "Mike Rapoport (IBM)", Tina Zhang, Jacob Pan, "open list:DOCUMENTATION", open list, Roberto Sassu, Petr Tesarik
Subject: Re: [PATCH v1 0/8] x86_64 SandBox Mode arch hooks
Message-ID: <20240214174143.74a4f10c@meshulam.tesarici.cz>
In-Reply-To: <34B19756-91D3-4DA1-BE76-BD3122C16E95@zytor.com>
References: <20240214113516.2307-1-petrtesarik@huaweicloud.com> <34B19756-91D3-4DA1-BE76-BD3122C16E95@zytor.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 14 Feb 2024 07:28:35 -0800 "H. Peter Anvin" wrote:

> On February 14, 2024 6:52:53 AM PST, Dave Hansen wrote:
> >On 2/14/24 03:35, Petr Tesarik wrote:
> >> This patch series implements x86_64 arch hooks for the generic SandBox
> >> Mode infrastructure.
> >
> >I think I'm missing a bit of context here. What does one _do_ with
> >SandBox Mode? Why is it useful?
>
> Seriously. On the surface it looks like a really bad idea – basically an ad hoc, *more* privileged version of user space.

Hi hpa,

I agree that it kind of tries to do "user mode without user mode". There are some differences from actual user mode:

First, from a process management POV, sandbox mode appears to be running in kernel mode. So, there is no way to use ptrace(2), send malicious signals or otherwise interact with the sandbox. In fact, the process can have three independent contexts: user mode, kernel mode and sandbox mode.

Second, a sandbox can run unmodified kernel code and interact directly with other parts of the kernel. It's not really possible with this initial patch series, but the plan is that sandbox mode can share locks with the kernel.

Third, sandbox code can be trusted for operations like parsing keys for the trusted keychain if the kernel is locked down, i.e. when even a process with UID 0 is not on the same trust level as kernel mode.

HTH
Petr T