X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240415163527.626541-1-jeffxu@chromium.org> <20240415163527.626541-3-jeffxu@chromium.org>
From: Jann Horn
Date: Tue, 16 Apr 2024 17:17:56 +0200
Subject: Re: [PATCH v10 2/5] mseal: add mseal syscall
To: "Liam R. Howlett", akpm@linux-foundation.org, torvalds@linux-foundation.org, jeffxu@chromium.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, usama.anjum@collabora.com, corbet@lwn.net, surenb@google.com, merimus@google.com, rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org, deraadt@openbsd.org

On Tue, Apr 16, 2024 at 4:59 PM Liam R. Howlett wrote:
> * jeffxu@chromium.org [240415 12:35]:
> > From: Jeff Xu
> >
> > The new mseal() is a syscall on 64 bit CPU, and with
> > following signature:
> >
> > int mseal(void addr, size_t len, unsigned long flags)
> > addr/len: memory range.
> > flags: reserved.
[...]
> No per-vma change is checked prior to entering a per-vma modification
> loop today. This means that mseal() differs in behaviour in "up-front
> failure" vs "partial change failure" that exists in every other
> function.
>
> I'm not saying it's wrong or that it's right - I'm just wondering what
> the direction is here. Either we should do as much up-front as
> possible or keep with tradition and have (partial) success where
> possible.

FWIW, in the current version, I think ENOMEM can happen both in the
up-front check (for calling the syscall on unmapped ranges) as well as
in the later loop (for VMA splitting failure).

I think no matter what we do, a process that gets an error other than
ENOSYS from mseal() will probably not get much actionable information
from the return value... no matter whether sealing worked partly or
not at all, the process will have the same choice between either
exiting (if it treats sealing failure as a fatal error for security
reasons) or continuing as if the sealing had worked.
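
Added example, not part of the message above or of the mseal patch series: a caller-side wrapper that encodes the choice described in the reply, where ENOSYS is the only error handled separately and every other errno leads to the same exit-or-continue decision. The names seal_policy, seal_action, seal_decide and seal_range are hypothetical, and the fallback syscall number 462 is an assumption that holds for the x86-64 and generic syscall tables.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_mseal
#define __NR_mseal 462 /* assumption: x86-64 / generic syscall table */
#endif

enum seal_policy { SEAL_BEST_EFFORT, SEAL_REQUIRED };
enum seal_action { SEAL_OK, SEAL_UNSUPPORTED, SEAL_CONTINUE_UNSEALED, SEAL_ABORT };

/* Map an mseal() result to an action. ENOSYS means the kernel has no
 * mseal(). Any other errno (e.g. ENOMEM from the up-front range check or
 * from a VMA split in the loop) does not say whether part of the range
 * was sealed, so all of them are handled identically. */
static enum seal_action seal_decide(long ret, int err, enum seal_policy policy)
{
    if (ret == 0)
        return SEAL_OK;
    if (err == ENOSYS)
        return SEAL_UNSUPPORTED;
    return policy == SEAL_REQUIRED ? SEAL_ABORT : SEAL_CONTINUE_UNSEALED;
}

/* Seal [addr, addr+len); flags is reserved, so pass 0. */
static enum seal_action seal_range(void *addr, size_t len, enum seal_policy policy)
{
    errno = 0;
    long ret = syscall(__NR_mseal, addr, len, 0UL);
    return seal_decide(ret, errno, policy);
}

int main(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 1;
    switch (seal_range(p, len, SEAL_REQUIRED)) {
    case SEAL_OK:                puts("sealed"); break;
    case SEAL_UNSUPPORTED:       puts("kernel has no mseal()"); break;
    case SEAL_CONTINUE_UNSEALED: puts("continuing without seal"); break;
    case SEAL_ABORT:             fputs("sealing failed, exiting\n", stderr); return 1;
    }
    return 0;
}
```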