Date: Tue, 14 May 2024 16:01:50 -0700
From: Andrew Morton
To: "Theo de Raadt"
Cc: Matthew Wilcox, Jonathan Corbet, jeffxu@chromium.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, usama.anjum@collabora.com, Liam.Howlett@oracle.com, surenb@google.com, merimus@google.com, rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v10 0/5] Introduce mseal

On Tue, 14 May 2024 16:48:47 -0600 "Theo de Raadt" wrote:

> Matthew Wilcox wrote:
>
> > > Not taking a position on merging, but I have to ask: are we convinced at
> > > this point that mseal() isn't a chrome-only system call?  Did we ever
> > > see the glibc patches that were promised?
> >
> > I think _this_ version of mseal() is OpenBSD's mimmutable() with a
> > basically unused extra 'flags' argument.  As such, we have an existence
> > proof that it's useful beyond Chrome.
>
> Yes, it is close enough.
>
> > I think Liam still had concerns around the
> > walk-the-vmas-twice-to-error-out-early part of the implementation?
> > Although we can always fix the implementation later; changing the API
> > is hard.
>
> Yes I am a bit worried about the point Liam brings up -- we've discussed
> it privately at length.  Matthew, to keep it short I have a different
> viewpoint:
>
> Some of the Linux m* system calls have non-conforming, partial-work-then-return-error
> behaviour.  I cannot find anything like this in any system call in any other
> operating system, and I believe there is a de facto rule against doing this, and
> Linux has an optimization which violates this, and I think it could be fixed
> with fairly minor expense, and can't imagine it affecting a single application.

Thanks.

> I worry that the non-atomicity will one day be used by an attacker.

How might an attacker exploit this?
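
The partial-work-then-return-error behaviour discussed in this message, shown as an added example that is not part of the thread or of the mseal patches. It uses mprotect(2) as one instance of a Linux m* call and assumes a Linux kernel; the struct and function names are this example's own.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Probe writability without taking a fault: the kernel's copy into *p fails
 * with EFAULT when the page is not writable. Returns 1, 0, or -1 on error. */
static int page_writable(void *p)
{
    int fds[2], ok = -1;
    char byte = 'x';
    if (pipe(fds) < 0)
        return -1;
    if (write(fds[1], &byte, 1) == 1)
        ok = (read(fds[0], p, 1) == 1);
    close(fds[0]);
    close(fds[1]);
    return ok;
}

struct outcome { int rc, err, first_writable, last_writable; };

/* Map three pages, unmap the middle one, then ask for the whole range
 * to become read-only with a single mprotect() call. */
struct outcome mprotect_across_hole(void)
{
    struct outcome o = { 0, 0, -1, -1 };
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 3 * pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED || munmap(base + pg, pg) < 0) {
        o.rc = -2;                      /* setup failed, nothing was tested */
        return o;
    }
    errno = 0;
    o.rc = mprotect(base, 3 * pg, PROT_READ);        /* fails at the hole */
    o.err = errno;
    o.first_writable = page_writable(base);          /* 0: already changed */
    o.last_writable = page_writable(base + 2 * pg);  /* 1: never reached */
    munmap(base, pg);
    munmap(base + 2 * pg, pg);
    return o;
}

int main(void)
{
    struct outcome o = mprotect_across_hole();
    printf("rc=%d errno=%d first=%d last=%d\n", o.rc, o.err, o.first_writable, o.last_writable);
    return 0;
}
```

The call reports failure with ENOMEM, yet the first page has already lost write permission while the last page is untouched, so a caller cannot treat the error as "nothing happened".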