From: Kees Cook <keescook@google.com>
To: Igor Stoppa <igor.stoppa@huawei.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Michal Hocko <mhocko@kernel.org>,
Dave Hansen <dave.hansen@intel.com>,
Laura Abbott <labbott@redhat.com>, Linux-MM <linux-mm@kvack.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>,
Daniel Micay <danielmicay@gmail.com>,
Greg KH <gregkh@linuxfoundation.org>,
James Morris <james.l.morris@oracle.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH 1/1] Sealable memory support
Date: Sun, 28 May 2017 11:23:02 -0700 [thread overview]
Message-ID: <CAGXu5jKEmEzAFssmBu2=kJvXikTZ12CF4f8gQy+7UBh8F24PAw@mail.gmail.com> (raw)
In-Reply-To: <138740ab-ba0b-053c-d5b9-a71d6a5c7187@huawei.com>
On Wed, May 24, 2017 at 10:45 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
> On 23/05/17 23:11, Kees Cook wrote:
>> On Tue, May 23, 2017 at 2:43 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
>> I meant this:
>>
>> CPU 1 CPU 2
>> create
>> alloc
>> write
>> seal
>> ...
>> unseal
>> write
>> write
>> seal
>>
>> The CPU 2 write would be, for example, an attacker using a
>> vulnerability to attempt to write to memory in the sealed area. All it
>> would need to do to succeed would be to trigger an action in the
>> kernel that would do a "legitimate" write (which requires the unseal),
>> and race it. Unsealing should be CPU-local, if the API is going to
>> support this kind of access.
>
> I see.
> If the CPU1 were to forcibly halt anything that can race with it, then
> it would be sure that there was no interference.
Correct. This is actually what ARM does for doing kernel memory
writing when poking stuff for kprobes, etc. It's rather dramatic,
though. :)
> A reactive approach could be, instead, to re-validate the content after
> the sealing, assuming that it is possible.
I would prefer to avoid this, as that allows an attacker to still have
made the changes (which could even result in them then disabling the
re-validation during the attack).
>> I am more concerned about _any_ unseal after initial seal. And even
>> then, it'd be nice to keep things CPU-local. My concerns are related
>> to the write-rarely proposal (https://lkml.org/lkml/2017/3/29/704)
>> which is kind of like this, but focused on the .data section, not
>> dynamic memory. It has similar concerns about CPU-locality.
>> Additionally, even writing to memory and then making it read-only
>> later runs risks (see threads about BPF JIT races vs making things
>> read-only: https://patchwork.kernel.org/patch/9662653/ Alexei's NAK
>> doesn't change the risk this series is fixing: races with attacker
>> writes during assignment but before read-only marking).
>
> If you are talking about an attacker, rather than protection against
> accidental overwrites, how hashing can be enough?
> Couldn't the attacker compromise that too?
In theory, yes, though the goal was to dedicate a register to the
hash, which would make it hard/impossible for an attacker to reach.
(The BPF JIT situation is just an example of this kind of race,
though. I'm still in favor of reducing the write window to init-time
from full run-time.)
>> So, while smalloc would hugely reduce the window an attacker has
>> available to change data contents, this API doesn't eliminate it. (To
>> eliminate it, there would need to be a CPU-local page permission view
>> that let only the current CPU to the page, and then restore it to
>> read-only to match the global read-only view.)
>
> That or, if one is ready to take the hit, freeze every other possible
> attack vector. But I'm not sure this could be justifiable.
I would expect other people would NAK using "stop all other CPUs"
approach. Better to have the CPU-local writes.
>> Ah! In that case, sure. This isn't what the proposed API provided,
>> though, so let's adjust it to only perform the unseal at destroy time.
>> That makes it much saner, IMO. "Write once" dynamic allocations, or
>> "read-only after seal". woalloc? :P yay naming
>
> For now I'm still using smalloc.
> Anything that is either [x]malloc or [yz]malloc is fine, lengthwise.
> Other options might require some re-formatting.
Yeah, I don't have any better idea for names. :)
>> Ah, okay. Most of the LSM is happily covered by __ro_after_init. If we
>> could just drop the runtime disabling of SELinux, we'd be fine.
>
> I am not sure I understand this point.
> If the kernel is properly configured, the master toggle variable
> disappears, right?
> Or do you mean the disabling through modifications of the linked list of
> the hooks?
We might be talking past each-other. Right now, the LSM is marked with
__ro_after_init, which will make all the list structures, entries, etc
read-only already. There is one case where this is not true, and
that's for CONFIG_SECURITY_WRITABLE_HOOKS for
CONFIG_SECURITY_SELINUX_DISABLE, which wants to do run-time removal of
SELinux. Are you talking about the SELinux policy installed during
early boot? Which things did you want to use smalloc() on?
>> It seems like smalloc pools could also be refcounted?
>
> I am not sure what you mean.
> What do you want to count?
> Number of pools? Nodes per pool? Allocations per node?
I meant things that point into an smalloc() pool could keep a refcount
and when nothing was pointing into it, it could be destroyed. (i.e.
using refcount garbage collection instead of explicit destruction.)
> And what for?
It might be easier to reason about later if allocations get complex.
It's certainly not required for the first version of this.
> At least in the case of tearing down a pool, when a module is unloaded,
> nobody needs to free anything that was allocated with smalloc.
> The teardown function will free the pages from each node.
Right, yeah.
>>>>> +#define NODE_HEADER \
>>>>> + struct { \
>>>>> + __SMALLOC_ALIGNED__ struct { \
>>>>> + struct list_head list; \
>>>>> + align_t *free; \
>>>>> + unsigned long available_words; \
>>>>> + }; \
>>>>> + }
>>>
>>> Does this look ok? ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> It's probably a sufficient starting point, depending on how the API
>> shakes out. Without unseal-write-seal properties, I case much less
>> about redzoning, etc.
>
> ok, but my question (I am not sure if it was clear) was about the use of
> a macro for the nameless structure that contains the header.
I don't really have an opinion on this. It might be more readable with
a named structure?
> One more thing: how should I tie this allocator to the rest?
> I have verified that is seems to work with both SLUB and SLAB.
> Can I make it depend on either of them being enabled?
It seems totally unrelated. The only relationship I see would be
interaction with hardened usercopy. In a perfect world, none of the
smalloc pools would be allowed to be copied to/from userspace, which
would make integration really easy: if smalloc_pool(ptr) return NOPE;
:P
> Should it be optionally enabled?
> What to default to, if it's not enabled? vmalloc?
I don't see any reason to make it optional.
-Kees
--
Kees Cook
Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@google.com>
To: Igor Stoppa <igor.stoppa@huawei.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Michal Hocko <mhocko@kernel.org>,
Dave Hansen <dave.hansen@intel.com>,
Laura Abbott <labbott@redhat.com>, Linux-MM <linux-mm@kvack.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>,
Daniel Micay <danielmicay@gmail.com>,
Greg KH <gregkh@linuxfoundation.org>,
James Morris <james.l.morris@oracle.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH 1/1] Sealable memory support
Date: Sun, 28 May 2017 11:23:02 -0700 [thread overview]
Message-ID: <CAGXu5jKEmEzAFssmBu2=kJvXikTZ12CF4f8gQy+7UBh8F24PAw@mail.gmail.com> (raw)
In-Reply-To: <138740ab-ba0b-053c-d5b9-a71d6a5c7187@huawei.com>
On Wed, May 24, 2017 at 10:45 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
> On 23/05/17 23:11, Kees Cook wrote:
>> On Tue, May 23, 2017 at 2:43 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
>> I meant this:
>>
>> CPU 1 CPU 2
>> create
>> alloc
>> write
>> seal
>> ...
>> unseal
>> write
>> write
>> seal
>>
>> The CPU 2 write would be, for example, an attacker using a
>> vulnerability to attempt to write to memory in the sealed area. All it
>> would need to do to succeed would be to trigger an action in the
>> kernel that would do a "legitimate" write (which requires the unseal),
>> and race it. Unsealing should be CPU-local, if the API is going to
>> support this kind of access.
>
> I see.
> If the CPU1 were to forcibly halt anything that can race with it, then
> it would be sure that there was no interference.
Correct. This is actually what ARM does for doing kernel memory
writing when poking stuff for kprobes, etc. It's rather dramatic,
though. :)
> A reactive approach could be, instead, to re-validate the content after
> the sealing, assuming that it is possible.
I would prefer to avoid this, as that allows an attacker to still have
made the changes (which could even result in them then disabling the
re-validation during the attack).
>> I am more concerned about _any_ unseal after initial seal. And even
>> then, it'd be nice to keep things CPU-local. My concerns are related
>> to the write-rarely proposal (https://lkml.org/lkml/2017/3/29/704)
>> which is kind of like this, but focused on the .data section, not
>> dynamic memory. It has similar concerns about CPU-locality.
>> Additionally, even writing to memory and then making it read-only
>> later runs risks (see threads about BPF JIT races vs making things
>> read-only: https://patchwork.kernel.org/patch/9662653/ Alexei's NAK
>> doesn't change the risk this series is fixing: races with attacker
>> writes during assignment but before read-only marking).
>
> If you are talking about an attacker, rather than protection against
> accidental overwrites, how hashing can be enough?
> Couldn't the attacker compromise that too?
In theory, yes, though the goal was to dedicate a register to the
hash, which would make it hard/impossible for an attacker to reach.
(The BPF JIT situation is just an example of this kind of race,
though. I'm still in favor of reducing the write window to init-time
from full run-time.)
>> So, while smalloc would hugely reduce the window an attacker has
>> available to change data contents, this API doesn't eliminate it. (To
>> eliminate it, there would need to be a CPU-local page permission view
>> that let only the current CPU to the page, and then restore it to
>> read-only to match the global read-only view.)
>
> That or, if one is ready to take the hit, freeze every other possible
> attack vector. But I'm not sure this could be justifiable.
I would expect other people would NAK using "stop all other CPUs"
approach. Better to have the CPU-local writes.
>> Ah! In that case, sure. This isn't what the proposed API provided,
>> though, so let's adjust it to only perform the unseal at destroy time.
>> That makes it much saner, IMO. "Write once" dynamic allocations, or
>> "read-only after seal". woalloc? :P yay naming
>
> For now I'm still using smalloc.
> Anything that is either [x]malloc or [yz]malloc is fine, lengthwise.
> Other options might require some re-formatting.
Yeah, I don't have any better idea for names. :)
>> Ah, okay. Most of the LSM is happily covered by __ro_after_init. If we
>> could just drop the runtime disabling of SELinux, we'd be fine.
>
> I am not sure I understand this point.
> If the kernel is properly configured, the master toggle variable
> disappears, right?
> Or do you mean the disabling through modifications of the linked list of
> the hooks?
We might be talking past each-other. Right now, the LSM is marked with
__ro_after_init, which will make all the list structures, entries, etc
read-only already. There is one case where this is not true, and
that's for CONFIG_SECURITY_WRITABLE_HOOKS for
CONFIG_SECURITY_SELINUX_DISABLE, which wants to do run-time removal of
SELinux. Are you talking about the SELinux policy installed during
early boot? Which things did you want to use smalloc() on?
>> It seems like smalloc pools could also be refcounted?
>
> I am not sure what you mean.
> What do you want to count?
> Number of pools? Nodes per pool? Allocations per node?
I meant things that point into an smalloc() pool could keep a refcount
and when nothing was pointing into it, it could be destroyed. (i.e.
using refcount garbage collection instead of explicit destruction.)
> And what for?
It might be easier to reason about later if allocations get complex.
It's certainly not required for the first version of this.
> At least in the case of tearing down a pool, when a module is unloaded,
> nobody needs to free anything that was allocated with smalloc.
> The teardown function will free the pages from each node.
Right, yeah.
>>>>> +#define NODE_HEADER \
>>>>> + struct { \
>>>>> + __SMALLOC_ALIGNED__ struct { \
>>>>> + struct list_head list; \
>>>>> + align_t *free; \
>>>>> + unsigned long available_words; \
>>>>> + }; \
>>>>> + }
>>>
>>> Does this look ok? ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> It's probably a sufficient starting point, depending on how the API
>> shakes out. Without unseal-write-seal properties, I case much less
>> about redzoning, etc.
>
> ok, but my question (I am not sure if it was clear) was about the use of
> a macro for the nameless structure that contains the header.
I don't really have an opinion on this. It might be more readable with
a named structure?
> One more thing: how should I tie this allocator to the rest?
> I have verified that is seems to work with both SLUB and SLAB.
> Can I make it depend on either of them being enabled?
It seems totally unrelated. The only relationship I see would be
interaction with hardened usercopy. In a perfect world, none of the
smalloc pools would be allowed to be copied to/from userspace, which
would make integration really easy: if smalloc_pool(ptr) return NOPE;
:P
> Should it be optionally enabled?
> What to default to, if it's not enabled? vmalloc?
I don't see any reason to make it optional.
-Kees
--
Kees Cook
Pixel Security
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@google.com>
To: Igor Stoppa <igor.stoppa@huawei.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Michal Hocko <mhocko@kernel.org>,
Dave Hansen <dave.hansen@intel.com>,
Laura Abbott <labbott@redhat.com>, Linux-MM <linux-mm@kvack.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>,
Daniel Micay <danielmicay@gmail.com>,
Greg KH <gregkh@linuxfoundation.org>,
James Morris <james.l.morris@oracle.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: [kernel-hardening] Re: [PATCH 1/1] Sealable memory support
Date: Sun, 28 May 2017 11:23:02 -0700 [thread overview]
Message-ID: <CAGXu5jKEmEzAFssmBu2=kJvXikTZ12CF4f8gQy+7UBh8F24PAw@mail.gmail.com> (raw)
In-Reply-To: <138740ab-ba0b-053c-d5b9-a71d6a5c7187@huawei.com>
On Wed, May 24, 2017 at 10:45 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
> On 23/05/17 23:11, Kees Cook wrote:
>> On Tue, May 23, 2017 at 2:43 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
>> I meant this:
>>
>> CPU 1 CPU 2
>> create
>> alloc
>> write
>> seal
>> ...
>> unseal
>> write
>> write
>> seal
>>
>> The CPU 2 write would be, for example, an attacker using a
>> vulnerability to attempt to write to memory in the sealed area. All it
>> would need to do to succeed would be to trigger an action in the
>> kernel that would do a "legitimate" write (which requires the unseal),
>> and race it. Unsealing should be CPU-local, if the API is going to
>> support this kind of access.
>
> I see.
> If the CPU1 were to forcibly halt anything that can race with it, then
> it would be sure that there was no interference.
Correct. This is actually what ARM does for doing kernel memory
writing when poking stuff for kprobes, etc. It's rather dramatic,
though. :)
> A reactive approach could be, instead, to re-validate the content after
> the sealing, assuming that it is possible.
I would prefer to avoid this, as that allows an attacker to still have
made the changes (which could even result in them then disabling the
re-validation during the attack).
>> I am more concerned about _any_ unseal after initial seal. And even
>> then, it'd be nice to keep things CPU-local. My concerns are related
>> to the write-rarely proposal (https://lkml.org/lkml/2017/3/29/704)
>> which is kind of like this, but focused on the .data section, not
>> dynamic memory. It has similar concerns about CPU-locality.
>> Additionally, even writing to memory and then making it read-only
>> later runs risks (see threads about BPF JIT races vs making things
>> read-only: https://patchwork.kernel.org/patch/9662653/ Alexei's NAK
>> doesn't change the risk this series is fixing: races with attacker
>> writes during assignment but before read-only marking).
>
> If you are talking about an attacker, rather than protection against
> accidental overwrites, how hashing can be enough?
> Couldn't the attacker compromise that too?
In theory, yes, though the goal was to dedicate a register to the
hash, which would make it hard/impossible for an attacker to reach.
(The BPF JIT situation is just an example of this kind of race,
though. I'm still in favor of reducing the write window to init-time
from full run-time.)
>> So, while smalloc would hugely reduce the window an attacker has
>> available to change data contents, this API doesn't eliminate it. (To
>> eliminate it, there would need to be a CPU-local page permission view
>> that let only the current CPU to the page, and then restore it to
>> read-only to match the global read-only view.)
>
> That or, if one is ready to take the hit, freeze every other possible
> attack vector. But I'm not sure this could be justifiable.
I would expect other people would NAK using "stop all other CPUs"
approach. Better to have the CPU-local writes.
>> Ah! In that case, sure. This isn't what the proposed API provided,
>> though, so let's adjust it to only perform the unseal at destroy time.
>> That makes it much saner, IMO. "Write once" dynamic allocations, or
>> "read-only after seal". woalloc? :P yay naming
>
> For now I'm still using smalloc.
> Anything that is either [x]malloc or [yz]malloc is fine, lengthwise.
> Other options might require some re-formatting.
Yeah, I don't have any better idea for names. :)
>> Ah, okay. Most of the LSM is happily covered by __ro_after_init. If we
>> could just drop the runtime disabling of SELinux, we'd be fine.
>
> I am not sure I understand this point.
> If the kernel is properly configured, the master toggle variable
> disappears, right?
> Or do you mean the disabling through modifications of the linked list of
> the hooks?
We might be talking past each-other. Right now, the LSM is marked with
__ro_after_init, which will make all the list structures, entries, etc
read-only already. There is one case where this is not true, and
that's for CONFIG_SECURITY_WRITABLE_HOOKS for
CONFIG_SECURITY_SELINUX_DISABLE, which wants to do run-time removal of
SELinux. Are you talking about the SELinux policy installed during
early boot? Which things did you want to use smalloc() on?
>> It seems like smalloc pools could also be refcounted?
>
> I am not sure what you mean.
> What do you want to count?
> Number of pools? Nodes per pool? Allocations per node?
I meant things that point into an smalloc() pool could keep a refcount
and when nothing was pointing into it, it could be destroyed. (i.e.
using refcount garbage collection instead of explicit destruction.)
> And what for?
It might be easier to reason about later if allocations get complex.
It's certainly not required for the first version of this.
> At least in the case of tearing down a pool, when a module is unloaded,
> nobody needs to free anything that was allocated with smalloc.
> The teardown function will free the pages from each node.
Right, yeah.
>>>>> +#define NODE_HEADER \
>>>>> + struct { \
>>>>> + __SMALLOC_ALIGNED__ struct { \
>>>>> + struct list_head list; \
>>>>> + align_t *free; \
>>>>> + unsigned long available_words; \
>>>>> + }; \
>>>>> + }
>>>
>>> Does this look ok? ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> It's probably a sufficient starting point, depending on how the API
>> shakes out. Without unseal-write-seal properties, I case much less
>> about redzoning, etc.
>
> ok, but my question (I am not sure if it was clear) was about the use of
> a macro for the nameless structure that contains the header.
I don't really have an opinion on this. It might be more readable with
a named structure?
> One more thing: how should I tie this allocator to the rest?
> I have verified that is seems to work with both SLUB and SLAB.
> Can I make it depend on either of them being enabled?
It seems totally unrelated. The only relationship I see would be
interaction with hardened usercopy. In a perfect world, none of the
smalloc pools would be allowed to be copied to/from userspace, which
would make integration really easy: if smalloc_pool(ptr) return NOPE;
:P
> Should it be optionally enabled?
> What to default to, if it's not enabled? vmalloc?
I don't see any reason to make it optional.
-Kees
--
Kees Cook
Pixel Security
next prev parent reply other threads:[~2017-05-28 18:23 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-19 10:38 [RFC v3]mm: ro protection for data allocated dynamically Igor Stoppa
2017-05-19 10:38 ` [kernel-hardening] " Igor Stoppa
2017-05-19 10:38 ` Igor Stoppa
2017-05-19 10:38 ` [PATCH 1/1] Sealable memory support Igor Stoppa
2017-05-19 10:38 ` [kernel-hardening] " Igor Stoppa
2017-05-19 10:38 ` Igor Stoppa
2017-05-20 8:51 ` [kernel-hardening] " Greg KH
2017-05-20 8:51 ` Greg KH
2017-05-21 11:14 ` [PATCH] LSM: Make security_hook_heads a local variable Tetsuo Handa
2017-05-21 11:14 ` [kernel-hardening] " Tetsuo Handa
2017-05-21 11:14 ` Tetsuo Handa
2017-05-21 11:14 ` Tetsuo Handa
2017-05-22 14:03 ` Christoph Hellwig
2017-05-22 14:03 ` [kernel-hardening] " Christoph Hellwig
2017-05-22 14:03 ` Christoph Hellwig
2017-05-22 14:03 ` Christoph Hellwig
2017-05-22 15:09 ` Casey Schaufler
2017-05-22 15:09 ` [kernel-hardening] " Casey Schaufler
2017-05-22 15:09 ` Casey Schaufler
2017-05-22 15:09 ` Casey Schaufler
2017-05-22 19:50 ` Igor Stoppa
2017-05-22 19:50 ` [kernel-hardening] " Igor Stoppa
2017-05-22 19:50 ` Igor Stoppa
2017-05-22 19:50 ` Igor Stoppa
2017-05-22 20:32 ` Casey Schaufler
2017-05-22 20:32 ` [kernel-hardening] " Casey Schaufler
2017-05-22 20:32 ` Casey Schaufler
2017-05-22 20:32 ` Casey Schaufler
2017-05-22 20:43 ` Tetsuo Handa
2017-05-22 20:43 ` [kernel-hardening] " Tetsuo Handa
2017-05-22 20:43 ` Tetsuo Handa
2017-05-22 20:43 ` Tetsuo Handa
2017-05-22 19:45 ` [kernel-hardening] [PATCH 1/1] Sealable memory support Igor Stoppa
2017-05-22 19:45 ` Igor Stoppa
2017-05-22 19:45 ` Igor Stoppa
2017-05-22 21:38 ` Kees Cook
2017-05-22 21:38 ` [kernel-hardening] " Kees Cook
2017-05-22 21:38 ` Kees Cook
2017-05-23 9:43 ` Igor Stoppa
2017-05-23 9:43 ` [kernel-hardening] " Igor Stoppa
2017-05-23 9:43 ` Igor Stoppa
2017-05-23 20:11 ` Kees Cook
2017-05-23 20:11 ` [kernel-hardening] " Kees Cook
2017-05-23 20:11 ` Kees Cook
2017-05-24 17:45 ` Igor Stoppa
2017-05-24 17:45 ` [kernel-hardening] " Igor Stoppa
2017-05-24 17:45 ` Igor Stoppa
2017-05-28 18:23 ` Kees Cook [this message]
2017-05-28 18:23 ` [kernel-hardening] " Kees Cook
2017-05-28 18:23 ` Kees Cook
2017-05-28 18:56 ` [kernel-hardening] " Boris Lukashev
2017-05-28 18:56 ` Boris Lukashev
2017-05-28 18:56 ` Boris Lukashev
2017-05-28 21:32 ` Kees Cook
2017-05-28 21:32 ` Kees Cook
2017-05-28 21:32 ` Kees Cook
2017-05-29 6:04 ` Boris Lukashev
2017-05-29 6:04 ` Boris Lukashev
2017-05-29 6:04 ` Boris Lukashev
2017-05-31 21:22 ` Igor Stoppa
2017-05-31 21:22 ` [kernel-hardening] " Igor Stoppa
2017-05-31 21:22 ` Igor Stoppa
2017-05-31 13:55 ` kbuild test robot
2017-05-31 13:55 ` [kernel-hardening] " kbuild test robot
2017-05-31 13:55 ` kbuild test robot
2017-06-04 2:18 ` kbuild test robot
2017-06-04 2:18 ` [kernel-hardening] " kbuild test robot
2017-06-04 2:18 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5jKEmEzAFssmBu2=kJvXikTZ12CF4f8gQy+7UBh8F24PAw@mail.gmail.com' \
--to=keescook@google.com \
--cc=casey@schaufler-ca.com \
--cc=danielmicay@gmail.com \
--cc=dave.hansen@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=igor.stoppa@huawei.com \
--cc=james.l.morris@oracle.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@kernel.org \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.