From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753522AbaFQJyi (ORCPT ); Tue, 17 Jun 2014 05:54:38 -0400 Received: from mx1.redhat.com ([209.132.183.28]:63342 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752415AbaFQJyg (ORCPT ); Tue, 17 Jun 2014 05:54:36 -0400 Message-ID: <53A01049.6020502@redhat.com> Date: Tue, 17 Jun 2014 11:54:17 +0200 From: Florian Weimer User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 MIME-Version: 1.0 To: David Herrmann , Andy Lutomirski CC: "linux-kernel@vger.kernel.org" , Michael Kerrisk , Ryan Lortie , Linus Torvalds , Andrew Morton , "linux-mm@kvack.org" , Linux FS Devel , Linux API , Greg Kroah-Hartman , John Stultz , Lennart Poettering , Daniel Mack , Kay Sievers , Hugh Dickins , Tony Battersby Subject: Re: [PATCH v3 0/7] File Sealing & memfd_create() References: <1402655819-14325-1-git-send-email-dh.herrmann@gmail.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06/13/2014 05:33 PM, David Herrmann wrote: > On Fri, Jun 13, 2014 at 5:17 PM, Andy Lutomirski wrote: >> Isn't the point of SEAL_SHRINK to allow servers to mmap and read >> safely without worrying about SIGBUS? > > No, I don't think so. > The point of SEAL_SHRINK is to prevent a file from shrinking. SIGBUS > is an effect, not a cause. It's only a coincidence that "OOM during > reads" and "reading beyond file-boundaries" has the same effect: > SIGBUS. > We only protect against reading beyond file-boundaries due to > shrinking. Therefore, OOM-SIGBUS is unrelated to SEAL_SHRINK. > > Anyone dealing with mmap() _has_ to use mlock() to protect against > OOM-SIGBUS. Making SEAL_SHRINK protect against OOM-SIGBUS would be > redundant, because you can achieve the same with SEAL_SHRINK+mlock(). I don't think this is what potential users expect because mlock requires capabilities which are not available to them. A couple of weeks ago, sealing was to be applied to anonymous shared memory. Has this changed? Why should *reading* it trigger OOM? -- Florian Weimer / Red Hat Product Security Team From mboxrd@z Thu Jan 1 00:00:00 1970 From: Florian Weimer Subject: Re: [PATCH v3 0/7] File Sealing & memfd_create() Date: Tue, 17 Jun 2014 11:54:17 +0200 Message-ID: <53A01049.6020502@redhat.com> References: <1402655819-14325-1-git-send-email-dh.herrmann@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: "linux-kernel@vger.kernel.org" , Michael Kerrisk , Ryan Lortie , Linus Torvalds , Andrew Morton , "linux-mm@kvack.org" , Linux FS Devel , Linux API , Greg Kroah-Hartman , John Stultz , Lennart Poettering , Daniel Mack , Kay Sievers , Hugh Dickins , Tony Battersby To: David Herrmann , Andy Lutomirski Return-path: In-Reply-To: Sender: owner-linux-mm@kvack.org List-Id: linux-fsdevel.vger.kernel.org On 06/13/2014 05:33 PM, David Herrmann wrote: > On Fri, Jun 13, 2014 at 5:17 PM, Andy Lutomirski wrote: >> Isn't the point of SEAL_SHRINK to allow servers to mmap and read >> safely without worrying about SIGBUS? > > No, I don't think so. > The point of SEAL_SHRINK is to prevent a file from shrinking. SIGBUS > is an effect, not a cause. It's only a coincidence that "OOM during > reads" and "reading beyond file-boundaries" has the same effect: > SIGBUS. > We only protect against reading beyond file-boundaries due to > shrinking. Therefore, OOM-SIGBUS is unrelated to SEAL_SHRINK. > > Anyone dealing with mmap() _has_ to use mlock() to protect against > OOM-SIGBUS. Making SEAL_SHRINK protect against OOM-SIGBUS would be > redundant, because you can achieve the same with SEAL_SHRINK+mlock(). I don't think this is what potential users expect because mlock requires capabilities which are not available to them. A couple of weeks ago, sealing was to be applied to anonymous shared memory. Has this changed? Why should *reading* it trigger OOM? -- Florian Weimer / Red Hat Product Security Team -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org