From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx119.postini.com [74.125.245.119]) by kanga.kvack.org (Postfix) with SMTP id D23AE6B0006 for ; Mon, 11 Mar 2013 19:57:27 -0400 (EDT) Received: by mail-wg0-f41.google.com with SMTP id ds1so2698176wgb.2 for ; Mon, 11 Mar 2013 16:57:26 -0700 (PDT) MIME-Version: 1.0 Date: Mon, 11 Mar 2013 16:57:25 -0700 Message-ID: Subject: security: restricting access to swap From: Luigi Semenzato Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-linux-mm@kvack.org List-ID: To: linux-mm@kvack.org Greetings linux-mmers, before we can fully deploy zram, we must ensure it conforms to the Chrome OS security requirements. In particular, we do not want to allow user space to read/write the swap device---not even root-owned processes. A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM. There are a few possible approaches to this, but before we go ahead I'd like to ask if anything has happened or is planned in this direction. Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP option that would do this for any swap device (i.e. not specific to zram) and possibly also when swapping to a file. We would add an "internal" open flag, O_KERN_SWAP, as well as clean up a little bit the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY and formalizing the sets of external (O_*) and internal (O_KERN_*) open flags. Swapon() and swapoff() would use O_KERN_SWAP internally, and a device opened with that flag would reject user-level opens. Thank you in advance for any input/suggestion! Luigi -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx199.postini.com [74.125.245.199]) by kanga.kvack.org (Postfix) with SMTP id 6A1B46B0006 for ; Tue, 12 Mar 2013 09:06:41 -0400 (EDT) Date: Tue, 12 Mar 2013 09:06:36 -0400 From: Konrad Rzeszutek Wilk Subject: Re: security: restricting access to swap Message-ID: <20130312130636.GC17901@phenom.dumpdata.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: owner-linux-mm@kvack.org List-ID: To: Luigi Semenzato Cc: linux-mm@kvack.org On Mon, Mar 11, 2013 at 04:57:25PM -0700, Luigi Semenzato wrote: > Greetings linux-mmers, > > before we can fully deploy zram, we must ensure it conforms to the > Chrome OS security requirements. In particular, we do not want to > allow user space to read/write the swap device---not even root-owned > processes. > > A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM. > > There are a few possible approaches to this, but before we go ahead > I'd like to ask if anything has happened or is planned in this > direction. > > Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP > option that would do this for any swap device (i.e. not specific to > zram) and possibly also when swapping to a file. We would add an > "internal" open flag, O_KERN_SWAP, as well as clean up a little bit > the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY > and formalizing the sets of external (O_*) and internal (O_KERN_*) > open flags. > > Swapon() and swapoff() would use O_KERN_SWAP internally, and a device > opened with that flag would reject user-level opens. What/who does the swapon/swapoff calls? Is there an kernel level thread (aka init but in kernel?) that would do this? > > Thank you in advance for any input/suggestion! > Luigi > > -- > To unsubscribe, send a message with 'unsubscribe linux-mm' in > the body to majordomo@kvack.org. For more info on Linux MM, > see: http://www.linux-mm.org/ . > Don't email: email@kvack.org > -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx137.postini.com [74.125.245.137]) by kanga.kvack.org (Postfix) with SMTP id 2F1296B0006 for ; Tue, 12 Mar 2013 11:46:47 -0400 (EDT) Received: by mail-wi0-f179.google.com with SMTP id ez12so1970319wid.0 for ; Tue, 12 Mar 2013 08:46:45 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <20130312130636.GC17901@phenom.dumpdata.com> References: <20130312130636.GC17901@phenom.dumpdata.com> Date: Tue, 12 Mar 2013 08:46:40 -0700 Message-ID: Subject: Re: security: restricting access to swap From: Luigi Semenzato Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-linux-mm@kvack.org List-ID: To: Konrad Rzeszutek Wilk Cc: linux-mm@kvack.org On Tue, Mar 12, 2013 at 6:06 AM, Konrad Rzeszutek Wilk wrote: > On Mon, Mar 11, 2013 at 04:57:25PM -0700, Luigi Semenzato wrote: >> Greetings linux-mmers, >> >> before we can fully deploy zram, we must ensure it conforms to the >> Chrome OS security requirements. In particular, we do not want to >> allow user space to read/write the swap device---not even root-owned >> processes. >> >> A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM. >> >> There are a few possible approaches to this, but before we go ahead >> I'd like to ask if anything has happened or is planned in this >> direction. >> >> Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP >> option that would do this for any swap device (i.e. not specific to >> zram) and possibly also when swapping to a file. We would add an >> "internal" open flag, O_KERN_SWAP, as well as clean up a little bit >> the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY >> and formalizing the sets of external (O_*) and internal (O_KERN_*) >> open flags. >> >> Swapon() and swapoff() would use O_KERN_SWAP internally, and a device >> opened with that flag would reject user-level opens. > > What/who does the swapon/swapoff calls? Is there an kernel level thread > (aka init but in kernel?) that would do this? No, swapon() would be typically called from user level shortly after boot by the swapon program to set up swap. Swapoff() would typically not be called at all. The swapon() syscall internally calls filp_open() and that's where it would pass the O_KERN_SWAP flag. It also needs to pass an extra flag in claim_swapfile(). I should probably just send a patch. >> >> Thank you in advance for any input/suggestion! >> Luigi >> >> -- >> To unsubscribe, send a message with 'unsubscribe linux-mm' in >> the body to majordomo@kvack.org. For more info on Linux MM, >> see: http://www.linux-mm.org/ . >> Don't email: email@kvack.org >> -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx108.postini.com [74.125.245.108]) by kanga.kvack.org (Postfix) with SMTP id DDF6E6B0006 for ; Tue, 12 Mar 2013 19:32:28 -0400 (EDT) Received: by mail-pb0-f48.google.com with SMTP id wy12so376122pbc.7 for ; Tue, 12 Mar 2013 16:32:28 -0700 (PDT) Message-ID: <513FBB07.9030508@gmail.com> Date: Wed, 13 Mar 2013 07:32:23 +0800 From: Simon Jeons MIME-Version: 1.0 Subject: Re: security: restricting access to swap References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: Luigi Semenzato Cc: linux-mm@kvack.org, Johannes Weiner , Hugh Dickins Cc experts Johannes, Hugh, On 03/12/2013 07:57 AM, Luigi Semenzato wrote: > Greetings linux-mmers, > > before we can fully deploy zram, we must ensure it conforms to the > Chrome OS security requirements. In particular, we do not want to > allow user space to read/write the swap device---not even root-owned > processes. > > A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM. > > There are a few possible approaches to this, but before we go ahead > I'd like to ask if anything has happened or is planned in this > direction. > > Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP > option that would do this for any swap device (i.e. not specific to > zram) and possibly also when swapping to a file. We would add an > "internal" open flag, O_KERN_SWAP, as well as clean up a little bit > the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY > and formalizing the sets of external (O_*) and internal (O_KERN_*) > open flags. > > Swapon() and swapoff() would use O_KERN_SWAP internally, and a device > opened with that flag would reject user-level opens. > > Thank you in advance for any input/suggestion! > Luigi > > -- > To unsubscribe, send a message with 'unsubscribe linux-mm' in > the body to majordomo@kvack.org. For more info on Linux MM, > see: http://www.linux-mm.org/ . > Don't email: email@kvack.org -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx197.postini.com [74.125.245.197]) by kanga.kvack.org (Postfix) with SMTP id D45EB6B0027 for ; Fri, 15 Mar 2013 05:04:26 -0400 (EDT) Received: by mail-pb0-f44.google.com with SMTP id wz12so3527751pbc.31 for ; Fri, 15 Mar 2013 02:04:25 -0700 (PDT) Message-ID: <5142E411.2040005@gmail.com> Date: Fri, 15 Mar 2013 17:04:17 +0800 From: Ric Mason MIME-Version: 1.0 Subject: Re: security: restricting access to swap References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: Luigi Semenzato Cc: linux-mm@kvack.org, Johannes Weiner , Hugh Dickins On 03/12/2013 07:57 AM, Luigi Semenzato wrote: > Greetings linux-mmers, > > before we can fully deploy zram, we must ensure it conforms to the > Chrome OS security requirements. In particular, we do not want to > allow user space to read/write the swap device---not even root-owned > processes. Interesting. > > A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM. Sorry, what's /dev/mem used for? and why relevant your topic? > > There are a few possible approaches to this, but before we go ahead > I'd like to ask if anything has happened or is planned in this > direction. > > Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP > option that would do this for any swap device (i.e. not specific to > zram) and possibly also when swapping to a file. We would add an > "internal" open flag, O_KERN_SWAP, as well as clean up a little bit > the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY > and formalizing the sets of external (O_*) and internal (O_KERN_*) > open flags. > > Swapon() and swapoff() would use O_KERN_SWAP internally, and a device > opened with that flag would reject user-level opens. > > Thank you in advance for any input/suggestion! > Luigi > > -- > To unsubscribe, send a message with 'unsubscribe linux-mm' in > the body to majordomo@kvack.org. For more info on Linux MM, > see: http://www.linux-mm.org/ . > Don't email: email@kvack.org -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx135.postini.com [74.125.245.135]) by kanga.kvack.org (Postfix) with SMTP id 5AB4E6B0038 for ; Fri, 15 Mar 2013 11:48:51 -0400 (EDT) Received: by mail-we0-f176.google.com with SMTP id s43so3226750wey.21 for ; Fri, 15 Mar 2013 08:48:49 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <5142E411.2040005@gmail.com> References: <5142E411.2040005@gmail.com> Date: Fri, 15 Mar 2013 08:48:49 -0700 Message-ID: Subject: Re: security: restricting access to swap From: Luigi Semenzato Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-linux-mm@kvack.org List-ID: To: Ric Mason Cc: linux-mm@kvack.org, Johannes Weiner , Hugh Dickins On Fri, Mar 15, 2013 at 2:04 AM, Ric Mason wrote: > On 03/12/2013 07:57 AM, Luigi Semenzato wrote: >> >> Greetings linux-mmers, >> >> before we can fully deploy zram, we must ensure it conforms to the >> Chrome OS security requirements. In particular, we do not want to >> allow user space to read/write the swap device---not even root-owned >> processes. > > > Interesting. Thank you. >> >> A similar restriction is available for /dev/mem under >> CONFIG_STRICT_DEVMEM. > > > Sorry, what's /dev/mem used for? and why relevant your topic? I don't know what it's used for Chrome OS, but I don't think it matters. The point is that /dev/mem is compiled in the kernel, and without CONFIG_STRICT_DEVMEM it offers a way for a root-owned process to read/write all of physical memory. The situation is not as dire with a swap device, but currently a root-owned process can open a block device used for swap and peek and poke its data, which means that a root-owned process has now potential access to the data segment of any other process, among other things. >> >> There are a few possible approaches to this, but before we go ahead >> I'd like to ask if anything has happened or is planned in this >> direction. >> >> Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP >> option that would do this for any swap device (i.e. not specific to >> zram) and possibly also when swapping to a file. We would add an >> "internal" open flag, O_KERN_SWAP, as well as clean up a little bit >> the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY >> and formalizing the sets of external (O_*) and internal (O_KERN_*) >> open flags. >> >> Swapon() and swapoff() would use O_KERN_SWAP internally, and a device >> opened with that flag would reject user-level opens. >> >> Thank you in advance for any input/suggestion! >> Luigi >> >> -- >> To unsubscribe, send a message with 'unsubscribe linux-mm' in >> the body to majordomo@kvack.org. For more info on Linux MM, >> see: http://www.linux-mm.org/ . >> Don't email: email@kvack.org > > -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx126.postini.com [74.125.245.126]) by kanga.kvack.org (Postfix) with SMTP id 6CAA96B0038 for ; Fri, 15 Mar 2013 12:55:14 -0400 (EDT) Date: Fri, 15 Mar 2013 12:55:09 -0400 From: Johannes Weiner Subject: Re: security: restricting access to swap Message-ID: <20130315165509.GA1108@cmpxchg.org> References: <5142E411.2040005@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: owner-linux-mm@kvack.org List-ID: To: Luigi Semenzato Cc: Ric Mason , linux-mm@kvack.org, Hugh Dickins On Fri, Mar 15, 2013 at 08:48:49AM -0700, Luigi Semenzato wrote: > On Fri, Mar 15, 2013 at 2:04 AM, Ric Mason wrote: > > On 03/12/2013 07:57 AM, Luigi Semenzato wrote: > >> > >> Greetings linux-mmers, > >> > >> before we can fully deploy zram, we must ensure it conforms to the > >> Chrome OS security requirements. In particular, we do not want to > >> allow user space to read/write the swap device---not even root-owned > >> processes. > > > > > > Interesting. > > Thank you. > > >> > >> A similar restriction is available for /dev/mem under > >> CONFIG_STRICT_DEVMEM. > > > > > > Sorry, what's /dev/mem used for? and why relevant your topic? > > I don't know what it's used for Chrome OS, but I don't think it > matters. The point is that /dev/mem is compiled in the kernel, and > without CONFIG_STRICT_DEVMEM it offers a way for a root-owned process > to read/write all of physical memory. The situation is not as dire > with a swap device, but currently a root-owned process can open a > block device used for swap and peek and poke its data, which means > that a root-owned process has now potential access to the data segment > of any other process, among other things. How do you handle /proc//mem? -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx148.postini.com [74.125.245.148]) by kanga.kvack.org (Postfix) with SMTP id A56CE6B0037 for ; Fri, 15 Mar 2013 13:27:25 -0400 (EDT) Received: by mail-we0-f170.google.com with SMTP id z53so3404369wey.15 for ; Fri, 15 Mar 2013 10:27:24 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <20130315165509.GA1108@cmpxchg.org> References: <5142E411.2040005@gmail.com> <20130315165509.GA1108@cmpxchg.org> Date: Fri, 15 Mar 2013 10:27:23 -0700 Message-ID: Subject: Re: security: restricting access to swap From: Luigi Semenzato Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-linux-mm@kvack.org List-ID: To: Johannes Weiner , Will Drewry Cc: Ric Mason , linux-mm@kvack.org, Hugh Dickins On Fri, Mar 15, 2013 at 9:55 AM, Johannes Weiner wrote: > On Fri, Mar 15, 2013 at 08:48:49AM -0700, Luigi Semenzato wrote: >> On Fri, Mar 15, 2013 at 2:04 AM, Ric Mason wrote: >> > On 03/12/2013 07:57 AM, Luigi Semenzato wrote: >> >> >> >> Greetings linux-mmers, >> >> >> >> before we can fully deploy zram, we must ensure it conforms to the >> >> Chrome OS security requirements. In particular, we do not want to >> >> allow user space to read/write the swap device---not even root-owned >> >> processes. >> > >> > >> > Interesting. >> >> Thank you. >> >> >> >> >> A similar restriction is available for /dev/mem under >> >> CONFIG_STRICT_DEVMEM. >> > >> > >> > Sorry, what's /dev/mem used for? and why relevant your topic? >> >> I don't know what it's used for Chrome OS, but I don't think it >> matters. The point is that /dev/mem is compiled in the kernel, and >> without CONFIG_STRICT_DEVMEM it offers a way for a root-owned process >> to read/write all of physical memory. The situation is not as dire >> with a swap device, but currently a root-owned process can open a >> block device used for swap and peek and poke its data, which means >> that a root-owned process has now potential access to the data segment >> of any other process, among other things. > > How do you handle /proc//mem? Right. We do not. But... we might! We could turn it off and see if it breaks anything important. In any case, we don't like expanding the attack surface. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx176.postini.com [74.125.245.176]) by kanga.kvack.org (Postfix) with SMTP id BFCC46B0037 for ; Fri, 15 Mar 2013 18:19:41 -0400 (EDT) Received: by mail-wi0-f175.google.com with SMTP id l13so986581wie.14 for ; Fri, 15 Mar 2013 15:19:40 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: References: <5142E411.2040005@gmail.com> <20130315165509.GA1108@cmpxchg.org> Date: Fri, 15 Mar 2013 15:19:39 -0700 Message-ID: Subject: Re: security: restricting access to swap From: Luigi Semenzato Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-linux-mm@kvack.org List-ID: To: Johannes Weiner , Will Drewry , Kees Cook Cc: Ric Mason , linux-mm@kvack.org, Hugh Dickins After further reading, it looks as if /proc//mem has a lot of built-in protection already, so that should not be an issue. On Fri, Mar 15, 2013 at 10:27 AM, Luigi Semenzato wrote: > On Fri, Mar 15, 2013 at 9:55 AM, Johannes Weiner wrote: >> On Fri, Mar 15, 2013 at 08:48:49AM -0700, Luigi Semenzato wrote: >>> On Fri, Mar 15, 2013 at 2:04 AM, Ric Mason wrote: >>> > On 03/12/2013 07:57 AM, Luigi Semenzato wrote: >>> >> >>> >> Greetings linux-mmers, >>> >> >>> >> before we can fully deploy zram, we must ensure it conforms to the >>> >> Chrome OS security requirements. In particular, we do not want to >>> >> allow user space to read/write the swap device---not even root-owned >>> >> processes. >>> > >>> > >>> > Interesting. >>> >>> Thank you. >>> >>> >> >>> >> A similar restriction is available for /dev/mem under >>> >> CONFIG_STRICT_DEVMEM. >>> > >>> > >>> > Sorry, what's /dev/mem used for? and why relevant your topic? >>> >>> I don't know what it's used for Chrome OS, but I don't think it >>> matters. The point is that /dev/mem is compiled in the kernel, and >>> without CONFIG_STRICT_DEVMEM it offers a way for a root-owned process >>> to read/write all of physical memory. The situation is not as dire >>> with a swap device, but currently a root-owned process can open a >>> block device used for swap and peek and poke its data, which means >>> that a root-owned process has now potential access to the data segment >>> of any other process, among other things. >> >> How do you handle /proc//mem? > > Right. We do not. But... we might! We could turn it off and see if > it breaks anything important. > > In any case, we don't like expanding the attack surface. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx187.postini.com [74.125.245.187]) by kanga.kvack.org (Postfix) with SMTP id 1FF736B0005 for ; Sun, 17 Mar 2013 23:59:04 -0400 (EDT) Received: by mail-da0-f49.google.com with SMTP id t11so1059258daj.22 for ; Sun, 17 Mar 2013 20:59:02 -0700 (PDT) Date: Sun, 17 Mar 2013 20:58:30 -0700 (PDT) From: Hugh Dickins Subject: Re: security: restricting access to swap In-Reply-To: Message-ID: References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-linux-mm@kvack.org List-ID: To: Luigi Semenzato Cc: linux-mm@kvack.org On Mon, 11 Mar 2013, Luigi Semenzato wrote: > Greetings linux-mmers, > > before we can fully deploy zram, we must ensure it conforms to the > Chrome OS security requirements. In particular, we do not want to > allow user space to read/write the swap device---not even root-owned > processes. > > A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM. > > There are a few possible approaches to this, but before we go ahead > I'd like to ask if anything has happened or is planned in this > direction. > > Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP > option that would do this for any swap device (i.e. not specific to > zram) and possibly also when swapping to a file. We would add an > "internal" open flag, O_KERN_SWAP, as well as clean up a little bit > the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY > and formalizing the sets of external (O_*) and internal (O_KERN_*) > open flags. > > Swapon() and swapoff() would use O_KERN_SWAP internally, and a device > opened with that flag would reject user-level opens. > > Thank you in advance for any input/suggestion! > Luigi Your O_KERN_SWAP does not make much sense to me. The open flag would only apply while the device or file is open, yet you would also want this security to apply after it has been closed. And there's not much security if you rely upon zeroing the swap area at swapoff. Maybe it crashes before swapoff. Maybe you have /dev/sda1 open O_KERN_SWAP, but someone is watching through /dev/sda. Maybe you have swapfile open O_KERN_SWAP, but someone is watching through the block device of the filesystem holding swapfile. I think you want to encrypt the pages going out to swap, and encrypt them in such a way that only swap has the key. Whether that's already easily achieved with dm I have no idea. Hugh -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx149.postini.com [74.125.245.149]) by kanga.kvack.org (Postfix) with SMTP id A608E6B0005 for ; Mon, 18 Mar 2013 12:05:37 -0400 (EDT) Received: by mail-wi0-f175.google.com with SMTP id l13so2853874wie.8 for ; Mon, 18 Mar 2013 09:05:36 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: References: Date: Mon, 18 Mar 2013 09:05:35 -0700 Message-ID: Subject: Re: security: restricting access to swap From: Luigi Semenzato Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-linux-mm@kvack.org List-ID: To: Hugh Dickins Cc: linux-mm@kvack.org, Sonny Rao On Sun, Mar 17, 2013 at 8:58 PM, Hugh Dickins wrote: > On Mon, 11 Mar 2013, Luigi Semenzato wrote: >> Greetings linux-mmers, >> >> before we can fully deploy zram, we must ensure it conforms to the >> Chrome OS security requirements. In particular, we do not want to >> allow user space to read/write the swap device---not even root-owned >> processes. >> >> A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM. >> >> There are a few possible approaches to this, but before we go ahead >> I'd like to ask if anything has happened or is planned in this >> direction. >> >> Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP >> option that would do this for any swap device (i.e. not specific to >> zram) and possibly also when swapping to a file. We would add an >> "internal" open flag, O_KERN_SWAP, as well as clean up a little bit >> the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY >> and formalizing the sets of external (O_*) and internal (O_KERN_*) >> open flags. >> >> Swapon() and swapoff() would use O_KERN_SWAP internally, and a device >> opened with that flag would reject user-level opens. >> >> Thank you in advance for any input/suggestion! >> Luigi Hugh, thanks for the reply. > Your O_KERN_SWAP does not make much sense to me. > > The open flag would only apply while the device or file is open, yet > you would also want this security to apply after it has been closed. > > And there's not much security if you rely upon zeroing the swap area > at swapoff. Maybe it crashes before swapoff. Yes, that would be a problem. It's not in our case because the swap device is ZRAM. > Maybe you have /dev/sda1 > open O_KERN_SWAP, but someone is watching through /dev/sda. Maybe you > have swapfile open O_KERN_SWAP, but someone is watching through the > block device of the filesystem holding swapfile. Yes, I realize that this works only when using the entire device for swap. > I think you want to encrypt the pages going out to swap, and encrypt > them in such a way that only swap has the key. Whether that's already > easily achieved with dm I have no idea. I think that for our application it may make sense to have a ZRAM-specific solution. Thanks! -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx139.postini.com [74.125.245.139]) by kanga.kvack.org (Postfix) with SMTP id 245B86B0005 for ; Mon, 18 Mar 2013 19:42:58 -0400 (EDT) Received: by mail-vc0-f172.google.com with SMTP id hr11so3440913vcb.31 for ; Mon, 18 Mar 2013 16:42:57 -0700 (PDT) Message-ID: <5147A68B.9030207@gmail.com> Date: Mon, 18 Mar 2013 19:43:07 -0400 From: KOSAKI Motohiro MIME-Version: 1.0 Subject: Re: security: restricting access to swap References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: Luigi Semenzato Cc: linux-mm@kvack.org, kosaki.motohiro@gmail.com (3/11/13 7:57 PM), Luigi Semenzato wrote: > Greetings linux-mmers, > > before we can fully deploy zram, we must ensure it conforms to the > Chrome OS security requirements. In particular, we do not want to > allow user space to read/write the swap device---not even root-owned > processes. Could you explain Chrome OS security requirement at first? We don't want to guess your requirement. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from psmtp.com (na3sys010amx170.postini.com [74.125.245.170]) by kanga.kvack.org (Postfix) with SMTP id DFA956B00B1 for ; Mon, 25 Mar 2013 21:44:43 -0400 (EDT) Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1UKIwi-0007OC-Db for linux-mm@kvack.org; Tue, 26 Mar 2013 02:45:04 +0100 Received: from 173-164-30-65-Nashville.hfc.comcastbusiness.net ([173.164.30.65]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Tue, 26 Mar 2013 02:45:04 +0100 Received: from wad by 173-164-30-65-Nashville.hfc.comcastbusiness.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Tue, 26 Mar 2013 02:45:04 +0100 From: Will Drewry Subject: Re: security: restricting access to swap Date: Tue, 19 Mar 2013 17:39:44 +0000 (UTC) Message-ID: References: <5147A68B.9030207@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: linux-mm@kvack.org KOSAKI Motohiro gmail.com> writes: > > (3/11/13 7:57 PM), Luigi Semenzato wrote: > > Greetings linux-mmers, > > > > before we can fully deploy zram, we must ensure it conforms to the > > Chrome OS security requirements. In particular, we do not want to > > allow user space to read/write the swap device---not even root-owned > > processes. > > Could you explain Chrome OS security requirement at first? We don't want > to guess your requirement. I'll try to add a little more flavor. We're continuing to reduce the exposure from root-equivalent users wherever possible. Enabling swap support to a block device means an alternative means to access/modify swapped out user-context memory with a single discretionary access control check, bypassing any per-process checks in /proc//mem (like mm_open(..., PTRACE_MODE_ATTACH)), and so on. hth! will -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org