From: Andy Lutomirski <luto@amacapital.net>
To: David Miller <davem@davemloft.net>
Cc: luto@kernel.org, alexei.starovoitov@gmail.com,
	keescook@chromium.org, ast@kernel.org, tixxdz@gmail.com,
	viro@zeniv.linux.org.uk, daniel@iogearbox.net,
	torvalds@linux-foundation.org, gregkh@linuxfoundation.org,
	mcgrof@kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, kernel-team@fb.com,
	linux-api@vger.kernel.org
Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries
Date: Thu, 8 Mar 2018 19:10:54 -0800
Message-ID: <3BC1EAA3-D926-4758-901D-A860718B846A@amacapital.net>
In-Reply-To: <20180308.213153.2003279953084099668.davem@davemloft.net>




> On Mar 8, 2018, at 6:31 PM, David Miller <davem@davemloft.net> wrote:
> 
> From: Andy Lutomirski <luto@kernel.org>
> Date: Fri, 9 Mar 2018 02:12:24 +0000
> 
>> First, compile your user code and emit a static binary.  Use objdump
>> fiddling or a trivial .S file to make that static binary into a
>> variable.  Then write a tiny shim module like this:
>> 
>> extern unsigned char __begin_user_code[], __end_user_code[];
>> 
>> int __init init_shim_module(void)
>> {
>>  return call_umh_blob(__begin_user_code, __end_user_code - __begin_user_code);
>> }
>> 
>> By itself, this is clearly a worse solution than yours, but it has two
>> benefits, one small and two big.  The small benefit is that it is
>> completely invisible to userspace: the .ko file is a bona fide module.
> 
> Anything you try to do which makes these binaries "special" is a huge
> negative.

I don’t know what you mean.  Alexei’s approach introduces a whole new kind of special module.  Mine doesn’t. 

> 
>> The big benefits are:
> 
> I don't see those things as benefits at all, and Alexei's scheme can
> easily be made to work in your benefit #1 case too.
> 

How?  I think you’ll find that a non-modular implementation of a bundled ELF binary looks a *lot* like my call_umh_blob().

> It's a user binary.  It's shipped with the kernel and it's signed.
> 
> If we can't trust that, we can't trust much else.

I’m not making any arguments about security at all. I’m talking about functionality. 

If we apply Alexei’s patch as is, then I think we’ll have a situation where ET_EXEC modules are only useful if they can do their jobs without any filesystem access at all.  This is fine for networking, where netlink sockets are used, but I think it’s not so great for other use cases. If we ever try to stick a usb driver into userspace, we’re going to want to instantiate the user task once per device, passed as stdin or similar, and Alexei’s code will make that very awkward.
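
The "trivial .S file" step from the quoted proposal, as an added userspace example that is not code from this thread: the blob sits in .rodata between the two symbols the shim declares, and its length is the pointer difference. The sample bytes are constructed, `check_user_blob()` and the `user_helper` file name are hypothetical, and `call_umh_blob()` (the function proposed in the mail) is not called; GNU assembler syntax on an ELF target is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample blob: the first 18 bytes of a 64-bit little-endian ELF
 * header (e_ident[16] followed by e_type = ET_EXEC). A real build would put
 *   .incbin "user_helper"      (hypothetical file name)
 * here instead of the .byte lines. Assumes GNU assembler syntax, ELF target. */
__asm__(
    ".pushsection .rodata\n"
    ".globl __begin_user_code\n"
    "__begin_user_code:\n"
    ".byte 0x7f, 0x45, 0x4c, 0x46, 2, 1, 1, 0\n"   /* magic, class, data, version */
    ".byte 0, 0, 0, 0, 0, 0, 0, 0\n"               /* e_ident padding */
    ".byte 2, 0\n"                                 /* e_type = ET_EXEC (LE) */
    ".globl __end_user_code\n"
    "__end_user_code:\n"
    ".popsection\n");

/* Same declaration as the shim in the quoted mail (const added here). */
extern const unsigned char __begin_user_code[], __end_user_code[];

size_t user_code_len(void)
{
    return (size_t)(__end_user_code - __begin_user_code);
}

/* Hypothetical sanity check a loader could run before executing the blob.
 * Returns 0 if the blob starts like a little-endian ET_EXEC ELF image. */
int check_user_blob(const unsigned char *p, size_t len)
{
    if (len < 18)
        return -1;                       /* too short for e_ident + e_type */
    if (memcmp(p, "\177ELF", 4) != 0)
        return -2;                       /* not an ELF image */
    if (p[5] != 1)
        return -3;                       /* EI_DATA: not little-endian */
    if ((p[16] | (p[17] << 8)) != 2)
        return -4;                       /* e_type is not ET_EXEC */
    return 0;
}

int main(void)
{
    printf("blob: %zu bytes, check = %d\n", user_code_len(),
           check_user_blob(__begin_user_code, user_code_len()));
    return 0;
}
```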
