From: Igor Stoppa <igor.stoppa@gmail.com>
To: Matthew Wilcox <willy@infradead.org>, Tycho Andersen <tycho@tycho.ws>
Cc: Andy Lutomirski <luto@amacapital.net>, Kees Cook <keescook@chromium.org>,
    Peter Zijlstra <peterz@infradead.org>, Mimi Zohar <zohar@linux.vnet.ibm.com>,
    Dave Chinner <david@fromorbit.com>, James Morris <jmorris@namei.org>,
    Michal Hocko <mhocko@kernel.org>,
    Kernel Hardening <kernel-hardening@lists.openwall.com>,
    linux-integrity <linux-integrity@vger.kernel.org>,
    linux-security-module <linux-security-module@vger.kernel.org>,
    Igor Stoppa <igor.stoppa@huawei.com>,
    Dave Hansen <dave.hansen@linux.intel.com>, Jonathan Corbet <corbet@lwn.net>,
    Laura Abbott <labbott@redhat.com>, Randy Dunlap <rdunlap@infradead.org>,
    Mike Rapoport <rppt@linux.vnet.ibm.com>,
    "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
    LKML <linux-kernel@vger.kernel.org>, Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH 10/17] prmem: documentation
Date: Tue, 30 Oct 2018 22:43:14 +0200
Message-ID: <9edbdf8b-b5fb-5a82-43b4-b639f5ec8484@gmail.com>
In-Reply-To: <20181030192021.GC10491@bombadil.infradead.org>

On 30/10/2018 21:20, Matthew Wilcox wrote:
> On Tue, Oct 30, 2018 at 12:28:41PM -0600, Tycho Andersen wrote:
>> On Tue, Oct 30, 2018 at 10:58:14AM -0700, Matthew Wilcox wrote:
>>> On Tue, Oct 30, 2018 at 10:06:51AM -0700, Andy Lutomirski wrote:
>>>>> On Oct 30, 2018, at 9:37 AM, Kees Cook <keescook@chromium.org> wrote:
>>>> I support the addition of a rare-write mechanism to the upstream kernel.
>>>> And I think that there is only one sane way to implement it: using an
>>>> mm_struct. That mm_struct, just like any sane mm_struct, should only
>>>> differ from init_mm in that it has extra mappings in the *user* region.
>>>
>>> I'd like to understand this approach a little better. In a syscall path,
>>> we run with the user task's mm. What you're proposing is that when we
>>> want to modify rare data, we switch to rare_mm which contains a
>>> writable mapping to all the kernel data which is rare-write.
>>>
>>> So the API might look something like this:
>>>
>>>     void *p = rare_alloc(...); /* writable pointer */
>>>     p->a = x;
>>>     q = rare_protect(p); /* read-only pointer */

With pools and memory allocated from vmap_areas, I was able to say

protect(pool)

and that would do a swipe on all the pages currently in use.
In the SELinux policyDB, for example, one doesn't really want to
individually protect each allocation.

The loading phase happens usually at boot, when the system can be
assumed to be sane (one might even preload a bare-bone set of rules from
initramfs and then replace it later on, with the full-blown set).

There is no need to process each of these tens of thousands of
allocations and initialization as write-rare.

Would it be possible to do the same here?

>>>
>>> To subsequently modify q,
>>>
>>>     p = rare_modify(q);
>>>     q->a = y;
>>
>> Do you mean
>>
>>     p->a = y;
>>
>> here? I assume the intent is that q isn't writable ever, but that's
>> the one we have in the structure at rest.
>
> Yes, that was my intent, thanks.
>
> To handle the list case that Igor has pointed out, you might want to
> do something like this:
>
>     list_for_each_entry(x, &xs, entry) {
>         struct foo *writable = rare_modify(entry);

Would this mapping be impossible to spoof by other cores?

I'm asking this because, from what I understand, local interrupts are
enabled here, so an attack could freeze the core performing the
write-rare operation, while another scrapes the memory.

But blocking interrupts for the entire body of the loop would make RT
latency unpredictable.

>         kref_get(&writable->ref);
>         rare_protect(writable);
>     }
>
> but we'd probably wrap it in list_for_each_rare_entry(), just to be nicer.

This seems suspiciously close to the duplication of kernel interfaces
that I was roasted for :-)

--
igor
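A user-space analogue of the API sketched in the quoted text and of the pool-wide protect(pool) described in the reply, added here as an illustration and not code from the thread or from the prmem patches. It keeps a permanent read-only view of the pool and maps a writable alias only while data is loaded or modified; struct pool, pool_init(), pool_protect(), map_view() and write_faults() are hypothetical names, and the temp-file backing with mmap() is an assumption standing in for the kernel mechanism.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#define POOL_SIZE 4096
struct pool {
    int fd;         /* backing pages shared by both views */
    char *ro, *rw;  /* read-only view (q); writable alias (p), NULL while protected */
    size_t used;    /* bump-allocator offset; sizes assumed multiples of 16 */
};
static char *map_view(struct pool *pl, int prot) {
    char *v = mmap(NULL, POOL_SIZE, prot, MAP_SHARED, pl->fd, 0);
    return v == MAP_FAILED ? NULL : v;
}
static int pool_init(struct pool *pl) {
    FILE *f = tmpfile();  /* assumption: unnamed temp file as backing store */
    if (!f || ftruncate(fileno(f), POOL_SIZE) < 0) return -1;
    *pl = (struct pool){ .fd = fileno(f) };
    pl->ro = map_view(pl, PROT_READ);
    pl->rw = map_view(pl, PROT_READ | PROT_WRITE);  /* loading phase: alias open */
    return (pl->ro && pl->rw) ? 0 : -1;
}
static void *rare_alloc(struct pool *pl, size_t n) {
    if (!pl->rw || pl->used + n > POOL_SIZE) return NULL;
    pl->used += n;
    return pl->rw + pl->used - n;
}
/* protect(pool): a single unmap drops write access to every allocation. */
static void pool_protect(struct pool *pl) {
    if (pl->rw) munmap(pl->rw, POOL_SIZE);
    pl->rw = NULL;
}
/* rare_modify(q) maps a fresh alias and returns p; rare_protect(p) drops it, returns q. */
static void *rare_modify(struct pool *pl, const void *q) {
    pl->rw = map_view(pl, PROT_READ | PROT_WRITE);
    return pl->rw ? pl->rw + ((const char *)q - pl->ro) : NULL;
}
static const void *rare_protect(struct pool *pl, void *p) {
    const void *q = pl->ro + ((char *)p - pl->rw);
    pool_protect(pl);
    return q;
}
/* 1 if a store to addr dies with SIGSEGV; probed in a forked child. */
static int write_faults(void *addr) {
    int st = 0;
    pid_t pid = fork();
    if (pid == 0) { *(volatile char *)addr = 1; _exit(0); }
    return waitpid(pid, &st, 0) == pid && WIFSIGNALED(st) && WTERMSIG(st) == SIGSEGV;
}
```

In this analogue the alias is visible to every thread of the process for as long as it is mapped, which is the window the question about other cores is concerned with.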