From: "Theo de Raadt" <deraadt@openbsd.org>
To: Jeff Xu <jeffxu@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	jeffxu@chromium.org, akpm@linux-foundation.org,
	keescook@chromium.org, jannh@google.com, sroettger@google.com,
	willy@infradead.org, gregkh@linuxfoundation.org,
	jorgelo@chromium.org, groeck@chromium.org,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
	linux-mm@kvack.org, pedro.falcato@gmail.com,
	dave.hansen@intel.com, linux-hardening@vger.kernel.org
Subject: Re: [RFC PATCH v3 11/11] mseal:add documentation
Date: Wed, 13 Dec 2023 18:09:38 -0700
Message-ID: <58421.1702516178@cvs.openbsd.org>
In-Reply-To: <CALmYWFu39nzHvBmRsA326GcmV9u=eM-2aCGOvLK31rrb2R9NEw@mail.gmail.com>

Jeff Xu <jeffxu@google.com> wrote:

> > Or when would you *ever* say "seal this area, but mprotect()" is ok.
> >
> The fact that OpenBSD allows RW=>RO transaction, as in its man page [2]
> 
>  "  At present, mprotect(2) may reduce permissions on immutable pages
>   marked PROT_READ | PROT_WRITE to the less permissive PROT_READ."

Let me explain this.

We encountered two places that needed this less-permission-transition.

Both of these problems were found in either .data or bss, which the
kernel makes immutable by default.  The OpenBSD kernel makes those
regions immutable BY DEFAULT, and there is no way to turn that off.

One was in our libc malloc, which after initialization, wants to protect
a control data structure from being written in the future.

The other was in chrome v8, for the v8_flags variable, this is
similarly mprotected to less permission after initialization to avoid
tampering (because it's an amazing relative-address located control
gadget).

We introduced a different mechanism to solve these problems.

So we added a new ELF section which annotates objects you need to be
MUTABLE.  If these are .data or .bss, they are placed in the MUTABLE
region annotated with the following Program Header:

Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  OPENBSD_MUTABLE 0x0e9000 0x00000000000ec000 0x00000000000ec000 0x001000 0x001000 RW  0x1000

associated with this Section Header

  [20] .openbsd.mutable  PROGBITS        00000000000ec000 0e9000 001000 00  WA  0   0 4096

(It is vaguely similar to RELRO).

You can place objects there using a compiler __attribute__((section))
declaration, like this example from our libc/malloc.c code:

static union {
        struct malloc_readonly mopts;
        u_char _pad[MALLOC_PAGESIZE];
} malloc_readonly __attribute__((aligned(MALLOC_PAGESIZE)))
                __attribute__((section(".openbsd.mutable")));

During startup the code can set the protection and then the immutability
of the object correctly.

Since we have no purpose left for this permission reduction semantic
upon immutable mappings, we may be deleting that behaviour in the
future.  I wrote that code, because I needed it to make progress with some
difficult pieces of code.  But we found a better way.
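The pattern Theo describes (initialize a page-sized control structure, drop it to read-only, then make it immutable) is shown below as an added example for the Linux side of this thread. It is not code from the message, from OpenBSD libc, or from the mseal patch series; it uses the mseal(2) syscall that the series under discussion introduces, rather than OpenBSD's mimmutable(2), and falls back to syscall number 462 when the build headers predate mseal (that number is what Linux 6.10 assigned on every architecture). The struct fields, the ctrl_* function names and the 4096-byte page size are hypothetical and chosen for the example. Note the difference from OpenBSD that the message explains: Linux does not make .data or .bss immutable by default, so no .openbsd.mutable-style opt-out section is needed here; the object simply lives in ordinary data until the program seals it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* mseal(2) arrived in Linux 6.10 as syscall 462 on all architectures.
 * Older headers have no __NR_mseal; assume that number (Linux only). */
#ifndef __NR_mseal
#define __NR_mseal 462
#endif

#define CTRL_PAGESIZE 4096   /* assumed page size; checked at runtime */

/* Hypothetical control block, standing in for a malloc "readonly options"
 * structure: written once at startup, never legitimately written again. */
struct ctrl_readonly {
    size_t chunk_canary;
    unsigned int junk_mode;
    int initialized;
};

/* Exactly one page and page-aligned, mirroring the union-with-padding trick
 * in the message, so mprotect()/mseal() affect no neighbouring object. */
static union {
    struct ctrl_readonly opts;
    unsigned char _pad[CTRL_PAGESIZE];
} ctrl_page __attribute__((aligned(CTRL_PAGESIZE)));

static int last_seal_errno;  /* why sealing was skipped, for diagnostics */

static long sys_mseal(void *addr, size_t len)
{
    return syscall(__NR_mseal, addr, len, 0UL);  /* flags must be 0 */
}

/* Step 1: fill in the control data, then reduce the page to read-only.
 * Returns 0 on success, -errno on failure. */
int ctrl_init(size_t canary, unsigned int junk)
{
    if (sysconf(_SC_PAGESIZE) > CTRL_PAGESIZE)
        return -EINVAL;  /* object is smaller than a hardware page */
    ctrl_page.opts.chunk_canary = canary;
    ctrl_page.opts.junk_mode = junk;
    ctrl_page.opts.initialized = 1;
    if (mprotect(&ctrl_page, sizeof ctrl_page, PROT_READ) != 0)
        return -errno;
    return 0;
}

/* Step 2: seal the page so that neither the protection nor the mapping can
 * change again. Returns 1 if sealed, 0 if the kernel refused or lacks
 * mseal (errno kept in last_seal_errno); the page stays read-only either way. */
int ctrl_seal(void)
{
    if (sys_mseal(&ctrl_page, sizeof ctrl_page) == 0)
        return 1;
    last_seal_errno = errno;
    return 0;
}

/* What a later write-what-where or tampering attempt would need: make the
 * page writable again. Returns 0 if allowed, -errno (EPERM once sealed). */
int ctrl_try_reopen(void)
{
    if (mprotect(&ctrl_page, sizeof ctrl_page, PROT_READ | PROT_WRITE) != 0)
        return -errno;
    return 0;
}

const struct ctrl_readonly *ctrl_get(void)
{
    return &ctrl_page.opts;
}

int main(void)
{
    if (ctrl_init(0x5a5a, 2) != 0)
        return 1;
    int sealed = ctrl_seal();
    int reopened = ctrl_try_reopen();
    printf("sealed=%d (errno %d) reopen=%d canary=%#zx\n",
           sealed, last_seal_errno, reopened, ctrl_get()->chunk_canary);
    return 0;
}
```

On a kernel with mseal, the reopen attempt fails with EPERM and the control block stays read-only for the life of the process; on an older kernel the page is merely read-only and a later mprotect() can reopen it, which is exactly the gap that sealing closes.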
