From: "Theo de Raadt" <deraadt@openbsd.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jeff Xu <jeffxu@chromium.org>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Jonathan Corbet <corbet@lwn.net>,
akpm@linux-foundation.org, keescook@chromium.org,
jannh@google.com, sroettger@google.com, willy@infradead.org,
gregkh@linuxfoundation.org, usama.anjum@collabora.com,
rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org,
groeck@chromium.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
pedro.falcato@gmail.com, dave.hansen@intel.com,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v8 0/4] Introduce mseal
Date: Thu, 01 Feb 2024 17:26:25 -0700 [thread overview]
Message-ID: <7481.1706833585@cvs.openbsd.org> (raw)
In-Reply-To: <CAHk-=wjqozic6JuRimXD=RamnJmD6FoaQki7RtNYrezzx_OfOg@mail.gmail.com>
Linus Torvalds <torvalds@linux-foundation.org> wrote:
> and using PROT_SEAL at mmap() time is similarly the same obvious
> notion of "map this, and then seal that mapping".
The usual way is:
ptr = mmap(NULL, len PROT_READ|PROT_WRITE, ...)
initialize region between ptr, ptr+len
mprotect(ptr, len, PROT_READ)
mseal(ptr, len, 0);
Our source tree contains one place where a locking happens very close
to a mmap().
It is the shared-library-linker 'hints file', this is a file that gets
mapped PROT_READ and then we lock it.
It feels like that could be one operation? It can't be.
addr = (void *)mmap(0, hsize, PROT_READ, MAP_PRIVATE, hfd, 0);
if (_dl_mmap_error(addr))
goto bad_hints;
hheader = (struct hints_header *)addr;
if (HH_BADMAG(*hheader) || hheader->hh_ehints > hsize)
goto bad_hints;
/* couple more error checks */
mimmutable(addr, hsize);
close(hfd);
return (0);
bad_hints:
munmap(addr, hsize);
...
See the problem? It unmaps it if the contents are broken. So even that
case cannot use something like "PROT_SEAL".
These are not hypotheticals. I'm grepping an entire Unix kernel and
userland source tree, and I know what 100,000+ applications do. I found
piece of code that could almost use it, but upon inspection it can't,
and it is obvious why: it is best idiom to allow a programmer to insert
an inspection operation between two disctinct operations, and especially
critical if the 2nd operation cannot be reversed.
Noone needs PROT_SEAL as a shortcut operation in mmap() or mprotect().
Throwing around ideas without proving their use in practice is very
unscientific.
next prev parent reply other threads:[~2024-02-02 0:26 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-31 17:50 [PATCH v8 0/4] Introduce mseal jeffxu
2024-01-31 17:50 ` [PATCH v8 1/4] mseal: Wire up mseal syscall jeffxu
2024-01-31 17:50 ` [PATCH v8 2/4] mseal: add " jeffxu
2024-02-01 23:11 ` Eric Biggers
2024-02-02 3:30 ` Jeff Xu
2024-02-02 3:54 ` Theo de Raadt
2024-02-02 4:03 ` Jeff Xu
2024-02-02 4:10 ` Theo de Raadt
2024-02-02 4:22 ` Jeff Xu
2024-01-31 17:50 ` [PATCH v8 3/4] selftest mm/mseal memory sealing jeffxu
2024-01-31 17:50 ` [PATCH v8 4/4] mseal:add documentation jeffxu
2024-01-31 19:34 ` [PATCH v8 0/4] Introduce mseal Liam R. Howlett
2024-02-01 1:27 ` Jeff Xu
2024-02-01 1:46 ` Theo de Raadt
2024-02-01 16:56 ` Bird, Tim
2024-02-01 1:55 ` Theo de Raadt
2024-02-01 20:45 ` Liam R. Howlett
2024-02-01 22:24 ` Theo de Raadt
2024-02-02 1:06 ` Greg KH
2024-02-02 3:24 ` Jeff Xu
2024-02-02 3:29 ` Linus Torvalds
2024-02-02 3:46 ` Jeff Xu
2024-02-02 15:18 ` Greg KH
2024-02-01 22:37 ` Jeff Xu
2024-02-01 22:54 ` Theo de Raadt
2024-02-01 23:15 ` Linus Torvalds
2024-02-01 23:43 ` Theo de Raadt
2024-02-02 0:26 ` Theo de Raadt [this message]
2024-02-02 3:20 ` Jeff Xu
2024-02-02 4:05 ` Theo de Raadt
2024-02-02 4:54 ` Jeff Xu
2024-02-02 5:00 ` Theo de Raadt
2024-02-02 17:58 ` Jeff Xu
2024-02-02 18:51 ` Pedro Falcato
2024-02-02 21:20 ` Jeff Xu
2024-02-04 19:39 ` David Laight
2024-02-02 17:05 ` Theo de Raadt
2024-02-02 21:02 ` Jeff Xu
2024-02-02 3:14 ` Jeff Xu
2024-02-02 15:13 ` Liam R. Howlett
2024-02-02 17:24 ` Jeff Xu
2024-02-02 19:21 ` Liam R. Howlett
2024-02-02 19:32 ` Theo de Raadt
2024-02-02 20:36 ` Linus Torvalds
2024-02-02 20:57 ` Jeff Xu
2024-02-02 21:18 ` Liam R. Howlett
2024-02-02 23:36 ` Linus Torvalds
2024-02-03 4:45 ` Liam R. Howlett
2024-02-05 22:13 ` Suren Baghdasaryan
2024-02-02 20:14 ` Jeff Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7481.1706833585@cvs.openbsd.org \
--to=deraadt@openbsd.org \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=corbet@lwn.net \
--cc=dave.hansen@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=groeck@chromium.org \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pedro.falcato@gmail.com \
--cc=rdunlap@infradead.org \
--cc=sroettger@google.com \
--cc=torvalds@linux-foundation.org \
--cc=usama.anjum@collabora.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).