From: "Stephen Röttger" <sroettger@google.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: jeffxu@chromium.org, akpm@linux-foundation.org,
keescook@chromium.org, jannh@google.com, willy@infradead.org,
gregkh@linuxfoundation.org, jeffxu@google.com,
jorgelo@chromium.org, groeck@chromium.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-mm@kvack.org, surenb@google.com, alex.sierra@amd.com,
apopple@nvidia.com, aneesh.kumar@linux.ibm.com,
axelrasmussen@google.com, ben@decadent.org.uk,
catalin.marinas@arm.com, david@redhat.com, dwmw@amazon.co.uk,
ying.huang@intel.com, hughd@google.com, joey.gouly@arm.com,
corbet@lwn.net, wangkefeng.wang@huawei.com,
Liam.Howlett@oracle.com, lstoakes@gmail.com,
mawupeng1@huawei.com, linmiaohe@huawei.com, namit@vmware.com,
peterx@redhat.com, peterz@infradead.org, ryan.roberts@arm.com,
shr@devkernel.io, vbabka@suse.cz, xiujianfeng@huawei.com,
yu.ma@intel.com, zhangpeng362@huawei.com, dave.hansen@intel.com,
luto@kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [RFC PATCH v2 7/8] mseal:Check seal flag for mmap(2)
Date: Thu, 19 Oct 2023 09:27:03 +0200 [thread overview]
Message-ID: <CAEAAPHYakbZxf7CYbhGVJ-sGM3KFP3vCMJ9kErbMpi75Ekg20A@mail.gmail.com> (raw)
In-Reply-To: <CAHk-=whchB_=Qx_oNAg3KBe-erNg9R2p_91ikaRZhsNY_2-G7g@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 937 bytes --]
> Without that practical reason, I think the only two sane sealing operations are:
>
> - SEAL_MUNMAP: "don't allow this mapping address to go away"
>
> IOW no unmap, no shrinking, no moving mremap
>
> - SEAL_MPROTECT: "don't allow any mapping permission changes"
>
> Again, that permission case might end up being "don't allow
> _additional_ permissions" and "don't allow taking permissions away".
> Or it could be split by operation (ie "don't allow permission changes
> to writability / readability / executability respectively").
>
> I suspect there isn't a real-life example of splitting the
> SEAL_MPROTECT (the same way I doubt there's a real-life example for
> splitting the UNMAP into "unmap vs move"), so unless there is some
> real reason, I'd keep the sealing minimal and to just those two flags.
These two flags are exactly what we would use in Chrome. I can't think of a
use case for a more fine grained split either.
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4005 bytes --]
next prev parent reply other threads:[~2023-10-19 7:27 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-17 9:08 [RFC PATCH v2 0/8] Introduce mseal() syscall jeffxu
2023-10-17 9:08 ` [RFC PATCH v2 1/8] mseal: Add mseal(2) syscall jeffxu
2023-10-17 15:45 ` Randy Dunlap
2023-10-17 9:08 ` [RFC PATCH v2 2/8] mseal: Wire up mseal syscall jeffxu
2023-10-17 9:08 ` [RFC PATCH v2 3/8] mseal: add can_modify_mm and can_modify_vma jeffxu
2023-10-17 9:08 ` [RFC PATCH v2 4/8] mseal: Check seal flag for mprotect(2) jeffxu
2023-10-17 9:08 ` [RFC PATCH v2 5/8] mseal: Check seal flag for munmap(2) jeffxu
2023-10-17 16:54 ` Linus Torvalds
2023-10-18 15:08 ` Jeff Xu
2023-10-18 17:14 ` Jeff Xu
2023-10-18 18:27 ` Linus Torvalds
2023-10-18 19:07 ` Jeff Xu
2023-10-17 9:08 ` [RFC PATCH v2 6/8] mseal: Check seal flag for mremap(2) jeffxu
2023-10-20 13:56 ` Muhammad Usama Anjum
2023-10-17 9:08 ` [RFC PATCH v2 7/8] mseal:Check seal flag for mmap(2) jeffxu
2023-10-17 17:04 ` Linus Torvalds
2023-10-17 17:43 ` Linus Torvalds
2023-10-18 7:01 ` Jeff Xu
2023-10-19 7:27 ` Stephen Röttger [this message]
2023-10-17 9:08 ` [RFC PATCH v2 8/8] selftest mm/mseal mprotect/munmap/mremap/mmap jeffxu
2023-10-20 14:24 ` Muhammad Usama Anjum
2023-10-20 15:23 ` Peter Zijlstra
2023-10-20 16:33 ` Muhammad Usama Anjum
2023-10-19 9:19 ` [RFC PATCH v2 0/8] Introduce mseal() syscall David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAEAAPHYakbZxf7CYbhGVJ-sGM3KFP3vCMJ9kErbMpi75Ekg20A@mail.gmail.com \
--to=sroettger@google.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=alex.sierra@amd.com \
--cc=aneesh.kumar@linux.ibm.com \
--cc=apopple@nvidia.com \
--cc=axelrasmussen@google.com \
--cc=ben@decadent.org.uk \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@intel.com \
--cc=david@redhat.com \
--cc=dwmw@amazon.co.uk \
--cc=gregkh@linuxfoundation.org \
--cc=groeck@chromium.org \
--cc=hughd@google.com \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=jeffxu@google.com \
--cc=joey.gouly@arm.com \
--cc=jorgelo@chromium.org \
--cc=keescook@chromium.org \
--cc=linmiaohe@huawei.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lstoakes@gmail.com \
--cc=luto@kernel.org \
--cc=mawupeng1@huawei.com \
--cc=namit@vmware.com \
--cc=peterx@redhat.com \
--cc=peterz@infradead.org \
--cc=ryan.roberts@arm.com \
--cc=shr@devkernel.io \
--cc=surenb@google.com \
--cc=torvalds@linux-foundation.org \
--cc=vbabka@suse.cz \
--cc=wangkefeng.wang@huawei.com \
--cc=willy@infradead.org \
--cc=xiujianfeng@huawei.com \
--cc=ying.huang@intel.com \
--cc=yu.ma@intel.com \
--cc=zhangpeng362@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).