From: Linus Torvalds <torvalds@linux-foundation.org>
To: Theo de Raadt <deraadt@openbsd.org>
Cc: Jeff Xu <jeffxu@chromium.org>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Jonathan Corbet <corbet@lwn.net>,
akpm@linux-foundation.org, keescook@chromium.org,
jannh@google.com, sroettger@google.com, willy@infradead.org,
gregkh@linuxfoundation.org, usama.anjum@collabora.com,
rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org,
groeck@chromium.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
pedro.falcato@gmail.com, dave.hansen@intel.com,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v8 0/4] Introduce mseal
Date: Thu, 1 Feb 2024 15:15:27 -0800 [thread overview]
Message-ID: <CAHk-=wjqozic6JuRimXD=RamnJmD6FoaQki7RtNYrezzx_OfOg@mail.gmail.com> (raw)
In-Reply-To: <58408.1706828083@cvs.openbsd.org>
On Thu, 1 Feb 2024 at 14:54, Theo de Raadt <deraadt@openbsd.org> wrote:
>
> Linus, you are in for a shock when the proposal doesn't work for glibc
> and all the applications!
Heh. I've enjoyed seeing your argumentative style that made you so
famous back in the days. Maybe it's always been there, but I haven't
seen the BSD people in so long that I'd forgotten all about it.
That said, famously argumentative or not, I think Theo is right, and I
do think the MAP_SEALABLE bit is nonsensical.
If somebody wants to mseal() a memory region, why would they need to
express that ahead of time?
So the part I think is sane is the mseal() system call itself, in that
it allows *potential* future expansion of the semantics.
But hopefully said future expansion isn't even needed, and all users
want the base experience, which is why I think PROT_SEAL (both to mmap
and to mprotect) makes sense as an alternative form.
So yes, to my mind
mprotect(addr, len, PROT_READ);
mseal(addr, len, 0);
should basically give identical results to
mprotect(addr, len, PROT_READ | PROT_SEAL);
and using PROT_SEAL at mmap() time is similarly the same obvious
notion of "map this, and then seal that mapping".
The reason for having "mseal()" as a separate call at all from the
PROT_SEAL bit is that it does allow possible future expansion (while
PROT_SEAL is just a single bit, and it won't change semantics) but
also so that you can do whatever prep-work in stages if you want to,
and then just go "now we seal it all".
Linus
next prev parent reply other threads:[~2024-02-01 23:15 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-31 17:50 [PATCH v8 0/4] Introduce mseal jeffxu
2024-01-31 17:50 ` [PATCH v8 1/4] mseal: Wire up mseal syscall jeffxu
2024-01-31 17:50 ` [PATCH v8 2/4] mseal: add " jeffxu
2024-02-01 23:11 ` Eric Biggers
2024-02-02 3:30 ` Jeff Xu
2024-02-02 3:54 ` Theo de Raadt
2024-02-02 4:03 ` Jeff Xu
2024-02-02 4:10 ` Theo de Raadt
2024-02-02 4:22 ` Jeff Xu
2024-01-31 17:50 ` [PATCH v8 3/4] selftest mm/mseal memory sealing jeffxu
2024-01-31 17:50 ` [PATCH v8 4/4] mseal:add documentation jeffxu
2024-01-31 19:34 ` [PATCH v8 0/4] Introduce mseal Liam R. Howlett
2024-02-01 1:27 ` Jeff Xu
2024-02-01 1:46 ` Theo de Raadt
2024-02-01 16:56 ` Bird, Tim
2024-02-01 1:55 ` Theo de Raadt
2024-02-01 20:45 ` Liam R. Howlett
2024-02-01 22:24 ` Theo de Raadt
2024-02-02 1:06 ` Greg KH
2024-02-02 3:24 ` Jeff Xu
2024-02-02 3:29 ` Linus Torvalds
2024-02-02 3:46 ` Jeff Xu
2024-02-02 15:18 ` Greg KH
2024-02-01 22:37 ` Jeff Xu
2024-02-01 22:54 ` Theo de Raadt
2024-02-01 23:15 ` Linus Torvalds [this message]
2024-02-01 23:43 ` Theo de Raadt
2024-02-02 0:26 ` Theo de Raadt
2024-02-02 3:20 ` Jeff Xu
2024-02-02 4:05 ` Theo de Raadt
2024-02-02 4:54 ` Jeff Xu
2024-02-02 5:00 ` Theo de Raadt
2024-02-02 17:58 ` Jeff Xu
2024-02-02 18:51 ` Pedro Falcato
2024-02-02 21:20 ` Jeff Xu
2024-02-04 19:39 ` David Laight
2024-02-02 17:05 ` Theo de Raadt
2024-02-02 21:02 ` Jeff Xu
2024-02-02 3:14 ` Jeff Xu
2024-02-02 15:13 ` Liam R. Howlett
2024-02-02 17:24 ` Jeff Xu
2024-02-02 19:21 ` Liam R. Howlett
2024-02-02 19:32 ` Theo de Raadt
2024-02-02 20:36 ` Linus Torvalds
2024-02-02 20:57 ` Jeff Xu
2024-02-02 21:18 ` Liam R. Howlett
2024-02-02 23:36 ` Linus Torvalds
2024-02-03 4:45 ` Liam R. Howlett
2024-02-05 22:13 ` Suren Baghdasaryan
2024-02-02 20:14 ` Jeff Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHk-=wjqozic6JuRimXD=RamnJmD6FoaQki7RtNYrezzx_OfOg@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=corbet@lwn.net \
--cc=dave.hansen@intel.com \
--cc=deraadt@openbsd.org \
--cc=gregkh@linuxfoundation.org \
--cc=groeck@chromium.org \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pedro.falcato@gmail.com \
--cc=rdunlap@infradead.org \
--cc=sroettger@google.com \
--cc=usama.anjum@collabora.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).