From: Pedro Falcato <pedro.falcato@gmail.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: jeffxu@chromium.org, akpm@linux-foundation.org,
keescook@chromium.org, sroettger@google.com, jeffxu@google.com,
jorgelo@chromium.org, groeck@chromium.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-mm@kvack.org, jannh@google.com, surenb@google.com,
alex.sierra@amd.com, apopple@nvidia.com,
aneesh.kumar@linux.ibm.com, axelrasmussen@google.com,
ben@decadent.org.uk, catalin.marinas@arm.com, david@redhat.com,
dwmw@amazon.co.uk, ying.huang@intel.com, hughd@google.com,
joey.gouly@arm.com, corbet@lwn.net, wangkefeng.wang@huawei.com,
Liam.Howlett@oracle.com, torvalds@linux-foundation.org,
lstoakes@gmail.com, mawupeng1@huawei.com, linmiaohe@huawei.com,
namit@vmware.com, peterx@redhat.com, peterz@infradead.org,
ryan.roberts@arm.com, shr@devkernel.io, vbabka@suse.cz,
xiujianfeng@huawei.com, yu.ma@intel.com, zhangpeng362@huawei.com,
dave.hansen@intel.com, luto@kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [RFC PATCH v1 0/8] Introduce mseal() syscall
Date: Tue, 17 Oct 2023 16:29:58 +0100 [thread overview]
Message-ID: <CAKbZUD2A+=bp_sd+Q0Yif7NJqMu8p__eb4yguq0agEcmLH8SDQ@mail.gmail.com> (raw)
In-Reply-To: <ZS1URCBgwGGj9JtM@casper.infradead.org>
On Mon, Oct 16, 2023 at 4:18 PM Matthew Wilcox <willy@infradead.org> wrote:
>
> On Mon, Oct 16, 2023 at 02:38:19PM +0000, jeffxu@chromium.org wrote:
> > Modern CPUs support memory permissions such as RW and NX bits. Linux has
> > supported NX since the release of kernel version 2.6.8 in August 2004 [1].
>
> This seems like a confusing way to introduce the subject. Here, you're
> talking about page permissions, whereas (as far as I can tell), mseal() is
> about making _virtual_ addresses immutable, for some value of immutable.
>
> > Memory sealing additionally protects the mapping itself against
> > modifications. This is useful to mitigate memory corruption issues where
> > a corrupted pointer is passed to a memory management syscall. For example,
> > such an attacker primitive can break control-flow integrity guarantees
> > since read-only memory that is supposed to be trusted can become writable
> > or .text pages can get remapped. Memory sealing can automatically be
> > applied by the runtime loader to seal .text and .rodata pages and
> > applications can additionally seal security critical data at runtime.
> > A similar feature already exists in the XNU kernel with the
> > VM_FLAGS_PERMANENT [3] flag and on OpenBSD with the mimmutable syscall [4].
> > Also, Chrome wants to adopt this feature for their CFI work [2] and this
> > patchset has been designed to be compatible with the Chrome use case.
>
> This [2] seems very generic and wide-ranging, not helpful. [5] was more
> useful to understand what you're trying to do.
>
> > The new mseal() is an architecture independent syscall, and with
> > following signature:
> >
> > mseal(void addr, size_t len, unsigned int types, unsigned int flags)
> >
> > addr/len: memory range. Must be continuous/allocated memory, or else
> > mseal() will fail and no VMA is updated. For details on acceptable
> > arguments, please refer to comments in mseal.c. Those are also fully
> > covered by the selftest.
>
> Mmm. So when you say "continuous/allocated" what you really mean is
> "Must have contiguous VMAs" rather than "All pages in this range must
> be populated", yes?
>
> > types: bit mask to specify which syscall to seal, currently they are:
> > MM_SEAL_MSEAL 0x1
> > MM_SEAL_MPROTECT 0x2
> > MM_SEAL_MUNMAP 0x4
> > MM_SEAL_MMAP 0x8
> > MM_SEAL_MREMAP 0x10
>
> I don't understand why we want this level of granularity. The OpenBSD
> and XNU examples just say "This must be immutable*". For values of
> immutable that allow downgrading access (eg RW to RO or RX to RO),
> but not upgrading access (RW->RX, RO->*, RX->RW).
>
> > Each bit represents sealing for one specific syscall type, e.g.
> > MM_SEAL_MPROTECT will deny mprotect syscall. The consideration of bitmask
> > is that the API is extendable, i.e. when needed, the sealing can be
> > extended to madvise, mlock, etc. Backward compatibility is also easy.
>
> Honestly, it feels too flexible. Why not just two flags to mprotect()
> -- PROT_IMMUTABLE and PROT_DOWNGRADABLE. I can see a use for that --
> maybe for some things we want to be able to downgrade and for other
> things, we don't.
I think it's worth pointing out that this suggestion (with PROT_*)
could easily integrate with mmap() and as such allow for one-shot
mmap() + mseal().
If we consider the common case as 'addr = mmap(...); mseal(addr);', it
definitely sounds like a performance win as we halve the number of
syscalls for a sealed mapping. And if we trivially look at e.g OpenBSD
ld.so code, mmap() + mimmutable() and mprotect() + mimmutable() seem
like common patterns.
--
Pedro
next prev parent reply other threads:[~2023-10-17 15:30 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-16 14:38 [RFC PATCH v1 0/8] Introduce mseal() syscall jeffxu
2023-10-16 14:38 ` [RFC PATCH v1 1/8] Add mseal syscall jeffxu
2023-10-16 15:05 ` Greg KH
2023-10-17 6:50 ` Jeff Xu
2023-10-16 14:38 ` [RFC PATCH v1 2/8] Wire up " jeffxu
2023-10-16 14:38 ` [RFC PATCH v1 3/8] mseal: add can_modify_mm and can_modify_vma jeffxu
2023-10-16 14:38 ` [RFC PATCH v1 4/8] mseal: seal mprotect jeffxu
2023-10-16 14:38 ` [RFC PATCH v1 5/8] mseal munmap jeffxu
2023-10-16 14:38 ` [RFC PATCH v1 6/8] mseal mremap jeffxu
2023-10-16 14:38 ` [RFC PATCH v1 7/8] mseal mmap jeffxu
2023-10-16 14:38 ` [RFC PATCH v1 8/8] selftest mm/mseal mprotect/munmap/mremap/mmap jeffxu
2023-10-16 15:18 ` [RFC PATCH v1 0/8] Introduce mseal() syscall Matthew Wilcox
2023-10-17 8:34 ` Jeff Xu
2023-10-17 12:56 ` Matthew Wilcox
2023-10-17 15:29 ` Pedro Falcato [this message]
2023-10-17 21:33 ` Jeff Xu
2023-10-17 22:35 ` Pedro Falcato
2023-10-18 18:20 ` Jeff Xu
2023-10-19 17:30 ` Jeff Xu
2023-10-19 22:47 ` Pedro Falcato
2023-10-19 23:06 ` Linus Torvalds
2023-10-23 17:44 ` Jeff Xu
2023-10-23 17:42 ` Jeff Xu
2023-10-16 17:23 ` Linus Torvalds
2023-10-17 9:07 ` Jeff Xu
2023-10-17 17:22 ` Linus Torvalds
2023-10-17 18:20 ` Theo de Raadt
2023-10-17 18:38 ` Linus Torvalds
2023-10-17 18:55 ` Theo de Raadt
2023-10-19 8:00 ` Stephen Röttger
2023-10-20 16:27 ` Theo de Raadt
2023-10-24 10:42 ` Stephen Röttger
2023-10-17 23:01 ` Jeff Xu
2023-10-17 23:56 ` Theo de Raadt
2023-10-18 3:18 ` Jeff Xu
2023-10-18 3:37 ` Theo de Raadt
2023-10-18 15:17 ` Matthew Wilcox
2023-10-18 18:54 ` Jeff Xu
2023-10-18 20:36 ` Theo de Raadt
2023-10-19 8:28 ` Stephen Röttger
2023-10-20 15:55 ` Theo de Raadt
2023-10-16 17:34 ` Jann Horn
2023-10-17 8:42 ` Jeff Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKbZUD2A+=bp_sd+Q0Yif7NJqMu8p__eb4yguq0agEcmLH8SDQ@mail.gmail.com' \
--to=pedro.falcato@gmail.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=alex.sierra@amd.com \
--cc=aneesh.kumar@linux.ibm.com \
--cc=apopple@nvidia.com \
--cc=axelrasmussen@google.com \
--cc=ben@decadent.org.uk \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@intel.com \
--cc=david@redhat.com \
--cc=dwmw@amazon.co.uk \
--cc=groeck@chromium.org \
--cc=hughd@google.com \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=jeffxu@google.com \
--cc=joey.gouly@arm.com \
--cc=jorgelo@chromium.org \
--cc=keescook@chromium.org \
--cc=linmiaohe@huawei.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lstoakes@gmail.com \
--cc=luto@kernel.org \
--cc=mawupeng1@huawei.com \
--cc=namit@vmware.com \
--cc=peterx@redhat.com \
--cc=peterz@infradead.org \
--cc=ryan.roberts@arm.com \
--cc=shr@devkernel.io \
--cc=sroettger@google.com \
--cc=surenb@google.com \
--cc=torvalds@linux-foundation.org \
--cc=vbabka@suse.cz \
--cc=wangkefeng.wang@huawei.com \
--cc=willy@infradead.org \
--cc=xiujianfeng@huawei.com \
--cc=ying.huang@intel.com \
--cc=yu.ma@intel.com \
--cc=zhangpeng362@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).