| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 6 Apr 2013 05:01:13 +0200 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: Al Viro <viro@...IV.linux.org.uk> Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, Linus Torvalds <torvalds@...ux-foundation.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Rik van Riel <riel@...hat.com>, Andrew Morton <akpm@...ux-foundation.org>, Alexey Dobriyan <adobriyan@...il.com> Subject: Re: [RFC] revoke(2) and generic handling of things like remove_proc_entry() On Fri, Apr 05, 2013 at 05:29:32AM +0100, Al Viro wrote: > 4) nasty semantics issue - mmap() vs. revoke (of any sort, including > remove_proc_entry(), etc.). Suppose a revokable file had been mmapped; > now it's going away. What should we do to its VMAs? Right now sysfs > and procfs get away with that, but only because there's only one thing > that has ->mmap() there - /proc/bus/pci and sysfs equivalents. I've > no idea how does pci_mmap_page_range() interact with PCI hotplug (and > I'm not at all sure that whatever it does isn't racy wrt device removal), > but I suspect that it strongly depends on lack of ->fault() for those > VMAs, which makes killing all PTEs pointing to pages in question enough. > How generic do we want to make it? Anybody wanting to add more files > that could be mmapped in procfs/sysfs/debugfs deserves to be hurt, but > if we start playing with revoke(2), restriction might become inconvenient. > I'm not sure what kind of behaviour do we want there - *BSD at least > used to have revoke(2) only for character devices that had no mmap()... I am seeing possible problems in software implementing their own memory management ontop SIGSEGV e.g. java. I hope they sanely distinguish between heap mappings and file mmaps. FreeBSD allowes tearing down a mmap on MAC security relabel. Two possible actions are available: SIGSEGV generation by tearing down the mapping forcefully or enable some kind of copy-on-write semantics on revoke: http://svnweb.freebsd.org/base/head/sys/security/mac/mac_process.c?revision=248084&view=markup I like to see something like revoke being worked on, thanks! Greetings, Hannes -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists