Message-ID: <CAEAAPHbB0yZfpXGMib4bbH8z5diKfur5M6mAfZuB6qi9UVpcPw@mail.gmail.com>
Date: Thu, 19 Oct 2023 10:28:32 +0200
From: Stephen Röttger <sroettger@...gle.com>
To: Theo de Raadt <deraadt@...nbsd.org>
Cc: Jeff Xu <jeffxu@...gle.com>, Matthew Wilcox <willy@...radead.org>, 
	Linus Torvalds <torvalds@...ux-foundation.org>, jeffxu@...omium.org, 
	akpm@...ux-foundation.org, keescook@...omium.org, jorgelo@...omium.org, 
	groeck@...omium.org, linux-kernel@...r.kernel.org, 
	linux-kselftest@...r.kernel.org, linux-mm@...ck.org, jannh@...gle.com, 
	surenb@...gle.com, alex.sierra@....com, apopple@...dia.com, 
	aneesh.kumar@...ux.ibm.com, axelrasmussen@...gle.com, ben@...adent.org.uk, 
	catalin.marinas@....com, david@...hat.com, dwmw@...zon.co.uk, 
	ying.huang@...el.com, hughd@...gle.com, joey.gouly@....com, corbet@....net, 
	wangkefeng.wang@...wei.com, Liam.Howlett@...cle.com, lstoakes@...il.com, 
	mawupeng1@...wei.com, linmiaohe@...wei.com, namit@...are.com, 
	peterx@...hat.com, peterz@...radead.org, ryan.roberts@....com, 
	shr@...kernel.io, vbabka@...e.cz, xiujianfeng@...wei.com, yu.ma@...el.com, 
	zhangpeng362@...wei.com, dave.hansen@...el.com, luto@...nel.org, 
	linux-hardening@...r.kernel.org
Subject: Re: [RFC PATCH v1 0/8] Introduce mseal() syscall

> > IMO: The approaches mimmutable() and mseal() took are different, but
> > we all want to seal the memory from attackers and make the linux
> > application safer.
>
> I think you are building mseal for chrome, and chrome alone.
>
> I do not think this will work out for the rest of the application space
> because
>
> 1) it is too complicated
> 2) experience with mimmutable() says that applications don't do any of it
>    themselves, it is all in execve(), libc initialization, and ld.so.
>    You don't strike me as an execve, libc, or ld.so developer.

We do want to build this in a way that it can be applied automatically
by ld.so and we appreciate all your feedback on this. The intention of
splitting the sealing by syscall was to provide flexibility while still
allowing ld.so to seal all operations.
But it's clear from the feedback that both the fine-grained split and
the per-syscall approach are not the right way to go.
Does Linus' proposal to just split munmap / mprotect sealing address
your complexity concerns? ld.so would always use both flags, which
should then behave similarly to mimmutable().
