[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAEAAPHbB0yZfpXGMib4bbH8z5diKfur5M6mAfZuB6qi9UVpcPw@mail.gmail.com>
Date: Thu, 19 Oct 2023 10:28:32 +0200
From: Stephen Röttger <sroettger@...gle.com>
To: Theo de Raadt <deraadt@...nbsd.org>
Cc: Jeff Xu <jeffxu@...gle.com>, Matthew Wilcox <willy@...radead.org>,
Linus Torvalds <torvalds@...ux-foundation.org>, jeffxu@...omium.org,
akpm@...ux-foundation.org, keescook@...omium.org, jorgelo@...omium.org,
groeck@...omium.org, linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org, linux-mm@...ck.org, jannh@...gle.com,
surenb@...gle.com, alex.sierra@....com, apopple@...dia.com,
aneesh.kumar@...ux.ibm.com, axelrasmussen@...gle.com, ben@...adent.org.uk,
catalin.marinas@....com, david@...hat.com, dwmw@...zon.co.uk,
ying.huang@...el.com, hughd@...gle.com, joey.gouly@....com, corbet@....net,
wangkefeng.wang@...wei.com, Liam.Howlett@...cle.com, lstoakes@...il.com,
mawupeng1@...wei.com, linmiaohe@...wei.com, namit@...are.com,
peterx@...hat.com, peterz@...radead.org, ryan.roberts@....com,
shr@...kernel.io, vbabka@...e.cz, xiujianfeng@...wei.com, yu.ma@...el.com,
zhangpeng362@...wei.com, dave.hansen@...el.com, luto@...nel.org,
linux-hardening@...r.kernel.org
Subject: Re: [RFC PATCH v1 0/8] Introduce mseal() syscall
> > IMO: The approaches mimmutable() and mseal() took are different, but
> > we all want to seal the memory from attackers and make the linux
> > application safer.
>
> I think you are building mseal for chrome, and chrome alone.
>
> I do not think this will work out for the rest of the application space
> because
>
> 1) it is too complicated
> 2) experience with mimmutable() says that applications don't do any of it
> themselves, it is all in execve(), libc initialization, and ld.so.
> You don't strike me as an execve, libc, or ld.so developer.
We do want to build this in a way that it can be applied automatically by ld.so
and we appreciate all your feedback on this. The intention of
splitting the sealing
by syscall was to provide flexibility while still allowing ld.so to
seal all operations.
But it's clear from the feedback that both the fine grained split and
the per-syscall
approach are not the right way to go.
Does Linus' proposal to just split munmap / mprotect sealing address your
complexity concerns? ld.so would always use both flags which should then behave
similar to mimmutable().
Download attachment "smime.p7s" of type "application/pkcs7-signature" (4005 bytes)
Powered by blists - more mailing lists