Message-ID: <CAEAAPHbJnamLELDrJ5G4_VLenfAm9WtPj49uDo0Jk4MzuwbjOA@mail.gmail.com>
Date: Tue, 24 Oct 2023 12:42:59 +0200
From: Stephen Röttger <sroettger@...gle.com>
To: Theo de Raadt <deraadt@...nbsd.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Jeff Xu <jeffxu@...gle.com>, jeffxu@...omium.org,
akpm@...ux-foundation.org, keescook@...omium.org,
jorgelo@...omium.org, groeck@...omium.org,
linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
linux-mm@...ck.org, jannh@...gle.com, surenb@...gle.com,
alex.sierra@....com, apopple@...dia.com,
aneesh.kumar@...ux.ibm.com, axelrasmussen@...gle.com,
ben@...adent.org.uk, catalin.marinas@....com, david@...hat.com,
dwmw@...zon.co.uk, ying.huang@...el.com, hughd@...gle.com,
joey.gouly@....com, corbet@....net, wangkefeng.wang@...wei.com,
Liam.Howlett@...cle.com, lstoakes@...il.com, willy@...radead.org,
mawupeng1@...wei.com, linmiaohe@...wei.com, namit@...are.com,
peterx@...hat.com, peterz@...radead.org, ryan.roberts@....com,
shr@...kernel.io, vbabka@...e.cz, xiujianfeng@...wei.com,
yu.ma@...el.com, zhangpeng362@...wei.com, dave.hansen@...el.com,
luto@...nel.org, linux-hardening@...r.kernel.org
Subject: Re: [RFC PATCH v1 0/8] Introduce mseal() syscall
> The problem you seem to have with fully locked mseal() in chrome seems
> to be here:
>
> > about permission changes but sometimes we do need to mprotect data only
> > pages.
>
> Does that data have to be in the same region? Can your allocator not
> put the non-code pieces of the JIT elsewhere, with a different
> permission, fully immutable / msealed -- and perhaps even managed with a
> different PKEY if necessary?

No, we can't. We investigated this extensively since this also poses some
difficulties on MacOS. We implemented different approaches but any such
change to the allocator introduces too much of a performance impact.