| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Feb 2024 12:30:30 +0100 From: Petr Tesarik <petrtesarik@...weicloud.com> To: Jonathan Corbet <corbet@....net>, David Kaplan <david.kaplan@....com>, Larry Dewey <larry.dewey@....com>, Elena Reshetova <elena.reshetova@...el.com>, Carlos Bilbao <carlos.bilbao@....com>, "Masami Hiramatsu (Google)" <mhiramat@...nel.org>, Andrew Morton <akpm@...ux-foundation.org>, Randy Dunlap <rdunlap@...radead.org>, Petr Mladek <pmladek@...e.com>, "Paul E. McKenney" <paulmck@...nel.org>, Eric DeVolder <eric.devolder@...cle.com>, Marc Aurèle La France <tsi@...oix.net>, "Gustavo A. R. Silva" <gustavoars@...nel.org>, Nhat Pham <nphamcs@...il.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, "Christian Brauner (Microsoft)" <brauner@...nel.org>, Douglas Anderson <dianders@...omium.org>, Luis Chamberlain <mcgrof@...nel.org>, Guenter Roeck <groeck@...omium.org>, Mike Christie <michael.christie@...cle.com>, Kent Overstreet <kent.overstreet@...ux.dev>, Maninder Singh <maninder1.s@...sung.com>, linux-doc@...r.kernel.org (open list:DOCUMENTATION), linux-kernel@...r.kernel.org (open list) Cc: Roberto Sassu <roberto.sassu@...weicloud.com>, petr@...arici.cz, Petr Tesarik <petr.tesarik1@...wei-partners.com> Subject: [PATCH v1 0/5] Introduce SandBox Mode (SBM) From: Petr Tesarik <petr.tesarik1@...wei-partners.com> The ultimate goal of SandBox Mode is to execute native kernel code in an environment which permits memory access only to predefined addresses, so potential vulnerabilities cannot be exploited or will have no impact on the rest of the kernel. This patch series adds the API and arch-independent infrastructure of SandBox Mode to the kernel. It runs the target function on a vmalloc()'ed copy of all input and output data. This alone prevents some out-of-bounds accesses thanks to guard pages. Patch 4/5 adds KUnit tests. It is also a good starting point to understand how SandBox Mode is supposed to be used. Detailed description of SandBox Mode goals, usage and future plans can be found in patch 5/5 of this series and is not repeated in this cover letter. Petr Tesarik (5): sbm: SandBox Mode core data types and functions sbm: sandbox input and output buffers sbm: call helpers and thunks sbm: SandBox Mode KUnit test suite sbm: SandBox Mode documentation Documentation/security/index.rst | 1 + Documentation/security/sandbox-mode.rst | 180 ++++++ include/linux/sbm.h | 516 +++++++++++++++++ init/Kconfig | 2 + kernel/Kconfig.sbm | 43 ++ kernel/Makefile | 2 + kernel/sbm.c | 133 +++++ kernel/sbm_test.c | 735 ++++++++++++++++++++++++ 8 files changed, 1612 insertions(+) create mode 100644 Documentation/security/sandbox-mode.rst create mode 100644 include/linux/sbm.h create mode 100644 kernel/Kconfig.sbm create mode 100644 kernel/sbm.c create mode 100644 kernel/sbm_test.c -- 2.34.1
Powered by blists - more mailing lists