From: Dave Chinner <dchinner@redhat.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: Igor Stoppa <igor.stoppa@huawei.com>,
Kees Cook <keescook@chromium.org>,
Randy Dunlap <rdunlap@infradead.org>,
Jonathan Corbet <corbet@lwn.net>,
Michal Hocko <mhocko@kernel.org>,
Laura Abbott <labbott@redhat.com>,
Jerome Glisse <jglisse@redhat.com>,
Christoph Hellwig <hch@infradead.org>,
Christoph Lameter <cl@linux.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data
Date: Wed, 21 Feb 2018 12:36:36 +1100 [thread overview]
Message-ID: <20180221013636.GE3728@rh> (raw)
In-Reply-To: <20180220235600.GA3706@bombadil.infradead.org>
On Tue, Feb 20, 2018 at 03:56:00PM -0800, Matthew Wilcox wrote:
> On Wed, Feb 21, 2018 at 08:36:04AM +1100, Dave Chinner wrote:
> > FWIW, I'm not wanting to use it to replace static variables. All the
> > structures are dynamically allocated right now, and get assigned to
> > other dynamically allocated pointers. I'd likely split the current
> > structures into a "ro after init" structure and rw structure, so
> > how does the "__ro_after_init" attribute work in that case? Is it
> > something like this?
> >
> > struct xfs_mount {
> > struct xfs_mount_ro{
> > .......
> > } *ro __ro_after_init;
^^^^^^^^
pointer, not embedded structure....
> > ......
>
> No, you'd do:
>
> struct xfs_mount_ro {
> [...]
> };
>
> struct xfs_mount {
> const struct xfs_mount_ro *ro;
> [...]
> };
.... so that's pretty much the same thing :P
> > Also, what compile time checks are in place to catch writes to
> > ro structure members? Is sparse going to be able to check this sort
> > of thing, like is does with endian-specific variables?
>
> Just labelling the pointer const should be enough for the compiler to
> catch unintended writes.
Ok.
> > > I'd be interested to have your review of the pmalloc API, if you think
> > > something is missing, once I send out the next revision.
> >
> > I'll look at it in more depth when it comes past again. :P
>
> I think the key question is whether you want a slab-style interface
> or whether you want a kmalloc-style interface. I'd been assuming
> the former, but Igor has implemented the latter already.
Slabs are rally only useful when you have lots of a specific type of
object. I'm concerned mostly about one-off per-mount point
structures, of which there are relatively few. A heap-like pool per
mount is fine for this.
Cheers,
Dave.
--
Dave Chinner
dchinner@redhat.com
WARNING: multiple messages have this Message-ID (diff)
From: dchinner@redhat.com (Dave Chinner)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data
Date: Wed, 21 Feb 2018 12:36:36 +1100 [thread overview]
Message-ID: <20180221013636.GE3728@rh> (raw)
In-Reply-To: <20180220235600.GA3706@bombadil.infradead.org>
On Tue, Feb 20, 2018 at 03:56:00PM -0800, Matthew Wilcox wrote:
> On Wed, Feb 21, 2018 at 08:36:04AM +1100, Dave Chinner wrote:
> > FWIW, I'm not wanting to use it to replace static variables. All the
> > structures are dynamically allocated right now, and get assigned to
> > other dynamically allocated pointers. I'd likely split the current
> > structures into a "ro after init" structure and rw structure, so
> > how does the "__ro_after_init" attribute work in that case? Is it
> > something like this?
> >
> > struct xfs_mount {
> > struct xfs_mount_ro{
> > .......
> > } *ro __ro_after_init;
^^^^^^^^
pointer, not embedded structure....
> > ......
>
> No, you'd do:
>
> struct xfs_mount_ro {
> [...]
> };
>
> struct xfs_mount {
> const struct xfs_mount_ro *ro;
> [...]
> };
.... so that's pretty much the same thing :P
> > Also, what compile time checks are in place to catch writes to
> > ro structure members? Is sparse going to be able to check this sort
> > of thing, like is does with endian-specific variables?
>
> Just labelling the pointer const should be enough for the compiler to
> catch unintended writes.
Ok.
> > > I'd be interested to have your review of the pmalloc API, if you think
> > > something is missing, once I send out the next revision.
> >
> > I'll look at it in more depth when it comes past again. :P
>
> I think the key question is whether you want a slab-style interface
> or whether you want a kmalloc-style interface. I'd been assuming
> the former, but Igor has implemented the latter already.
Slabs are rally only useful when you have lots of a specific type of
object. I'm concerned mostly about one-off per-mount point
structures, of which there are relatively few. A heap-like pool per
mount is fine for this.
Cheers,
Dave.
--
Dave Chinner
dchinner at redhat.com
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Dave Chinner <dchinner@redhat.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: Igor Stoppa <igor.stoppa@huawei.com>,
Kees Cook <keescook@chromium.org>,
Randy Dunlap <rdunlap@infradead.org>,
Jonathan Corbet <corbet@lwn.net>,
Michal Hocko <mhocko@kernel.org>,
Laura Abbott <labbott@redhat.com>,
Jerome Glisse <jglisse@redhat.com>,
Christoph Hellwig <hch@infradead.org>,
Christoph Lameter <cl@linux.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data
Date: Wed, 21 Feb 2018 12:36:36 +1100 [thread overview]
Message-ID: <20180221013636.GE3728@rh> (raw)
In-Reply-To: <20180220235600.GA3706@bombadil.infradead.org>
On Tue, Feb 20, 2018 at 03:56:00PM -0800, Matthew Wilcox wrote:
> On Wed, Feb 21, 2018 at 08:36:04AM +1100, Dave Chinner wrote:
> > FWIW, I'm not wanting to use it to replace static variables. All the
> > structures are dynamically allocated right now, and get assigned to
> > other dynamically allocated pointers. I'd likely split the current
> > structures into a "ro after init" structure and rw structure, so
> > how does the "__ro_after_init" attribute work in that case? Is it
> > something like this?
> >
> > struct xfs_mount {
> > struct xfs_mount_ro{
> > .......
> > } *ro __ro_after_init;
^^^^^^^^
pointer, not embedded structure....
> > ......
>
> No, you'd do:
>
> struct xfs_mount_ro {
> [...]
> };
>
> struct xfs_mount {
> const struct xfs_mount_ro *ro;
> [...]
> };
.... so that's pretty much the same thing :P
> > Also, what compile time checks are in place to catch writes to
> > ro structure members? Is sparse going to be able to check this sort
> > of thing, like is does with endian-specific variables?
>
> Just labelling the pointer const should be enough for the compiler to
> catch unintended writes.
Ok.
> > > I'd be interested to have your review of the pmalloc API, if you think
> > > something is missing, once I send out the next revision.
> >
> > I'll look at it in more depth when it comes past again. :P
>
> I think the key question is whether you want a slab-style interface
> or whether you want a kmalloc-style interface. I'd been assuming
> the former, but Igor has implemented the latter already.
Slabs are rally only useful when you have lots of a specific type of
object. I'm concerned mostly about one-off per-mount point
structures, of which there are relatively few. A heap-like pool per
mount is fine for this.
Cheers,
Dave.
--
Dave Chinner
dchinner@redhat.com
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2018-02-21 1:36 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-12 16:52 [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:52 ` [PATCH 1/6] genalloc: track beginning of allocations Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 23:52 ` Kees Cook
2018-02-12 23:52 ` Kees Cook
2018-02-12 23:52 ` Kees Cook
2018-02-20 17:07 ` Igor Stoppa
2018-02-20 17:07 ` Igor Stoppa
2018-02-20 17:07 ` Igor Stoppa
2018-02-21 22:29 ` Kees Cook
2018-02-21 22:29 ` Kees Cook
2018-02-21 22:29 ` Kees Cook
2018-02-21 22:35 ` Jonathan Corbet
2018-02-21 22:35 ` Jonathan Corbet
2018-02-21 22:35 ` Jonathan Corbet
2018-02-12 16:52 ` [PATCH 2/6] genalloc: selftest Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 23:50 ` Kees Cook
2018-02-12 23:50 ` Kees Cook
2018-02-12 23:50 ` Kees Cook
2018-02-20 16:59 ` Igor Stoppa
2018-02-20 16:59 ` Igor Stoppa
2018-02-20 16:59 ` Igor Stoppa
2018-02-21 22:28 ` Kees Cook
2018-02-21 22:28 ` Kees Cook
2018-02-21 22:28 ` Kees Cook
2018-02-22 9:14 ` Igor Stoppa
2018-02-22 9:14 ` Igor Stoppa
2018-02-22 9:14 ` Igor Stoppa
2018-02-22 18:28 ` Igor Stoppa
2018-02-22 18:28 ` Igor Stoppa
2018-02-22 18:28 ` Igor Stoppa
2018-02-12 16:52 ` [PATCH 3/6] struct page: add field for vm_struct Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:52 ` [PATCH 4/6] Protectable Memory Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:52 ` Igor Stoppa
2018-02-12 16:53 ` [PATCH 5/6] Pmalloc: self-test Igor Stoppa
2018-02-12 16:53 ` Igor Stoppa
2018-02-12 16:53 ` Igor Stoppa
2018-02-12 16:53 ` Igor Stoppa
2018-02-12 23:43 ` Kees Cook
2018-02-12 23:43 ` Kees Cook
2018-02-12 23:43 ` Kees Cook
2018-02-20 16:40 ` Igor Stoppa
2018-02-20 16:40 ` Igor Stoppa
2018-02-20 16:40 ` Igor Stoppa
2018-02-21 22:24 ` Kees Cook
2018-02-21 22:24 ` Kees Cook
2018-02-21 22:24 ` Kees Cook
2018-02-22 9:01 ` Igor Stoppa
2018-02-22 9:01 ` Igor Stoppa
2018-02-22 9:01 ` Igor Stoppa
2018-02-12 16:53 ` [PATCH 6/6] Documentation for Pmalloc Igor Stoppa
2018-02-12 16:53 ` Igor Stoppa
2018-02-12 16:53 ` Igor Stoppa
2018-02-12 16:53 ` Igor Stoppa
2018-02-12 23:32 ` [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data Kees Cook
2018-02-12 23:32 ` Kees Cook
2018-02-12 23:32 ` Kees Cook
2018-02-20 1:21 ` Dave Chinner
2018-02-20 1:21 ` Dave Chinner
2018-02-20 1:21 ` Dave Chinner
2018-02-20 18:03 ` Igor Stoppa
2018-02-20 18:03 ` Igor Stoppa
2018-02-20 18:03 ` Igor Stoppa
2018-02-20 21:36 ` Dave Chinner
2018-02-20 21:36 ` Dave Chinner
2018-02-20 21:36 ` Dave Chinner
2018-02-20 23:56 ` Matthew Wilcox
2018-02-20 23:56 ` Matthew Wilcox
2018-02-20 23:56 ` Matthew Wilcox
2018-02-21 1:36 ` Dave Chinner [this message]
2018-02-21 1:36 ` Dave Chinner
2018-02-21 1:36 ` Dave Chinner
2018-02-21 9:56 ` Igor Stoppa
2018-02-21 9:56 ` Igor Stoppa
2018-02-21 9:56 ` Igor Stoppa
2018-02-21 21:36 ` Dave Chinner
2018-02-21 21:36 ` Dave Chinner
2018-02-21 21:36 ` Dave Chinner
2018-02-22 8:58 ` Igor Stoppa
2018-02-22 8:58 ` Igor Stoppa
2018-02-22 8:58 ` Igor Stoppa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180221013636.GE3728@rh \
--to=dchinner@redhat.com \
--cc=cl@linux.com \
--cc=corbet@lwn.net \
--cc=hch@infradead.org \
--cc=igor.stoppa@huawei.com \
--cc=jglisse@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mhocko@kernel.org \
--cc=rdunlap@infradead.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.