From: "Theo de Raadt" <deraadt@openbsd.org>
To: jeffxu@chromium.org
Cc: akpm@linux-foundation.org, keescook@chromium.org,
jannh@google.com, sroettger@google.com, willy@infradead.org,
gregkh@linuxfoundation.org, torvalds@linux-foundation.org,
usama.anjum@collabora.com, rdunlap@infradead.org,
jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-mm@kvack.org, pedro.falcato@gmail.com,
dave.hansen@intel.com, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v7 0/4] Introduce mseal()
Date: Mon, 22 Jan 2024 08:49:39 -0700 [thread overview]
Message-ID: <726.1705938579@cvs.openbsd.org> (raw)
In-Reply-To: <20240122152905.2220849-1-jeffxu@chromium.org>
Regarding these pieces
> The PROT_SEAL bit in prot field of mmap(). When present, it marks
> the map sealed since creation.
OpenBSD won't be doing this. I had PROT_IMMUTABLE as a draft. In my
research I found basically zero circumstances when you userland does
that. The most common circumstance is you create a RW mapping, fill it,
and then change to a more restrictve mapping, and lock it.
There are a few regions in the addressspace that can be locked while RW.
For instance, the stack. But the kernel does that, not userland. I
found regions where the kernel wants to do this to the address space,
but there is no need to export useless functionality to userland.
OpenBSD now uses this for a high percent of the address space. It might
be worth re-reading a description of the split of responsibility regarding
who locks different types of memory in a process;
- kernel (the majority, based upon what ELF layout tell us),
- shared library linker (the next majority, dealing with shared
library mappings and left-overs not determinable at kernel time),
- libc (a small minority, mostly regarding forced mutable objects)
- and the applications themselves (only 1 application today)
https://lwn.net/Articles/915662/
> The MAP_SEALABLE bit in the flags field of mmap(). When present, it marks
> the map as sealable. A map created without MAP_SEALABLE will not support
> sealing, i.e. mseal() will fail.
We definately won't be doing this. We allow a process to lock any and all
it's memory that isn't locked already, even if it means it is shooting
itself in the foot.
I think you are going to severely hurt the power of this mechanism,
because you won't be able to lock memory that has been allocated by a
different callsite not under your source-code control which lacks the
MAP_SEALABLE flag. (Which is extremely common with the system-parts of
a process, meaning not just libc but kernel allocated objects).
It may be fine inside a program like chrome, but I expect that flag to make
it harder to use in libc, and it will hinder adoption.
next prev parent reply other threads:[~2024-01-22 15:49 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-22 15:28 [PATCH v7 0/4] Introduce mseal() jeffxu
2024-01-22 15:28 ` [PATCH v7 1/4] mseal: Wire up mseal syscall jeffxu
2024-01-22 15:28 ` [PATCH v7 2/4] mseal: add " jeffxu
2024-01-23 18:14 ` Liam R. Howlett
2024-01-24 17:50 ` Jeff Xu
2024-01-24 20:06 ` Liam R. Howlett
2024-01-24 20:37 ` Theo de Raadt
2024-01-24 20:51 ` Theo de Raadt
2024-01-24 22:49 ` Jeff Xu
2024-01-25 2:04 ` Jeff Xu
2024-01-22 15:28 ` [PATCH v7 3/4] selftest mm/mseal memory sealing jeffxu
2024-01-22 15:28 ` [PATCH v7 4/4] mseal:add documentation jeffxu
2024-01-22 15:49 ` Theo de Raadt [this message]
2024-01-22 22:10 ` [PATCH v7 0/4] Introduce mseal() Jeff Xu
2024-01-22 22:34 ` Theo de Raadt
2024-01-23 17:33 ` Liam R. Howlett
2024-01-23 18:58 ` Theo de Raadt
2024-01-24 18:56 ` Jeff Xu
2024-01-24 18:55 ` Jeff Xu
2024-01-24 19:17 ` Theo de Raadt
2024-01-29 22:36 ` Jonathan Corbet
2024-01-31 17:49 ` Jeff Xu
2024-01-31 20:51 ` Jonathan Corbet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=726.1705938579@cvs.openbsd.org \
--to=deraadt@openbsd.org \
--cc=akpm@linux-foundation.org \
--cc=dave.hansen@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=groeck@chromium.org \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pedro.falcato@gmail.com \
--cc=rdunlap@infradead.org \
--cc=sroettger@google.com \
--cc=torvalds@linux-foundation.org \
--cc=usama.anjum@collabora.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.