Re: + mseal-update-msealrst.patch added to mm-hotfixes-unstable branch

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Theo de Raadt <deraadt@cvs.openbsd.org>
To: akpm@linux-foundation.org, corbet@lwn.net, deraadt@openbsd.org,
	enh@google.com, gregkh@linuxfoundation.org, groeck@chromium.org,
	jannh@google.com, jeffxu@chromium.org, jorgelo@chromium.org,
	keescook@chromium.org, Liam.Howlett@oracle.com,
	lorenzo.stoakes@oracle.com, mm-commits@vger.kernel.org,
	pedro.falcato@gmail.com, rdunlap@infradead.org,
	sroettger@google.com, surenb@google.com,
	torvalds@linux-foundation.org, usama.anjum@collabora.com,
	willy@infradead.org
Subject: Re: + mseal-update-msealrst.patch added to mm-hotfixes-unstable branch
Date: Tue, 8 Oct 2024 13:01:54 -0600 (MDT)	[thread overview]
Message-ID: <f3c123e0624a07e0@cvs.openbsd.org> (raw)

>-Additional notes:
>-=================
> As Jann Horn pointed out in [3], there are still a few ways to write
>-to RO memory, which is, in a way, by design. Those cases are not covered
>-by mseal(). If applications want to block such cases, sandbox tools (such as
>-seccomp, LSM, etc) might be considered.
>+to RO memory, which is, in a way, by design. And those could be blocked
>+by different security measures.
> 
> Those cases are:
> 
>-- Write to read-only memory through /proc/self/mem interface.
>-- Write to read-only memory through ptrace (such as PTRACE_POKETEXT).
>-- userfaultfd.
>+   - Write to read-only memory through /proc/self/mem interface (FOLL_FORCE).
>+   - Write to read-only memory through ptrace (such as PTRACE_POKETEXT).
>+   - userfaultfd.

This block of notes keeps bothering me, because I've encountered a bunch
of people who walk away with "oh but what's the purpose of this thing then
it is useless".

mimmutable and mseal are about restricting playing with the permission of
the *MAPPING* of memory, not about restricting the memory itself.

If it is going to remain, should it also say?

   - Write to a non-readonly mapping of the same memory object shared
     by a a different process, or shared to a different address in the
     same process, which is not read-only  (and this is a thing many
     older JIT do)

To wit, this is not because of mseal.  It is not because of the mapping
of the memory.  It is not because of the mapping of the memory.  It is
because a different interface to reach the same memory can always act.
It is because the permissions on one mapping obviously do not apply to
another mapping or access method.  Permissions apply to mappings, not to
memory.

A note: many decades ago, the Sun / CSRG named these calls mmap, munmap,
and mprotect.  The word "map" in mmap suggests the leading "m" is "memory".
With mprotect this gets confusing, because with shared mappings on the
same memory, it does not protect the memory, only the access via the
mapping region. "mseal" and "mimmutable" fall into the same catagory
where "m" refers to "mapping", not to "memory"; memory is actual bits
and bytes which may be mapped twice or more in circumstances.

next             reply	other threads:[~2024-10-08 19:02 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-10-08 19:01 Theo de Raadt [this message]
2024-10-11  0:47 ` + mseal-update-msealrst.patch added to mm-hotfixes-unstable branch Jeff Xu
  -- strict thread matches above, loose matches on Subject: below --
2024-10-08 18:29 Andrew Morton
2024-09-27 20:00 Andrew Morton

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f3c123e0624a07e0@cvs.openbsd.org \
    --to=deraadt@cvs.openbsd.org \
    --cc=Liam.Howlett@oracle.com \
    --cc=akpm@linux-foundation.org \
    --cc=corbet@lwn.net \
    --cc=deraadt@openbsd.org \
    --cc=enh@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=groeck@chromium.org \
    --cc=jannh@google.com \
    --cc=jeffxu@chromium.org \
    --cc=jorgelo@chromium.org \
    --cc=keescook@chromium.org \
    --cc=lorenzo.stoakes@oracle.com \
    --cc=mm-commits@vger.kernel.org \
    --cc=pedro.falcato@gmail.com \
    --cc=rdunlap@infradead.org \
    --cc=sroettger@google.com \
    --cc=surenb@google.com \
    --cc=torvalds@linux-foundation.org \
    --cc=usama.anjum@collabora.com \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.