Re: [PATCH v3 00/11] Symbol Namespaces

From: Matthias Maennich <maennich@google.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: kstewart@linuxfoundation.org, oneukum@suse.com,
	linux-aspeed@lists.ozlabs.org,
	Peter Zijlstra <peterz@infradead.org>,
	Toru Komatsu <k0ma@utam0k.jp>,
	Mauro Carvalho Chehab <mchehab+samsung@kernel.org>,
	Nicolas Ferre <nicolas.ferre@microchip.com>,
	David Howells <dhowells@redhat.com>,
	yamada.masahiro@socionext.com, Will Deacon <will@kernel.org>,
	patches@opensource.cirrus.com,
	Michael Ellerman <mpe@ellerman.id.au>,
	hpa@zytor.com, joel@joelfernandes.org,
	bcm-kernel-feedback-list@broadcom.com, sam@ravnborg.org,
	cocci@systeme.lip6.fr, linux-arch@vger.kernel.org,
	linux-samsung-soc@vger.kernel.org,
	Benjamin Fair <benjaminfair@google.com>,
	linux-scsi@vger.kernel.org, Nancy Yuen <yuenn@google.com>,
	Fabio Estevam <festevam@gmail.com>,
	openbmc@lists.ozlabs.org, x86@kernel.org,
	lucas.de.marchi@gmail.com, usb-storage@lists.one-eyed-alien.net,
	mingo@redhat.com, geert@linux-m68k.org,
	NXP Linux Team <linux-imx@nxp.com>,
	Johannes Weiner <hannes@cmpxchg.org>,
	Patrick Venture <venture@google.com>,
	stern@rowland.harvard.edu, kernel-team@android.com,
	Ingo Molnar <mingo@kernel.org>,
	linux-rtc@vger.kernel.org,
	Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>,
	sspatil@google.com, linux-watchdog@vger.kernel.org,
	arnd@arndb.de, linux-kbuild@vger.kernel.org,
	Jani Nikula <jani.nikula@intel.com>,
	linux-arm-msm@vger.kernel.org, pombredanne@nexb.com,
	Dan Williams <dan.j.williams@intel.com>,
	Julia Lawall <julia.lawall@lip6.fr>,
	linux-m68k@lists.linux-m68k.org,
	linux-mediatek@lists.infradead.org,
	linux-rpi-kernel@lists.infradead.org,
	linux-tegra@vger.kernel.org, linux-amlogic@lists.infradead.org,
	tglx@linutronix.de, maco@android.com,
	linux-arm-kernel@lists.infradead.org,
	Adrian Reber <adrian@lisas.de>,
	linux-hwmon@vger.kernel.org, michal.lkml@markovi.net,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Andrew Jeffery <andrew@aj.id.au>,
	Alexey Gladkov <gladkov.alexey@gmail.com>,
	linux-usb@vger.kernel.org,
	linux-stm32@st-md-mailman.stormreply.com,
	linux-kernel@vger.kernel.org, Nicolas Pitre <nico@fluxnic.net>,
	Patrick Bellasi <patrick.bellasi@arm.com>,
	Richard Guy Briggs <rgb@redhat.com>,
	maco@google.com, Pengutronix Kernel Team <kernel@pengutronix.de>,
	jeyu@kernel.org, Tejun Heo <tj@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	"David S. Miller" <davem@davemloft.net>,
	linux-modules@vger.kernel.org
Subject: Re: [PATCH v3 00/11] Symbol Namespaces
Date: Wed, 21 Aug 2019 15:03:41 +0100	[thread overview]
Message-ID: <20190821140341.GA126314@google.com> (raw)
In-Reply-To: <20190821133846.GC4890@kroah.com>

On Wed, 21 Aug, 06:38, Greg Kroah-Hartman wrote:
>On Wed, Aug 21, 2019 at 03:11:40PM +0200, Peter Zijlstra wrote:
>> On Wed, Aug 21, 2019 at 12:49:15PM +0100, Matthias Maennich wrote:
>> > As of Linux 5.3-rc5, there are 31205 [1] exported symbols in the kernel.
>> > That is a growth of roughly 1000 symbols since 4.17 (30206 [2]).  There
>> > seems to be some consensus amongst kernel devs that the export surface
>> > is too large, and hard to reason about.
>> >
>> > Generally, these symbols fall in one of these categories:
>> > 1) Symbols actually meant for drivers
>> > 2) Symbols that are only exported because functionality is split over
>> >    multiple modules, yet they really shouldn't be used by modules outside
>> >    of their own subsystem
>> > 3) Symbols really only meant for in-tree use
>> >
>> > When module developers try to upstream their code, it regularly turns
>> > out that they are using exported symbols that they really shouldn't be
>> > using. This problem is even bigger for drivers that are currently
>> > out-of-tree, which may be using many symbols that they shouldn't be
>> > using, and that break when those symbols are removed or modified.
>> >
>> > This patch allows subsystem maintainers to partition their exported
>> > symbols into separate namespaces, and module authors to import such
>> > namespaces only when needed.
>> >
>> > This allows subsystem maintainers to more easily limit availability of
>> > these namespaced symbols to other parts of the kernel. It can also be
>> > used to partition the set of exported symbols for documentation
>> > purposes; for example, a set of symbols that is really only used for
>> > debugging could be in a "SUBSYSTEM_DEBUG" namespace.
>>
>> I'm missing how one can prohibit these random out of tree modules from
>> doing MODULE_IMPORT_NS().
>
>Nothing, but then they are explicitly being "bad" :)
>

As a side effect of this implementation (namespace imports via modinfo
tags), imports are very visible for (out-of-tree) modules, e.g.

$ modinfo drivers/usb/storage/ums-usbat.ko
  filename:       drivers/usb/storage/ums-usbat.ko
  import_ns:      USB_STORAGE
  license:        GPL
  author:         ...
  ...

>> That is; suppose I stick all the preempt_notifier symbols in a KVM
>> namespace, how do I enforce no out-of-tree modules ever do
>> MODULE_IMPORT_NS(KVM) and gain access?
>>

That is actually a feature worth following up: Restricting the
namespaces that can be imported by modules. I am afraid it is not part
of this series, but should not be too hard once agreed how such a list
will be defined.

>> (the above would basically break virtualbox, which I knows uses preempt
>> notifiers too, but I don't give a rats arse about that)
>
>It's a huge red flag for anyone reviewing the code that this module is
>doing something it probably really should not be doing at all.  It will
>make reviewing code easier, this isn't there to try to "prevent bad
>actors" at all, sorry.
>

Cheers,
Matthias

_______________________________________________
linux-amlogic mailing list
linux-amlogic@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-amlogic