From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE608C001DF for ; Fri, 20 Oct 2023 15:55:33 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 204B38D00BF; Fri, 20 Oct 2023 11:55:33 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 1B5058D0003; Fri, 20 Oct 2023 11:55:33 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 0A4728D00BF; Fri, 20 Oct 2023 11:55:33 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id F09948D0003 for ; Fri, 20 Oct 2023 11:55:32 -0400 (EDT) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id C3E591411B7 for ; Fri, 20 Oct 2023 15:55:32 +0000 (UTC) X-FDA: 81366289704.13.A07C93E Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by imf18.hostedemail.com (Postfix) with ESMTP id 11C081C0010 for ; Fri, 20 Oct 2023 15:55:29 +0000 (UTC) Authentication-Results: imf18.hostedemail.com; dkim=pass header.d=openbsd.org header.s=selector1 header.b="5uh8cM/3"; dmarc=none; spf=pass (imf18.hostedemail.com: domain of deraadt@openbsd.org designates 199.185.137.3 as permitted sender) smtp.mailfrom=deraadt@openbsd.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1697817330; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=EmfjtDaBCNaGSN6ySlDz1epA9OKwqW9fwLW6EzYe1nk=; b=hJt43qYWxwbAfxgN1PJC9VbDLL4y0kx6vNK3EkHy4t7KztBS/fXwlbMI7NVvs3dvdfl5jP 8eoYUu9SkSzOcfVMeCk/KdirJRRmplO0pYV/jZ8sDZyfUYsz3GURUuKqWJCjz7VBYP0B9V AeUicZVuqgnnO/0whCS7ckpHdV6b6oQ= ARC-Authentication-Results: i=1; imf18.hostedemail.com; dkim=pass header.d=openbsd.org header.s=selector1 header.b="5uh8cM/3"; dmarc=none; spf=pass (imf18.hostedemail.com: domain of deraadt@openbsd.org designates 199.185.137.3 as permitted sender) smtp.mailfrom=deraadt@openbsd.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1697817330; a=rsa-sha256; cv=none; b=AfdVgGHVJ6ZhcnsxECw941Q/cNfnTtbClcCVRmsBQwpgSfJxyiBYYPn/avOIKaFz+EaI0v JqLxq/ml2d/9jR3Cr/yUD9Memtqhkm7IZPuTJkW32c6VUhrsJKz4pLDFdmwrhHTqP23Mqo WwBET9ZJ84tEK21uY/NWiJB75qp+OYg= DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=selector1; bh=4Wxr8YyJBV Ji9dsEnvrWsVWlX7GW5YDL5ggU4ht88YY=; h=date:references:in-reply-to: subject:cc:to:from; d=openbsd.org; b=5uh8cM/3362zsHWWsOJQQ46mNmFkN73zH KtMFfu5/V5BQjgUqramyy6DLokJoEDDFiTXDZ9iUmZ33ICuFYcRAWnD1u1Dy6mL5GBBpzV cK0utCgesrjOUEgYntUsl8hY0EbCeuyTBqgYTMKlXmvilryrzM8byogl9HLQCThr3rMysD L82kOgtwM7VU3G72B8IDyDKGiKO5YgnzU3kOkbpogCOzuEGaVauGn0Zg2M1eCSwbcPzmIM GVGqBq3zKy+Lc0W0r82Inq0AQq5NBneSdFBScYh0F+MKxTGmaENtL7eSiIGg+yuhmKUFy/ CQE/qsUjQmJsRTTtKDVa+NXOPLbbg== Received: from cvs.openbsd.org (localhost [127.0.0.1]) by cvs.openbsd.org (OpenSMTPD) with ESMTP id 8d5b7bfa; Fri, 20 Oct 2023 09:55:28 -0600 (MDT) From: "Theo de Raadt" To: =?us-ascii?Q?=3D=3FUTF-8=3FQ=3FStephen=5FR=3DC3=3DB6ttger=3F=3D?= cc: Jeff Xu , Matthew Wilcox , Linus Torvalds , jeffxu@chromium.org, akpm@linux-foundation.org, keescook@chromium.org, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com, surenb@google.com, alex.sierra@amd.com, apopple@nvidia.com, aneesh.kumar@linux.ibm.com, axelrasmussen@google.com, ben@decadent.org.uk, catalin.marinas@arm.com, david@redhat.com, dwmw@amazon.co.uk, ying.huang@intel.com, hughd@google.com, joey.gouly@arm.com, corbet@lwn.net, wangkefeng.wang@huawei.com, Liam.Howlett@oracle.com, lstoakes@gmail.com, mawupeng1@huawei.com, linmiaohe@huawei.com, namit@vmware.com, peterx@redhat.com, peterz@infradead.org, ryan.roberts@arm.com, shr@devkernel.io, vbabka@suse.cz, xiujianfeng@huawei.com, yu.ma@intel.com, zhangpeng362@huawei.com, dave.hansen@intel.com, luto@kernel.org, linux-hardening@vger.kernel.org Subject: Re: [RFC PATCH v1 0/8] Introduce mseal() syscall In-reply-to: References: <20231016143828.647848-1-jeffxu@chromium.org> <55960.1697566804@cvs.openbsd.org> <95482.1697587015@cvs.openbsd.org> <7071.1697661373@cvs.openbsd.org> Comments: In-reply-to =?us-ascii?Q?=3D=3FUTF-8=3FQ=3FStephen=5FR=3DC3=3DB6?= =?us-ascii?Q?ttger=3F=3D?= message dated "Thu, 19 Oct 2023 10:28:32 +0200." MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Date: Fri, 20 Oct 2023 09:55:28 -0600 Message-ID: <20251.1697817328@cvs.openbsd.org> X-Rspam-User: X-Stat-Signature: s688r81oz6bwyw8gt6xho3163z54jopn X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: 11C081C0010 X-HE-Tag: 1697817329-142625 X-HE-Meta: U2FsdGVkX1/dWXJD5v8OKCchh9rScpda//OYAr6uoWRxaif1JB1sJpzCaPgmwWgKXCqwWeWONFe1Q1VAkXS18SBWLu9Qs4n7P1X8+JW96KKk3u6PL6467FYMMu34h8MrXlVe4dOUaWvfVXD2cBuBE14uzdJjINM0CP3tYZqt6ttGvrX3velc5WcuDcFCYRv5p5dgjg6J20iGU9dedT3DlBde1QM36m2dYt0XBxEte0VPBCr151H4dhrB8wzqKyk0+wtDdYIc4qJI+mQSUU5rwq8Amafxp6D0XIZHMQME2VS1nfoqLErAk2ysQJKnn5DbxrCOeEn8tyTjSTAloEPK4Q7/GwE2cURUugwPI7qFIP7PYAmIW2bT3V1ZE/o30YbD8yvXoiJ7cMlIVkLBZarTP6N09vXgOi0/47oSTduREle4fjUXZC+49u8UN8XYVuGfb1vJenpJINqkfGIPVGLnL2YdUQLceQyutY7j+klzybaj4OIryM+gO/2jqGD4AbxQGuefZ5MmOszYEDVBiFtgH1l9+q5zW1CP7qXfonXGDyI0Rvc94aPtFmtOTFAX0hdt0lGd1p/dz4ddbU77yDv4kcyVh8f9p44A/EgtU5BNRMBgxYEOJaddyvIe46YDcEWtqOpASXRvcrsLQP8KZLql0F31SPHlv9IrLWcJcshCqV2Pc+JV9lp5YsNsZ/nOdZaY92/VIjpN6QsIkfuKYmJ/rZvesweBCmUNcFAvLQLwQgj+k9qjEc35lk7dOv7xJgQckUZGPQQOusz774FHZhm33pyZq+fI3zebQREDWOSJttPSELclQv63Fbgu65uswkC/hn/UleH1rzzN3mK7ubVb4oOzs8TXWEEqhW7OqK0kRJkw+lUkTG4K/ZTqQtw7RjDy3ry88RzFHvuEJdh37PLLmW8EWGj9gbeE126lDpncoxF/Kyb8lOcbPaBlix/W097TPX/gUwd18OxILkpKZnm VCKN/uTC 2MsEwB2akKcaEF4BY+01exNzZ6d+B17qz51lWOV1xlfuw2CJUHYg4efSReeLtWerbFg+um8NC0OeCx6GJ0IEf28U7h7vKt/dbm5wNju5XJxThmznG4blDmAEJ9kWJcHNYf2wbrKhI3OKQ1rY//X0+C8LyfqFcR9Oumtv293OWgGEjlyjorAmof3cdj4ozwrm2Xnw0+l+JU181gxOtHHO7cectvPoWqikdL4hPTuiC72HalFh9qkVlvvtMUGfKWpWKqEDNKr8fY6Po2wK++HCPOQAlqA== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Stephen R=C3=B6ttger wrote: > > > IMO: The approaches mimmutable() and mseal() took are different, but > > > we all want to seal the memory from attackers and make the linux > > > application safer. > > > > I think you are building mseal for chrome, and chrome alone. > > > > I do not think this will work out for the rest of the application space > > because > > > > 1) it is too complicated > > 2) experience with mimmutable() says that applications don't do any of = it > > themselves, it is all in execve(), libc initialization, and ld.so. > > You don't strike me as an execve, libc, or ld.so developer. >=20 > We do want to build this in a way that it can be applied automatically by= ld.so > and we appreciate all your feedback on this. Hi Stephen, I am pretty sure your mechanism will be useable by ld.so. What bothers me is the complex many-bits approach may encourage people to set only a subset of the bits, and then believe they have a security primitive. Partial sealing is not safe. I define partial sealing as "blocking munmap, but not mprotect". Or "blocking mprotect, but not madvise or mmap". In Message-id Matthew stated there that there are two aspects being locked: which object is mapped, and the permission of that mapping. When additional system calls msync() and madvi= se() are included in the picture, there are 3 actions being prevented: - Can someone replace the object - Can someone change the permission - Can someone throw away the cached pages, reverting to original content of the object (that is the madvise / msync) In Message-id: Jan reminded us of this piece. I'm taking this as a long-standing security hole in some sub-operations of msync/madvise which can write to data regions that aren't actually writeable. Sub-operations with this problem are MADV_= FREE, MADV_DONTNEED, POSIX_MADV_DONTNEED, MS_INVALIDATE.. on Linux MADV_WIPEONFOR= K, and probably a whole bunch of others. I am testing OpenBSD changes which demand PROT_WRITE permission for these sub-operations. Perhaps some systems are already careful. If you leave any of these operators available, the object is not actually s= ealed against abuse. I believe an attacker will simply switch to a different ope= rator (mmap, munmap, mprotect, madvise, msync) to achieve a similar objective of damaging the permission or contents. Since mseal() is designed to create partial sealings, the name of the propo= sed system call really smells. > The intention of > splitting the sealing > by syscall was to provide flexibility while still allowing ld.so to > seal all operations. Yes, you will have ld.so set all the bits, and the same in C runtime initialization. If you convince glibc to stop make the stack executable in dlopen(), the kernel could automatically do it.. With Linux backwards compat management, getting there would be an extremely long long long roadmap. But anyways the idea would be "set all the bits". Because otherw= ise the object or data isn't safe. > Does Linus' proposal to just split munmap / mprotect sealing address your > complexity concerns? ld.so would always use both flags which should then = behave > similar to mimmutable(). No, I think it is weak, because it isn't sealed. A seperate mail in the thread from you says this is about chrome wanting to use PKU on RWX objects. I think that's the reason for wanting to seperate the sealing (I haven't heard of other applications wanting that). How about we explore that in the other subthread..