* Re: security: restricting access to swap
2013-03-11 23:57 security: restricting access to swap Luigi Semenzato
@ 2013-03-12 13:06 ` Konrad Rzeszutek Wilk
2013-03-12 15:46 ` Luigi Semenzato
2013-03-12 23:32 ` Simon Jeons
` (3 subsequent siblings)
4 siblings, 1 reply; 13+ messages in thread
From: Konrad Rzeszutek Wilk @ 2013-03-12 13:06 UTC (permalink / raw)
To: Luigi Semenzato; +Cc: linux-mm
On Mon, Mar 11, 2013 at 04:57:25PM -0700, Luigi Semenzato wrote:
> Greetings linux-mmers,
>
> before we can fully deploy zram, we must ensure it conforms to the
> Chrome OS security requirements. In particular, we do not want to
> allow user space to read/write the swap device---not even root-owned
> processes.
>
> A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM.
>
> There are a few possible approaches to this, but before we go ahead
> I'd like to ask if anything has happened or is planned in this
> direction.
>
> Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP
> option that would do this for any swap device (i.e. not specific to
> zram) and possibly also when swapping to a file. We would add an
> "internal" open flag, O_KERN_SWAP, as well as clean up a little bit
> the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY
> and formalizing the sets of external (O_*) and internal (O_KERN_*)
> open flags.
>
> Swapon() and swapoff() would use O_KERN_SWAP internally, and a device
> opened with that flag would reject user-level opens.
What/who does the swapon/swapoff calls? Is there an kernel level thread
(aka init but in kernel?) that would do this?
>
> Thank you in advance for any input/suggestion!
> Luigi
>
> --
> To unsubscribe, send a message with 'unsubscribe linux-mm' in
> the body to majordomo@kvack.org. For more info on Linux MM,
> see: http://www.linux-mm.org/ .
> Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: security: restricting access to swap
2013-03-12 13:06 ` Konrad Rzeszutek Wilk
@ 2013-03-12 15:46 ` Luigi Semenzato
0 siblings, 0 replies; 13+ messages in thread
From: Luigi Semenzato @ 2013-03-12 15:46 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk; +Cc: linux-mm
On Tue, Mar 12, 2013 at 6:06 AM, Konrad Rzeszutek Wilk
<konrad.wilk@oracle.com> wrote:
> On Mon, Mar 11, 2013 at 04:57:25PM -0700, Luigi Semenzato wrote:
>> Greetings linux-mmers,
>>
>> before we can fully deploy zram, we must ensure it conforms to the
>> Chrome OS security requirements. In particular, we do not want to
>> allow user space to read/write the swap device---not even root-owned
>> processes.
>>
>> A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM.
>>
>> There are a few possible approaches to this, but before we go ahead
>> I'd like to ask if anything has happened or is planned in this
>> direction.
>>
>> Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP
>> option that would do this for any swap device (i.e. not specific to
>> zram) and possibly also when swapping to a file. We would add an
>> "internal" open flag, O_KERN_SWAP, as well as clean up a little bit
>> the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY
>> and formalizing the sets of external (O_*) and internal (O_KERN_*)
>> open flags.
>>
>> Swapon() and swapoff() would use O_KERN_SWAP internally, and a device
>> opened with that flag would reject user-level opens.
>
> What/who does the swapon/swapoff calls? Is there an kernel level thread
> (aka init but in kernel?) that would do this?
No, swapon() would be typically called from user level shortly after
boot by the swapon program to set up swap. Swapoff() would typically
not be called at all.
The swapon() syscall internally calls filp_open() and that's where it
would pass the O_KERN_SWAP flag. It also needs to pass an extra flag
in claim_swapfile().
I should probably just send a patch.
>>
>> Thank you in advance for any input/suggestion!
>> Luigi
>>
>> --
>> To unsubscribe, send a message with 'unsubscribe linux-mm' in
>> the body to majordomo@kvack.org. For more info on Linux MM,
>> see: http://www.linux-mm.org/ .
>> Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
>>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: security: restricting access to swap
2013-03-11 23:57 security: restricting access to swap Luigi Semenzato
2013-03-12 13:06 ` Konrad Rzeszutek Wilk
@ 2013-03-12 23:32 ` Simon Jeons
2013-03-15 9:04 ` Ric Mason
` (2 subsequent siblings)
4 siblings, 0 replies; 13+ messages in thread
From: Simon Jeons @ 2013-03-12 23:32 UTC (permalink / raw)
To: Luigi Semenzato; +Cc: linux-mm, Johannes Weiner, Hugh Dickins
Cc experts Johannes, Hugh,
On 03/12/2013 07:57 AM, Luigi Semenzato wrote:
> Greetings linux-mmers,
>
> before we can fully deploy zram, we must ensure it conforms to the
> Chrome OS security requirements. In particular, we do not want to
> allow user space to read/write the swap device---not even root-owned
> processes.
>
> A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM.
>
> There are a few possible approaches to this, but before we go ahead
> I'd like to ask if anything has happened or is planned in this
> direction.
>
> Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP
> option that would do this for any swap device (i.e. not specific to
> zram) and possibly also when swapping to a file. We would add an
> "internal" open flag, O_KERN_SWAP, as well as clean up a little bit
> the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY
> and formalizing the sets of external (O_*) and internal (O_KERN_*)
> open flags.
>
> Swapon() and swapoff() would use O_KERN_SWAP internally, and a device
> opened with that flag would reject user-level opens.
>
> Thank you in advance for any input/suggestion!
> Luigi
>
> --
> To unsubscribe, send a message with 'unsubscribe linux-mm' in
> the body to majordomo@kvack.org. For more info on Linux MM,
> see: http://www.linux-mm.org/ .
> Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: security: restricting access to swap
2013-03-11 23:57 security: restricting access to swap Luigi Semenzato
2013-03-12 13:06 ` Konrad Rzeszutek Wilk
2013-03-12 23:32 ` Simon Jeons
@ 2013-03-15 9:04 ` Ric Mason
2013-03-15 15:48 ` Luigi Semenzato
2013-03-18 3:58 ` Hugh Dickins
2013-03-18 23:43 ` KOSAKI Motohiro
4 siblings, 1 reply; 13+ messages in thread
From: Ric Mason @ 2013-03-15 9:04 UTC (permalink / raw)
To: Luigi Semenzato; +Cc: linux-mm, Johannes Weiner, Hugh Dickins
On 03/12/2013 07:57 AM, Luigi Semenzato wrote:
> Greetings linux-mmers,
>
> before we can fully deploy zram, we must ensure it conforms to the
> Chrome OS security requirements. In particular, we do not want to
> allow user space to read/write the swap device---not even root-owned
> processes.
Interesting.
>
> A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM.
Sorry, what's /dev/mem used for? and why relevant your topic?
>
> There are a few possible approaches to this, but before we go ahead
> I'd like to ask if anything has happened or is planned in this
> direction.
>
> Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP
> option that would do this for any swap device (i.e. not specific to
> zram) and possibly also when swapping to a file. We would add an
> "internal" open flag, O_KERN_SWAP, as well as clean up a little bit
> the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY
> and formalizing the sets of external (O_*) and internal (O_KERN_*)
> open flags.
>
> Swapon() and swapoff() would use O_KERN_SWAP internally, and a device
> opened with that flag would reject user-level opens.
>
> Thank you in advance for any input/suggestion!
> Luigi
>
> --
> To unsubscribe, send a message with 'unsubscribe linux-mm' in
> the body to majordomo@kvack.org. For more info on Linux MM,
> see: http://www.linux-mm.org/ .
> Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: security: restricting access to swap
2013-03-15 9:04 ` Ric Mason
@ 2013-03-15 15:48 ` Luigi Semenzato
2013-03-15 16:55 ` Johannes Weiner
0 siblings, 1 reply; 13+ messages in thread
From: Luigi Semenzato @ 2013-03-15 15:48 UTC (permalink / raw)
To: Ric Mason; +Cc: linux-mm, Johannes Weiner, Hugh Dickins
On Fri, Mar 15, 2013 at 2:04 AM, Ric Mason <ric.masonn@gmail.com> wrote:
> On 03/12/2013 07:57 AM, Luigi Semenzato wrote:
>>
>> Greetings linux-mmers,
>>
>> before we can fully deploy zram, we must ensure it conforms to the
>> Chrome OS security requirements. In particular, we do not want to
>> allow user space to read/write the swap device---not even root-owned
>> processes.
>
>
> Interesting.
Thank you.
>>
>> A similar restriction is available for /dev/mem under
>> CONFIG_STRICT_DEVMEM.
>
>
> Sorry, what's /dev/mem used for? and why relevant your topic?
I don't know what it's used for Chrome OS, but I don't think it
matters. The point is that /dev/mem is compiled in the kernel, and
without CONFIG_STRICT_DEVMEM it offers a way for a root-owned process
to read/write all of physical memory. The situation is not as dire
with a swap device, but currently a root-owned process can open a
block device used for swap and peek and poke its data, which means
that a root-owned process has now potential access to the data segment
of any other process, among other things.
>>
>> There are a few possible approaches to this, but before we go ahead
>> I'd like to ask if anything has happened or is planned in this
>> direction.
>>
>> Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP
>> option that would do this for any swap device (i.e. not specific to
>> zram) and possibly also when swapping to a file. We would add an
>> "internal" open flag, O_KERN_SWAP, as well as clean up a little bit
>> the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY
>> and formalizing the sets of external (O_*) and internal (O_KERN_*)
>> open flags.
>>
>> Swapon() and swapoff() would use O_KERN_SWAP internally, and a device
>> opened with that flag would reject user-level opens.
>>
>> Thank you in advance for any input/suggestion!
>> Luigi
>>
>> --
>> To unsubscribe, send a message with 'unsubscribe linux-mm' in
>> the body to majordomo@kvack.org. For more info on Linux MM,
>> see: http://www.linux-mm.org/ .
>> Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
>
>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: security: restricting access to swap
2013-03-15 15:48 ` Luigi Semenzato
@ 2013-03-15 16:55 ` Johannes Weiner
2013-03-15 17:27 ` Luigi Semenzato
0 siblings, 1 reply; 13+ messages in thread
From: Johannes Weiner @ 2013-03-15 16:55 UTC (permalink / raw)
To: Luigi Semenzato; +Cc: Ric Mason, linux-mm, Hugh Dickins
On Fri, Mar 15, 2013 at 08:48:49AM -0700, Luigi Semenzato wrote:
> On Fri, Mar 15, 2013 at 2:04 AM, Ric Mason <ric.masonn@gmail.com> wrote:
> > On 03/12/2013 07:57 AM, Luigi Semenzato wrote:
> >>
> >> Greetings linux-mmers,
> >>
> >> before we can fully deploy zram, we must ensure it conforms to the
> >> Chrome OS security requirements. In particular, we do not want to
> >> allow user space to read/write the swap device---not even root-owned
> >> processes.
> >
> >
> > Interesting.
>
> Thank you.
>
> >>
> >> A similar restriction is available for /dev/mem under
> >> CONFIG_STRICT_DEVMEM.
> >
> >
> > Sorry, what's /dev/mem used for? and why relevant your topic?
>
> I don't know what it's used for Chrome OS, but I don't think it
> matters. The point is that /dev/mem is compiled in the kernel, and
> without CONFIG_STRICT_DEVMEM it offers a way for a root-owned process
> to read/write all of physical memory. The situation is not as dire
> with a swap device, but currently a root-owned process can open a
> block device used for swap and peek and poke its data, which means
> that a root-owned process has now potential access to the data segment
> of any other process, among other things.
How do you handle /proc/<pid>/mem?
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: security: restricting access to swap
2013-03-15 16:55 ` Johannes Weiner
@ 2013-03-15 17:27 ` Luigi Semenzato
2013-03-15 22:19 ` Luigi Semenzato
0 siblings, 1 reply; 13+ messages in thread
From: Luigi Semenzato @ 2013-03-15 17:27 UTC (permalink / raw)
To: Johannes Weiner, Will Drewry; +Cc: Ric Mason, linux-mm, Hugh Dickins
On Fri, Mar 15, 2013 at 9:55 AM, Johannes Weiner <hannes@cmpxchg.org> wrote:
> On Fri, Mar 15, 2013 at 08:48:49AM -0700, Luigi Semenzato wrote:
>> On Fri, Mar 15, 2013 at 2:04 AM, Ric Mason <ric.masonn@gmail.com> wrote:
>> > On 03/12/2013 07:57 AM, Luigi Semenzato wrote:
>> >>
>> >> Greetings linux-mmers,
>> >>
>> >> before we can fully deploy zram, we must ensure it conforms to the
>> >> Chrome OS security requirements. In particular, we do not want to
>> >> allow user space to read/write the swap device---not even root-owned
>> >> processes.
>> >
>> >
>> > Interesting.
>>
>> Thank you.
>>
>> >>
>> >> A similar restriction is available for /dev/mem under
>> >> CONFIG_STRICT_DEVMEM.
>> >
>> >
>> > Sorry, what's /dev/mem used for? and why relevant your topic?
>>
>> I don't know what it's used for Chrome OS, but I don't think it
>> matters. The point is that /dev/mem is compiled in the kernel, and
>> without CONFIG_STRICT_DEVMEM it offers a way for a root-owned process
>> to read/write all of physical memory. The situation is not as dire
>> with a swap device, but currently a root-owned process can open a
>> block device used for swap and peek and poke its data, which means
>> that a root-owned process has now potential access to the data segment
>> of any other process, among other things.
>
> How do you handle /proc/<pid>/mem?
Right. We do not. But... we might! We could turn it off and see if
it breaks anything important.
In any case, we don't like expanding the attack surface.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: security: restricting access to swap
2013-03-15 17:27 ` Luigi Semenzato
@ 2013-03-15 22:19 ` Luigi Semenzato
0 siblings, 0 replies; 13+ messages in thread
From: Luigi Semenzato @ 2013-03-15 22:19 UTC (permalink / raw)
To: Johannes Weiner, Will Drewry, Kees Cook; +Cc: Ric Mason, linux-mm, Hugh Dickins
After further reading, it looks as if /proc/<pid>/mem has a lot of
built-in protection already, so that should not be an issue.
On Fri, Mar 15, 2013 at 10:27 AM, Luigi Semenzato <semenzato@google.com> wrote:
> On Fri, Mar 15, 2013 at 9:55 AM, Johannes Weiner <hannes@cmpxchg.org> wrote:
>> On Fri, Mar 15, 2013 at 08:48:49AM -0700, Luigi Semenzato wrote:
>>> On Fri, Mar 15, 2013 at 2:04 AM, Ric Mason <ric.masonn@gmail.com> wrote:
>>> > On 03/12/2013 07:57 AM, Luigi Semenzato wrote:
>>> >>
>>> >> Greetings linux-mmers,
>>> >>
>>> >> before we can fully deploy zram, we must ensure it conforms to the
>>> >> Chrome OS security requirements. In particular, we do not want to
>>> >> allow user space to read/write the swap device---not even root-owned
>>> >> processes.
>>> >
>>> >
>>> > Interesting.
>>>
>>> Thank you.
>>>
>>> >>
>>> >> A similar restriction is available for /dev/mem under
>>> >> CONFIG_STRICT_DEVMEM.
>>> >
>>> >
>>> > Sorry, what's /dev/mem used for? and why relevant your topic?
>>>
>>> I don't know what it's used for Chrome OS, but I don't think it
>>> matters. The point is that /dev/mem is compiled in the kernel, and
>>> without CONFIG_STRICT_DEVMEM it offers a way for a root-owned process
>>> to read/write all of physical memory. The situation is not as dire
>>> with a swap device, but currently a root-owned process can open a
>>> block device used for swap and peek and poke its data, which means
>>> that a root-owned process has now potential access to the data segment
>>> of any other process, among other things.
>>
>> How do you handle /proc/<pid>/mem?
>
> Right. We do not. But... we might! We could turn it off and see if
> it breaks anything important.
>
> In any case, we don't like expanding the attack surface.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: security: restricting access to swap
2013-03-11 23:57 security: restricting access to swap Luigi Semenzato
` (2 preceding siblings ...)
2013-03-15 9:04 ` Ric Mason
@ 2013-03-18 3:58 ` Hugh Dickins
2013-03-18 16:05 ` Luigi Semenzato
2013-03-18 23:43 ` KOSAKI Motohiro
4 siblings, 1 reply; 13+ messages in thread
From: Hugh Dickins @ 2013-03-18 3:58 UTC (permalink / raw)
To: Luigi Semenzato; +Cc: linux-mm
On Mon, 11 Mar 2013, Luigi Semenzato wrote:
> Greetings linux-mmers,
>
> before we can fully deploy zram, we must ensure it conforms to the
> Chrome OS security requirements. In particular, we do not want to
> allow user space to read/write the swap device---not even root-owned
> processes.
>
> A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM.
>
> There are a few possible approaches to this, but before we go ahead
> I'd like to ask if anything has happened or is planned in this
> direction.
>
> Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP
> option that would do this for any swap device (i.e. not specific to
> zram) and possibly also when swapping to a file. We would add an
> "internal" open flag, O_KERN_SWAP, as well as clean up a little bit
> the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY
> and formalizing the sets of external (O_*) and internal (O_KERN_*)
> open flags.
>
> Swapon() and swapoff() would use O_KERN_SWAP internally, and a device
> opened with that flag would reject user-level opens.
>
> Thank you in advance for any input/suggestion!
> Luigi
Your O_KERN_SWAP does not make much sense to me.
The open flag would only apply while the device or file is open, yet
you would also want this security to apply after it has been closed.
And there's not much security if you rely upon zeroing the swap area
at swapoff. Maybe it crashes before swapoff. Maybe you have /dev/sda1
open O_KERN_SWAP, but someone is watching through /dev/sda. Maybe you
have swapfile open O_KERN_SWAP, but someone is watching through the
block device of the filesystem holding swapfile.
I think you want to encrypt the pages going out to swap, and encrypt
them in such a way that only swap has the key. Whether that's already
easily achieved with dm I have no idea.
Hugh
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: security: restricting access to swap
2013-03-18 3:58 ` Hugh Dickins
@ 2013-03-18 16:05 ` Luigi Semenzato
0 siblings, 0 replies; 13+ messages in thread
From: Luigi Semenzato @ 2013-03-18 16:05 UTC (permalink / raw)
To: Hugh Dickins; +Cc: linux-mm, Sonny Rao
On Sun, Mar 17, 2013 at 8:58 PM, Hugh Dickins <hughd@google.com> wrote:
> On Mon, 11 Mar 2013, Luigi Semenzato wrote:
>> Greetings linux-mmers,
>>
>> before we can fully deploy zram, we must ensure it conforms to the
>> Chrome OS security requirements. In particular, we do not want to
>> allow user space to read/write the swap device---not even root-owned
>> processes.
>>
>> A similar restriction is available for /dev/mem under CONFIG_STRICT_DEVMEM.
>>
>> There are a few possible approaches to this, but before we go ahead
>> I'd like to ask if anything has happened or is planned in this
>> direction.
>>
>> Otherwise, one idea I am playing with is to add a CONFIG_STRICT_SWAP
>> option that would do this for any swap device (i.e. not specific to
>> zram) and possibly also when swapping to a file. We would add an
>> "internal" open flag, O_KERN_SWAP, as well as clean up a little bit
>> the FMODE_NONOTIFY confusion by adding the kernel flag O_KERN_NONOTIFY
>> and formalizing the sets of external (O_*) and internal (O_KERN_*)
>> open flags.
>>
>> Swapon() and swapoff() would use O_KERN_SWAP internally, and a device
>> opened with that flag would reject user-level opens.
>>
>> Thank you in advance for any input/suggestion!
>> Luigi
Hugh, thanks for the reply.
> Your O_KERN_SWAP does not make much sense to me.
>
> The open flag would only apply while the device or file is open, yet
> you would also want this security to apply after it has been closed.
>
> And there's not much security if you rely upon zeroing the swap area
> at swapoff. Maybe it crashes before swapoff.
Yes, that would be a problem. It's not in our case because the swap
device is ZRAM.
> Maybe you have /dev/sda1
> open O_KERN_SWAP, but someone is watching through /dev/sda. Maybe you
> have swapfile open O_KERN_SWAP, but someone is watching through the
> block device of the filesystem holding swapfile.
Yes, I realize that this works only when using the entire device for swap.
> I think you want to encrypt the pages going out to swap, and encrypt
> them in such a way that only swap has the key. Whether that's already
> easily achieved with dm I have no idea.
I think that for our application it may make sense to have a
ZRAM-specific solution.
Thanks!
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: security: restricting access to swap
2013-03-11 23:57 security: restricting access to swap Luigi Semenzato
` (3 preceding siblings ...)
2013-03-18 3:58 ` Hugh Dickins
@ 2013-03-18 23:43 ` KOSAKI Motohiro
2013-03-19 17:39 ` Will Drewry
4 siblings, 1 reply; 13+ messages in thread
From: KOSAKI Motohiro @ 2013-03-18 23:43 UTC (permalink / raw)
To: Luigi Semenzato; +Cc: linux-mm, kosaki.motohiro
(3/11/13 7:57 PM), Luigi Semenzato wrote:
> Greetings linux-mmers,
>
> before we can fully deploy zram, we must ensure it conforms to the
> Chrome OS security requirements. In particular, we do not want to
> allow user space to read/write the swap device---not even root-owned
> processes.
Could you explain Chrome OS security requirement at first? We don't want
to guess your requirement.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: security: restricting access to swap
2013-03-18 23:43 ` KOSAKI Motohiro
@ 2013-03-19 17:39 ` Will Drewry
0 siblings, 0 replies; 13+ messages in thread
From: Will Drewry @ 2013-03-19 17:39 UTC (permalink / raw)
To: linux-mm
KOSAKI Motohiro <kosaki.motohiro <at> gmail.com> writes:
>
> (3/11/13 7:57 PM), Luigi Semenzato wrote:
> > Greetings linux-mmers,
> >
> > before we can fully deploy zram, we must ensure it conforms to the
> > Chrome OS security requirements. In particular, we do not want to
> > allow user space to read/write the swap device---not even root-owned
> > processes.
>
> Could you explain Chrome OS security requirement at first? We don't want
> to guess your requirement.
I'll try to add a little more flavor. We're continuing to reduce the
exposure from root-equivalent users wherever possible. Enabling swap
support to a block device means an alternative means to access/modify
swapped out user-context memory with a single discretionary access
control check, bypassing any per-process checks in /proc/<pid>/mem
(like mm_open(..., PTRACE_MODE_ATTACH)), and so on.
hth!
will
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 13+ messages in thread