From: why2jjj.linux@gmail.com (J Freyensee)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 7/7] Documentation for Pmalloc
Date: Fri, 23 Feb 2018 16:26:49 -0800 [thread overview]
Message-ID: <98b2fecf-c1b3-aa5e-ba70-2770940bb965@gmail.com> (raw)
In-Reply-To: <20180223144807.1180-8-igor.stoppa@huawei.com>
On 2/23/18 6:48 AM, Igor Stoppa wrote:
> Detailed documentation about the protectable memory allocator.
>
> Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com>
> ---
> Documentation/core-api/index.rst | 1 +
> Documentation/core-api/pmalloc.rst | 114 +++++++++++++++++++++++++++++++++++++
> 2 files changed, 115 insertions(+)
> create mode 100644 Documentation/core-api/pmalloc.rst
>
> diff --git a/Documentation/core-api/index.rst b/Documentation/core-api/index.rst
> index c670a8031786..8f5de42d6571 100644
> --- a/Documentation/core-api/index.rst
> +++ b/Documentation/core-api/index.rst
> @@ -25,6 +25,7 @@ Core utilities
> genalloc
> errseq
> printk-formats
> + pmalloc
>
> Interfaces for kernel debugging
> ===============================
> diff --git a/Documentation/core-api/pmalloc.rst b/Documentation/core-api/pmalloc.rst
> new file mode 100644
> index 000000000000..d9725870444e
> --- /dev/null
> +++ b/Documentation/core-api/pmalloc.rst
> @@ -0,0 +1,114 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +Protectable memory allocator
> +============================
> +
> +Purpose
> +-------
> +
> +The pmalloc library is meant to provide R/O status to data that, for some
> +reason, could neither be declared as constant, nor could it take advantage
> +of the qualifier __ro_after_init, but is write-once and read-only in spirit.
> +It protects data from both accidental and malicious overwrites.
> +
> +Example: A policy that is loaded from userspace.
> +
> +
> +Concept
> +-------
> +
> +pmalloc builds on top of genalloc, using the same concept of memory pools.
> +
> +The value added by pmalloc is that now the memory contained in a pool can
> +become R/O, for the rest of the life of the pool.
> +
> +Different kernel drivers and threads can use different pools, for finer
> +control of what becomes R/O and when. And for improved lockless concurrency.
> +
> +
> +Caveats
> +-------
> +
> +- Memory freed while a pool is not yet protected will be reused.
> +
> +- Once a pool is protected, it's not possible to allocate any more memory
> + from it.
> +
> +- Memory "freed" from a protected pool indicates that such memory is not
> + in use anymore by the requester; however, it will not become available
> + for further use, until the pool is destroyed.
> +
> +- Before destroying a pool, all the memory allocated from it must be
> + released.
Is that true?? pmalloc_destroy_pool() has:
.
.
+??? pmalloc_pool_set_protection(pool, false);
+??? gen_pool_for_each_chunk(pool, pmalloc_chunk_free, NULL);
+??? gen_pool_destroy(pool);
+??? kfree(data);
which to me looks like is the opposite, the data (ie, "memory") is being
released first, then the pool is destroyed.
> +
> +- pmalloc does not provide locking support with respect to allocating vs
> + protecting an individual pool, for performance reasons.
What is the recommendation to using locks then, as the computing
real-world mainly operates in multi-threaded/process world?? Maybe show
an example of an issue that occur if locks aren't used and give a coding
example.
> + It is recommended not to share the same pool between unrelated functions.
> + Should sharing be a necessity, the user of the shared pool is expected
> + to implement locking for that pool.
> +
> +- pmalloc uses genalloc to optimize the use of the space it allocates
> + through vmalloc. Some more TLB entries will be used, however less than
> + in the case of using vmalloc directly. The exact number depends on the
> + size of each allocation request and possible slack.
> +
> +- Considering that not much data is supposed to be dynamically allocated
> + and then marked as read-only, it shouldn't be an issue that the address
> + range for pmalloc is limited, on 32-bit systems.
Why is 32-bit systems mentioned and not 64-bit?? Is there a problem with
64-bit here?
Thanks,
Jay
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-02-24 0:26 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-23 14:48 [RFC PATCH v17 0/7] mm: security: ro protection for dynamic data Igor Stoppa
2018-02-23 14:48 ` [PATCH 1/7] genalloc: track beginning of allocations Igor Stoppa
2018-02-23 22:28 ` J Freyensee
2018-02-26 12:09 ` Igor Stoppa
2018-02-26 17:32 ` J Freyensee
2018-02-26 18:44 ` Igor Stoppa
2018-02-25 3:37 ` kbuild test robot
2018-02-23 14:48 ` [PATCH 2/7] genalloc: selftest Igor Stoppa
2018-02-23 22:42 ` J Freyensee
2018-02-26 12:11 ` Igor Stoppa
2018-02-26 17:46 ` J Freyensee
2018-02-26 18:00 ` Igor Stoppa
2018-02-26 19:12 ` Matthew Wilcox
2018-02-26 19:26 ` Igor Stoppa
2018-02-23 14:48 ` [PATCH 3/7] struct page: add field for vm_struct Igor Stoppa
2018-02-25 3:38 ` Matthew Wilcox
2018-02-26 16:37 ` Igor Stoppa
2018-02-23 14:48 ` [PATCH 4/7] Protectable Memory Igor Stoppa
2018-02-24 0:10 ` J Freyensee
2018-02-26 14:28 ` Igor Stoppa
2018-02-26 18:25 ` J Freyensee
2018-02-25 2:33 ` kbuild test robot
2018-02-23 14:48 ` [PATCH 5/7] Pmalloc selftest Igor Stoppa
2018-03-06 16:59 ` J Freyensee
2018-02-23 14:48 ` [PATCH 6/7] lkdtm: crash on overwriting protected pmalloc var Igor Stoppa
2018-02-25 3:46 ` kbuild test robot
2018-03-06 17:05 ` J Freyensee
2018-03-06 17:08 ` J Freyensee
2018-02-23 14:48 ` [PATCH 7/7] Documentation for Pmalloc Igor Stoppa
2018-02-24 0:26 ` J Freyensee [this message]
2018-02-26 15:39 ` Igor Stoppa
2018-02-26 18:32 ` J Freyensee
-- strict thread matches above, loose matches on Subject: below --
2018-02-28 20:06 [RFC PATCH v18 0/7] mm: security: ro protection for dynamic data Igor Stoppa
2018-02-28 20:06 ` [PATCH 7/7] Documentation for Pmalloc Igor Stoppa
2018-03-06 13:30 ` Mike Rapoport
2018-03-06 17:33 ` J Freyensee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=98b2fecf-c1b3-aa5e-ba70-2770940bb965@gmail.com \
--to=why2jjj.linux@gmail.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).