From: Andi Kleen <ak@suse.de>
To: Christoph Lameter <christoph@lameter.com>
Cc: Andi Kleen <ak@suse.de>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Read only syscall tables for x86_64 and i386
Date: Wed, 29 Jun 2005 04:49:03 +0200 [thread overview]
Message-ID: <20050629024903.GA21575@bragg.suse.de> (raw)
In-Reply-To: <Pine.LNX.4.62.0506281238320.1734@graphe.net>
On Tue, Jun 28, 2005 at 12:41:59PM -0700, Christoph Lameter wrote:
> On Tue, 28 Jun 2005, Andi Kleen wrote:
>
> > It's unfortunately useless because all the kernel is mapped in the
> > same 2 or 4MB page has to be writable because it overlaps with real
> > direct mapped memory.
>
> The question is: Are syscall tables are supposed to be
> writable? If no then this patch should go in. If yes then forget about it.
I think it would make sense in theory to write protect them
together with the kernel code and the modules
(just to make root kit writing slightly harder)
It is just that it is not practical on i386/x86-64 right now
without undue performance impact for the main kernel. TLB pressure is
unfortunately quite performance critical and we cannot goof off on this.
Write protecting the modules would be possible right now because
they're vmalloced, but might be a problem later if we move them to the
direct mapping again (that was a beneficial 2.4 optimization), so I am not sure
it would be a good idea.
BTW the kernel actually needs to write to code once
to apply alternative(), but it would't be a problem to use
a temporary mapping for this.
> On IA64 they are readonly and so I thought they should also be readonly
> on i386 and x86_64.
>
> The ability to protect a readonly section may be another issue.
Well, it's the overriding issue here. Just pretending it's readonly
when it isn't doesn't seem useful.
-Andi
next prev parent reply other threads:[~2005-06-29 2:49 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <Pine.LNX.4.62.0506281141050.959@graphe.net.suse.lists.linux.kernel>
2005-06-28 19:33 ` [PATCH] Read only syscall tables for x86_64 and i386 Andi Kleen
2005-06-28 19:41 ` Christoph Lameter
2005-06-29 0:06 ` Arnd Bergmann
2005-06-29 2:49 ` Andi Kleen [this message]
2005-07-01 20:10 ` Christoph Lameter
2005-07-01 20:28 ` Andi Kleen
2005-07-01 20:47 ` Richard B. Johnson
2005-07-01 21:13 ` Alan Cox
2005-07-01 20:34 ` Richard B. Johnson
2005-06-28 18:47 Christoph Lameter
2005-06-28 18:56 ` Arjan van de Ven
2005-06-28 19:26 ` Christoph Lameter
2005-06-28 19:41 ` Christoph Hellwig
[not found] ` <87oe9q70no.fsf@jbms.ath.cx>
[not found] ` <Pine.LNX.4.62.0506281218030.1454@graphe.net>
2005-06-28 19:27 ` Jeremy Maitin-Shepard
2005-06-28 19:31 ` Christoph Lameter
2005-06-28 19:41 ` Jeremy Maitin-Shepard
2005-06-28 19:42 ` Christoph Hellwig
2005-06-28 19:52 ` Jeremy Maitin-Shepard
2005-06-28 20:11 ` Arjan van de Ven
2005-06-28 20:23 ` Jeremy Maitin-Shepard
2005-06-28 19:47 ` Arjan van de Ven
2005-06-28 20:00 ` Jeremy Maitin-Shepard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050629024903.GA21575@bragg.suse.de \
--to=ak@suse.de \
--cc=christoph@lameter.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox