Message-ID: <54FE56C6.7000902@intel.com>
Date: Mon, 09 Mar 2015 19:28:22 -0700
From: Dave Hansen
To: "Eric W. Biederman", Kees Cook
CC: Andrew Morton, "Theodore Ts'o", Oleg Nesterov, LKML, Dave Hansen
Subject: Re: [RFC][PATCH 1/2] fs proc: make pagemap a privileged interface
References: <20150309204321.AAF412E0@viggo.jf.intel.com> <878uf5vmxo.fsf@x220.int.ebiederm.org> <87h9ttrcpr.fsf@x220.int.ebiederm.org>
In-Reply-To: <87h9ttrcpr.fsf@x220.int.ebiederm.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/09/2015 04:08 PM, Eric W. Biederman wrote:
> If the concern is to protect against root getting into the kernel the
> "trusted_kernel" snake-oil just compile out the pagemap file. Nothing
> else is remotely interesting from a maintenance point of view.

The paper I linked to showed one example of how pagemap makes a
user->kernel exploit _easier_. Note that the authors had another way
of actually doing the exploit when pagemap was not available, but it
required some more trouble than if pagemap was around.

I mentioned the "trusted_kernel" stuff as an aside. It's really not the
main concern.