Re: [PATCH v6 1/7] mseal, system mappings: kernel config and header change

From: Liam R. Howlett
Date: Mon Feb 24 2025 - 14:06:13 EST

Next message: Mathieu Desnoyers: "Re: [PATCH v4 1/4] pkeys: add API to switch to permissive/zero pkey register"
Previous message: Kees Cook: "Re: [PATCH v6 7/7] mseal, system mappings: update mseal.rst"
In reply to: Jeff Xu: "Re: [PATCH v6 1/7] mseal, system mappings: kernel config and header change"
Next in thread: Jeff Xu: "Re: [PATCH v6 1/7] mseal, system mappings: kernel config and header change"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Jeff Xu <jeffxu@xxxxxxxxxxxx> [250224 13:44]:
> On Mon, Feb 24, 2025 at 10:21 AM Dave Hansen <dave.hansen@xxxxxxxxx> wrote:
> >
> > On 2/24/25 09:45, jeffxu@xxxxxxxxxxxx wrote:
> > > +/*
> > > + * mseal of userspace process's system mappings.
> > > + */
> > > +#ifdef CONFIG_MSEAL_SYSTEM_MAPPINGS
> > > +#define MSEAL_SYSTEM_MAPPINGS_VM_FLAG VM_SEALED
> > > +#else
> > > +#define MSEAL_SYSTEM_MAPPINGS_VM_FLAG VM_NONE
> > > +#endif
> >
> > This ends up looking pretty wonky in practice:
> >
> > > + vm_flags = VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|VM_PFNMAP;
> > > + vm_flags |= MSEAL_SYSTEM_MAPPINGS_VM_FLAG;
> >
> > because MSEAL_SYSTEM_MAPPINGS_VM_FLAG is so much different from the
> > other ones.
> >
> > Would it really hurt to have
> >
> > #ifdef CONFIG_64BIT
> > /* VM is sealed, in vm_flags */
> > #define VM_SEALED _BITUL(63)
> > +#else
> > +#define VM_SEALED VM_NONE
> > #endif
> >
> > ?
> >
> VM_SEALED isn't defined in 32-bit systems, and mseal.c isn't part of
> the build. This is intentional. Any 32-bit code trying to use the
> sealing function or the VM_SEALED flag will immediately fail
> compilation. This makes it easier to identify incorrect usage.
>

The reason that two #defines are needed is because you can have mseal
enabled while not sealing system mappings, so for this to be clean we
need two defines.

However MSEAL_SYSTEM_MAPPINGS_VM_FLAG, is _way_ too long, in my opinion.
Keeping with "VM_SEALED" I'd suggest "VM_SYSTEM_SEALED".

> For example:
> Consider the case below in src/third_party/kernel/v6.6/fs/proc/task_mmu.c,

third_party?

>
> #ifdef CONFIG_64BIT
> [ilog2(VM_SEALED)] = "sl",
> #endif
>
> Redefining VM_SEALED to VM_NONE for 32 bit won't detect the problem
> in case that "#ifdef CONFIG_64BIT" line is missing.

I don't think it is reasonable to insist on doing things differently in
the kernel because you have external tests that would need updating.
These things can change independently, so I don't think this is a valid
argument.

If these are upstream tests, and we need these tests to work then they
can be fixed.

>
> Please note, this has been like this since the first version of
> mseal() RFC patch, and I prefer to keep it this way.

Thanks,
Liam

Next message: Mathieu Desnoyers: "Re: [PATCH v4 1/4] pkeys: add API to switch to permissive/zero pkey register"
Previous message: Kees Cook: "Re: [PATCH v6 7/7] mseal, system mappings: update mseal.rst"
In reply to: Jeff Xu: "Re: [PATCH v6 1/7] mseal, system mappings: kernel config and header change"
Next in thread: Jeff Xu: "Re: [PATCH v6 1/7] mseal, system mappings: kernel config and header change"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]