On Mon, Jun 6, 2016 at 11:42 PM, Jessica Yu <j...@redhat.com> wrote: > +++ Rusty Russell [05/06/16 14:39 +0930]: >> >> Kees Cook <keesc...@google.com> writes: >>> >>> Hi Rusty, >>> >>> I'd love to get your thoughts on the best way to support >>> __ro_after_init markings for modules. Are the r/o markings done after >>> module __init runs? If so, this should make things easy, and then we >>> just need to move .data..ro_after_init into .rodata at link time. If >>> not, then we'd need to explicitly make this section read-only after >>> _init. >> >> >> As you might expect, the sections are made read-only before anything >> runs. We'll need to do the latter, which means it needs to be >> page-aligned. (Well we could put it in the same page as .rodata, and >> just not protect that fully until after init). > > > Hi Rusty, Kees, :-) > > Right, RO protection is enabled in load_module() before module __init gets > to > run. So I guess there are two ways to go about this: either (1) keep > __ro_after_init with the rest of rodata and toggle RO protection after > __init > runs, but I think we'd probably want to keep this protection before anything > executes. Or (2) modify layout_sections() in the module loader to place > .data..ro_after_init data in its own set of page(s) so that we can toggle RO > on/off independently of the other module sections, and set them to RO only > after module init runs. > So perhaps the modified module memory layout might look like.. > [text] [rodata] [ro after init] [writable data] > > I don't think (2) should be hard to implement in the module loader (well, > at first glance :-), maybe I'm missing something), but I could go ahead and > give a patch a shot.
I would agree that "2" sound best. I'm happy to help review and test any patches. And after having looked at this myself, I'm curious to see the solution since I couldn't figure out how the layout code worked. :) -Kees -- Kees Cook Chrome OS & Brillo Security
