On Wed, Aug 19, 2020 at 08:53:42PM +0200, Mickaël Salaün wrote:
> On 12/08/2020 12:06, Mark Rutland wrote:
> > Contemporary W^X means that a given virtual alias cannot be writeable
> > and executable simultaneously, permitting (a) and (b). If you read the
> > references on the Wikipedia page for W
On 12/08/2020 12:06, Mark Rutland wrote:
> On Thu, Aug 06, 2020 at 12:26:02PM -0500, Madhavan T. Venkataraman wrote:
>> Thanks for the lively discussion. I have tried to answer some of the
>> comments below.
>>
>> On 8/4/20 9:30 AM, Mark Rutland wrote:
>>>
So, the context is - if security se
On 8/12/20 5:06 AM, Mark Rutland wrote:
> [..]
>>
>> The general principle of the mitigation is W^X. I would argue that
>> the above options are violations of the W^X principle. If they are
>> allowed today, they must be fixed. And they will be. So, we cannot
>> rely on them.
>
> Hold on.
>
>
On Thu, Aug 06, 2020 at 12:26:02PM -0500, Madhavan T. Venkataraman wrote:
> Thanks for the lively discussion. I have tried to answer some of the
> comments below.
>
> On 8/4/20 9:30 AM, Mark Rutland wrote:
> >
> >> So, the context is - if security settings in a system disallow a page to
> >> have
I am working on version 2 of trampfd. Will send it out soon.
Thanks for all the comments so far!
Madhavan
On 8/10/20 12:34 PM, Madhavan T. Venkataraman wrote:
> Resending because of mailer problems. Some of the recipients did not receive
> my email. I apologize. Sigh.
>
> Here is a redefinition
On 8/11/20 8:08 AM, Pavel Machek wrote:
> Hi!
>
Thanks for the lively discussion. I have tried to answer some of the
comments below.
>>>
> There are options today, e.g.
>
> a) If the restriction is only per-alias, you can have distinct aliases
>    where one is writabl
Hi!
> >> Thanks for the lively discussion. I have tried to answer some of the
> >> comments below.
> >
> >>> There are options today, e.g.
> >>>
> >>> a) If the restriction is only per-alias, you can have distinct aliases
> >>>    where one is writable and another is executable, and you can make
On 8/8/20 5:17 PM, Pavel Machek wrote:
> Hi!
>
>> Thanks for the lively discussion. I have tried to answer some of the
>> comments below.
>
>>> There are options today, e.g.
>>>
>>> a) If the restriction is only per-alias, you can have distinct aliases
>>>    where one is writable and another
Resending because of mailer problems. Some of the recipients did not receive
my email. I apologize. Sigh.
Here is a redefinition of trampfd based on review comments.
I wanted to address dynamic code in 3 different ways:
Remove the need for dynamic code where possible
Hi!
> Thanks for the lively discussion. I have tried to answer some of the
> comments below.
> > There are options today, e.g.
> >
> > a) If the restriction is only per-alias, you can have distinct aliases
> >    where one is writable and another is executable, and you can make it
> >    hard to
Thanks for the lively discussion. I have tried to answer some of the
comments below.
On 8/4/20 9:30 AM, Mark Rutland wrote:
>
>> So, the context is - if security settings in a system disallow a page to have
>> both write and execute permissions, how do you allow the execution of
>> genuine trampol
Hey Mark,
I am working on putting together an improved definition of trampfd per
Andy's comment. I will try to address your comments in that improved
definition. Once I send that out, I will respond to your emails as well.
Thanks.
Madhavan
On 8/4/20 8:55 AM, Mark Rutland wrote:
> On Mon, Aug 03
On 8/4/20 9:33 AM, David Laight wrote:
>>> If you look at the libffi reference patch I have included, the architecture
>>> specific changes to use trampfd just involve a single C function call to
>>> a common code function.
> No idea what libffi is, but it must surely be simpler to
> rewrite it
> > > If you look at the libffi reference patch I have included, the
> > > architecture
> > > specific changes to use trampfd just involve a single C function call to
> > > a common code function.
>
> No idea what libffi is, but it must surely be simpler to
> rewrite it to avoid nested function d
> > If you look at the libffi reference patch I have included, the architecture
> > specific changes to use trampfd just involve a single C function call to
> > a common code function.
No idea what libffi is, but it must surely be simpler to
rewrite it to avoid nested function definitions.
Or fin
On Mon, Aug 03, 2020 at 11:57:57AM -0500, Madhavan T. Venkataraman wrote:
> Responses inline..
>
> On 7/31/20 1:09 PM, Mark Rutland wrote:
> > Hi,
> >
> > On Tue, Jul 28, 2020 at 08:10:46AM -0500, madve...@linux.microsoft.com
> > wrote:
> >> From: "Madhavan T. Venkataraman"
> >> Trampoline code
On Mon, Aug 03, 2020 at 12:58:04PM -0500, Madhavan T. Venkataraman wrote:
> On 7/31/20 1:31 PM, Mark Rutland wrote:
> > On Fri, Jul 31, 2020 at 12:13:49PM -0500, Madhavan T. Venkataraman wrote:
> >> On 7/30/20 3:54 PM, Andy Lutomirski wrote:
> >>> On Thu, Jul 30, 2020 at 7:24 AM Madhavan T. Venkata
On 8/2/20 3:00 PM, Andy Lutomirski wrote:
> I feel like trampfd is too poorly defined at this point to evaluate.
Point taken. It is because I wanted to start with something small
and specific and expand it in the future. So, I did not really describe the big
picture - the overall vision, future
On 7/31/20 1:31 PM, Mark Rutland wrote:
> On Fri, Jul 31, 2020 at 12:13:49PM -0500, Madhavan T. Venkataraman wrote:
>> On 7/30/20 3:54 PM, Andy Lutomirski wrote:
>>> On Thu, Jul 30, 2020 at 7:24 AM Madhavan T. Venkataraman
>>> wrote:
>> Dealing with multiple architectures
>> ---
On 8/3/20 11:57 AM, David Laight wrote:
> From: Madhavan T. Venkataraman
>> Sent: 03 August 2020 17:03
>>
>> On 8/3/20 3:27 AM, David Laight wrote:
>>> From: Mark Rutland
Sent: 31 July 2020 19:32
>>> ...
> It requires PC-relative data references. I have not worked on all
> architec
From: Madhavan T. Venkataraman
> Sent: 03 August 2020 17:03
>
> On 8/3/20 3:27 AM, David Laight wrote:
> > From: Mark Rutland
> >> Sent: 31 July 2020 19:32
> > ...
> >>> It requires PC-relative data references. I have not worked on all
> >>> architectures.
> >>> So, I need to study this. But do a
Responses inline..
On 7/31/20 1:09 PM, Mark Rutland wrote:
> Hi,
>
> On Tue, Jul 28, 2020 at 08:10:46AM -0500, madve...@linux.microsoft.com wrote:
>> From: "Madhavan T. Venkataraman"
>> Trampoline code is placed either in a data page or in a stack page. In
>> order to execute a trampoline, the pa
On 8/3/20 3:27 AM, David Laight wrote:
> From: Mark Rutland
>> Sent: 31 July 2020 19:32
> ...
>>> It requires PC-relative data references. I have not worked on all
>>> architectures.
>>> So, I need to study this. But do all ISAs support PC-relative data
>>> references?
>> Not all do, but prett
>> Subject: Re: [PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor
>>
>> More responses inline..
>>
>> On 7/28/20 12:31 PM, Andy Lutomirski wrote:
On 8/3/20 3:08 AM, David Laight wrote:
> From: Pavel Machek
>> Sent: 02 August 2020 12:56
>> Hi!
>>
This is quite clever, but now I'm wondering just how much kernel help
is really needed. In your series, the trampoline is a non-executable
page. I can think of at least two alt
From: Mark Rutland
> Sent: 31 July 2020 19:32
...
> > It requires PC-relative data references. I have not worked on all
> > architectures.
> > So, I need to study this. But do all ISAs support PC-relative data
> > references?
>
> Not all do, but pretty much any recent ISA will as it's a practica
> Subject: Re: [PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor
>
> More responses inline..
>
> On 7/28/20 12:31 PM, Andy Lutomirski wrote:
> >> On Jul 28, 2020, at 6:11 AM, madve...@linux.microsoft.com wrote:
> >>
> >> From: "
From: Pavel Machek
> Sent: 02 August 2020 12:56
> Hi!
>
> > > This is quite clever, but now I'm wondering just how much kernel help
> > > is really needed. In your series, the trampoline is a non-executable
> > > page. I can think of at least two alternative approaches, and I'd
> > > like to
On 8/2/20 3:00 PM, Andy Lutomirski wrote:
> On Sun, Aug 2, 2020 at 11:54 AM Madhavan T. Venkataraman
> wrote:
>> More responses inline..
>>
>> On 7/28/20 12:31 PM, Andy Lutomirski wrote:
On Jul 28, 2020, at 6:11 AM, madve...@linux.microsoft.com wrote:
From: "Madhavan T. Venkatar
On Sun, Aug 2, 2020 at 11:54 AM Madhavan T. Venkataraman
wrote:
>
> More responses inline..
>
> On 7/28/20 12:31 PM, Andy Lutomirski wrote:
> >> On Jul 28, 2020, at 6:11 AM, madve...@linux.microsoft.com wrote:
> >>
> >> From: "Madhavan T. Venkataraman"
> >>
> >
> > 2. Use existing kernel functio
More responses inline..
On 7/28/20 12:31 PM, Andy Lutomirski wrote:
>> On Jul 28, 2020, at 6:11 AM, madve...@linux.microsoft.com wrote:
>>
>> From: "Madhavan T. Venkataraman"
>>
>
> 2. Use existing kernel functionality. Raise a signal, modify the
> state, and return from the signal. This is ve
* Madhavan T. Venkataraman:
> Standardization
> -
>
> Trampfd is a framework that can be used to implement multiple
> things. Maybe, a few of those things can also be implemented in
> user land itself. But I think having just one mechanism to execute
> dynamic code objects is
Hi!
> > This is quite clever, but now I'm wondering just how much kernel help
> > is really needed. In your series, the trampoline is a non-executable
> > page. I can think of at least two alternative approaches, and I'd
> > like to know the pros and cons.
> >
> > 1. Entirely userspace: a ret
Thanks for the comments. I will respond to these and your next
email on Monday.
Madhavan
On 7/31/20 1:09 PM, Mark Rutland wrote:
> Hi,
>
> On Tue, Jul 28, 2020 at 08:10:46AM -0500, madve...@linux.microsoft.com wrote:
>> From: "Madhavan T. Venkataraman"
>> Trampoline code is placed either in a da
On Fri, Jul 31, 2020 at 12:13:49PM -0500, Madhavan T. Venkataraman wrote:
> On 7/30/20 3:54 PM, Andy Lutomirski wrote:
> > On Thu, Jul 30, 2020 at 7:24 AM Madhavan T. Venkataraman
> > wrote:
> Dealing with multiple architectures
> ---
>
> One good reaso
Hi,
On Tue, Jul 28, 2020 at 08:10:46AM -0500, madve...@linux.microsoft.com wrote:
> From: "Madhavan T. Venkataraman"
> Trampoline code is placed either in a data page or in a stack page. In
> order to execute a trampoline, the page it resides in needs to be mapped
> with execute permissions. Writ
On 7/30/20 3:54 PM, Andy Lutomirski wrote:
> On Thu, Jul 30, 2020 at 7:24 AM Madhavan T. Venkataraman
> wrote:
>> ...
>> Creating a code page
>>
>>
>> We can do this in one of the following ways:
>>
>> - Allocate a writable page at run time, write the template code into
>>
On Thu, Jul 30, 2020 at 7:24 AM Madhavan T. Venkataraman
wrote:
>
> Sorry for the delay. I just wanted to think about this a little.
> In this email, I will respond to your first suggestion. I will
> respond to the rest in separate emails if that is alright with
> you.
>
> On 7/28/20 12:31 PM, And
For some reason my email program is not delivering to all the
recipients because of some formatting issues. I am resending.
I apologize. I will try to get this fixed.
Sorry for the delay. I just needed to think about it a little.
I will respond to your first suggestion in this email. I will
respon
> This is quite clever, but now I’m wondering just how much kernel help
> is really needed. In your series, the trampoline is a non-executable
> page. I can think of at least two alternative approaches, and I'd
> like to know the pros and cons.
>
> 1. Entirely userspace: a return trampoline woul
On 7/29/20 3:36 AM, David Laight wrote:
> From: Madhavan T. Venkataraman
>> Sent: 28 July 2020 19:52
> ...
>> trampfd faults are instruction faults that go through a different code path
>> than
>> the one that calls handle_mm_fault(). Perhaps, it is the handle_mm_fault()
>> that
>> is time con
* Andy Lutomirski:
> This is quite clever, but now I’m wondering just how much kernel help
> is really needed. In your series, the trampoline is a non-executable
> page. I can think of at least two alternative approaches, and I'd
> like to know the pros and cons.
>
> 1. Entirely userspace: a ret
From: Madhavan T. Venkataraman
> Sent: 28 July 2020 19:52
...
> trampfd faults are instruction faults that go through a different code path
> than
> the one that calls handle_mm_fault(). Perhaps, it is the handle_mm_fault()
> that
> is time consuming. Could you clarify?
Given that the expectatio
On Tue, Jul 28, 2020 at 10:40 AM Madhavan T. Venkataraman
wrote:
>
>
>
> On 7/28/20 12:16 PM, Andy Lutomirski wrote:
>
> On Tue, Jul 28, 2020 at 9:32 AM Madhavan T. Venkataraman
> wrote:
>
> Thanks. See inline..
>
> On 7/28/20 10:13 AM, David Laight wrote:
>
> From: madve...@linux.microsoft.com
I am working on a response to this. I will send it soon.
Thanks.
Madhavan
On 7/28/20 12:31 PM, Andy Lutomirski wrote:
>> On Jul 28, 2020, at 6:11 AM, madve...@linux.microsoft.com wrote:
>>
>> From: "Madhavan T. Venkataraman"
>>
>> The kernel creates the trampoline mapping without any permissio
On 7/28/20 12:16 PM, Andy Lutomirski wrote:
> On Tue, Jul 28, 2020 at 9:32 AM Madhavan T. Venkataraman
> wrote:
>> Thanks. See inline..
>>
>> On 7/28/20 10:13 AM, David Laight wrote:
>>> From: madve...@linux.microsoft.com
Sent: 28 July 2020 14:11
>>> ...
The kernel creates the trampo
> On Jul 28, 2020, at 6:11 AM, madve...@linux.microsoft.com wrote:
>
> From: "Madhavan T. Venkataraman"
>
> The kernel creates the trampoline mapping without any permissions. When
> the trampoline is executed by user code, a page fault happens and the
> kernel gets control. The kernel recognizes
On Tue, Jul 28, 2020 at 9:32 AM Madhavan T. Venkataraman
wrote:
>
> Thanks. See inline..
>
> On 7/28/20 10:13 AM, David Laight wrote:
> > From: madve...@linux.microsoft.com
> >> Sent: 28 July 2020 14:11
> > ...
> >> The kernel creates the trampoline mapping without any permissions. When
> >> the
On 7/28/20 12:05 PM, James Morris wrote:
> On Tue, 28 Jul 2020, Casey Schaufler wrote:
>
>> You could make a separate LSM to do these checks instead of limiting
>> it to SELinux. Your use case, your call, of course.
> It's not limited to SELinux. This is hooked via the LSM API and
> implementab
On Tue, 28 Jul 2020, Casey Schaufler wrote:
> You could make a separate LSM to do these checks instead of limiting
> it to SELinux. Your use case, your call, of course.
It's not limited to SELinux. This is hooked via the LSM API and
implementable by any LSM (similar to execmem, execstack etc.)
Thanks.
On 7/28/20 11:05 AM, Casey Schaufler wrote:
>> In this solution, the kernel recognizes certain sequences of instructions
>> as "well-known" trampolines. When such a trampoline is executed, a page
>> fault happens because the trampoline page does not have execute permission.
>> The kernel r
Thanks. See inline..
On 7/28/20 10:13 AM, David Laight wrote:
> From: madve...@linux.microsoft.com
>> Sent: 28 July 2020 14:11
> ...
>> The kernel creates the trampoline mapping without any permissions. When
>> the trampoline is executed by user code, a page fault happens and the
>> kernel gets c
On 7/28/2020 6:10 AM, madve...@linux.microsoft.com wrote:
> From: "Madhavan T. Venkataraman"
>
> Introduction
>
>
> Trampolines are used in many different user applications. Trampoline
> code is often generated at runtime. Trampoline code can also just be a
> pre-defined sequence of m
From: madve...@linux.microsoft.com
> Sent: 28 July 2020 14:11
...
> The kernel creates the trampoline mapping without any permissions. When
> the trampoline is executed by user code, a page fault happens and the
> kernel gets control. The kernel recognizes that this is a trampoline
> invocation. I
From: "Madhavan T. Venkataraman"
Introduction
Trampolines are used in many different user applications. Trampoline
code is often generated at runtime. Trampoline code can also just be a
pre-defined sequence of machine instructions in a data buffer.
Trampoline code is placed either