Re: [RFC PATCH v2 7/8] mseal:Check seal flag for mmap(2)

From: Stephen Röttger
Date: Thu Oct 19 2023 - 03:27:24 EST

Next message: Calvince Otieno: "[PATCH] staging: bcm2835-audio: remove function snd_bcm2835_new_ctl()"
Previous message: Kalle Valo: "Re: [PATCH] ssb: relax SSB_EMBEDDED dependencies"
In reply to: Jeff Xu: "Re: [RFC PATCH v2 7/8] mseal:Check seal flag for mmap(2)"
Next in thread: David Laight: "RE: [RFC PATCH v2 0/8] Introduce mseal() syscall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Without that practical reason, I think the only two sane sealing operations are:
>
> - SEAL_MUNMAP: "don't allow this mapping address to go away"
>
> IOW no unmap, no shrinking, no moving mremap
>
> - SEAL_MPROTECT: "don't allow any mapping permission changes"
>
> Again, that permission case might end up being "don't allow
> _additional_ permissions" and "don't allow taking permissions away".
> Or it could be split by operation (ie "don't allow permission changes
> to writability / readability / executability respectively").
>
> I suspect there isn't a real-life example of splitting the
> SEAL_MPROTECT (the same way I doubt there's a real-life example for
> splitting the UNMAP into "unmap vs move"), so unless there is some
> real reason, I'd keep the sealing minimal and to just those two flags.

These two flags are exactly what we would use in Chrome. I can't think of a
use case for a more fine grained split either.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Next message: Calvince Otieno: "[PATCH] staging: bcm2835-audio: remove function snd_bcm2835_new_ctl()"
Previous message: Kalle Valo: "Re: [PATCH] ssb: relax SSB_EMBEDDED dependencies"
In reply to: Jeff Xu: "Re: [RFC PATCH v2 7/8] mseal:Check seal flag for mmap(2)"
Next in thread: David Laight: "RE: [RFC PATCH v2 0/8] Introduce mseal() syscall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]