Re: [PATCH v1 5/5] sbm: SandBox Mode documentation

From: Greg Kroah-Hartman
Date: Wed Feb 14 2024 - 09:01:49 EST


On Wed, Feb 14, 2024 at 05:30:53AM -0800, Andrew Morton wrote:
> On Wed, 14 Feb 2024 12:30:35 +0100 Petr Tesarik <petrtesarik@xxxxxxxxxxxxxxx> wrote:
>
> > +Although data structures are not serialized and deserialized between kernel
> > +mode and sandbox mode, all directly and indirectly referenced data structures
> > +must be explicitly mapped into the sandbox, which requires some manual effort.
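Review bot: the paragraph says referenced data structures "must be explicitly mapped into the sandbox" but does not say which interface performs the mapping or what happens when the sandboxed function touches memory that was not mapped (a fault in the caller, an aborted sandbox call, or something else). Both are behaviour a caller has to rely on, so the documentation should state them here, e.g. "Accesses outside the mapped regions result in ..." followed by a pointer to the mapping API.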
>
> Maybe I'm missing something here, but...
>
> The requirement that the sandboxed function only ever touch two linear
> blocks of memory (yes?) seems a tremendous limitation. I mean, how can
> the sandboxed function call kmalloc()? How can it call any useful
> kernel functions? They'll all touch memory which lies outside the
> sandbox areas?
>
> Perhaps a simple but real-world example would help clarify.

I agree, this looks like an "interesting" framework, but we don't add
code to the kernel without a real, in-kernel user for it.

Without such a thing, we can't even consider it for inclusion as we
don't know how it will actually work and how any subsystem would use it.

Petr, do you have a user for this today?

thanks,

greg k-h