Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 30 Mar 2017 12:49:10 -0700
From: Kees Cook <keescook@...omium.org>
To: Russell King - ARM Linux <linux@...linux.org.uk>
Cc: Hoeun Ryu <hoeun.ryu@...il.com>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Andy Lutomirski <luto@...nel.org>, 
	PaX Team <pageexec@...email.hu>, Emese Revfy <re.emese@...il.com>, 
	"x86@...nel.org" <x86@...nel.org>, Catalin Marinas <catalin.marinas@....com>, 
	Will Deacon <will.deacon@....com>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, 
	Christoffer Dall <christoffer.dall@...aro.org>, Mark Rutland <mark.rutland@....com>, 
	Suzuki K Poulose <suzuki.poulose@....com>, Laura Abbott <labbott@...hat.com>, 
	Hugh Dickins <hughd@...gle.com>, Steve Capper <steve.capper@....com>, 
	Ganapatrao Kulkarni <gkulkarni@...iumnetworks.com>, James Morse <james.morse@....com>, 
	Kefeng Wang <wangkefeng.wang@...wei.com>, 
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, LKML <linux-kernel@...r.kernel.org>
Subject: Re: [RFCv2] arm64: support HAVE_ARCH_RARE_WRITE and HAVE_ARCH_RARE_WRITE_MEMCPY

On Thu, Mar 30, 2017 at 12:45 PM, Russell King - ARM Linux
<linux@...linux.org.uk> wrote:
> On Thu, Mar 30, 2017 at 12:38:15PM -0700, Kees Cook wrote:
>> Great work! I think this will need some further changes, though, since
>> it doesn't look to me like this would pass LKDTM's tests if it was
>> built as a module. (This is missing from my ARM attempt too... I
>> haven't figured out how to set the domain on the kernel modules...)
>
> You're not going to be able to do it very easily.  The only way I can
> think of achieving it would be to split the module area into one
> chunk for text, one chunk for write-rare and one chunk for data.

Well, my intention was to just make the entire module area
DOMAIN_WR_RARE. It's overly permissive in the sense that non-data
changes could be made, but this is already an improvement over either
not having this feature at all or x86's version which makes all of RAM
writable.

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.