[RFC PATCH 2/7] x86/sci: add core implementation for system call isolation

Dave Hansen dave.hansen at intel.com
Fri Apr 26 14:46:18 UTC 2019


On 4/25/19 2:45 PM, Mike Rapoport wrote:
> After the isolated system call finishes, the mappings created during its
> execution are cleared.

Yikes.  I guess that stops someone from calling write() a bunch of times
on every filesystem using every block device driver and all the DM code
to get a lot of code/data faulted in.  But, it also means not even
long-running processes will ever have a chance of behaving anything
close to normally.

Is this something you think can be rectified or is there something
fundamental that would keep SCI page tables from being cached across
different invocations of the same syscall?


