[PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor
Andy Lutomirski
luto at kernel.org
Sun Aug 2 20:00:53 UTC 2020
On Sun, Aug 2, 2020 at 11:54 AM Madhavan T. Venkataraman
<madvenka at linux.microsoft.com> wrote:
>
> More responses inline..
>
> On 7/28/20 12:31 PM, Andy Lutomirski wrote:
> >> On Jul 28, 2020, at 6:11 AM, madvenka at linux.microsoft.com wrote:
> >>
> >> From: "Madhavan T. Venkataraman" <madvenka at linux.microsoft.com>
> >>
> >
> > 2. Use existing kernel functionality. Raise a signal, modify the
> > state, and return from the signal. This is very flexible and may not
> > be all that much slower than trampfd.
>
> Let me understand this. You are saying that the trampoline code
> would raise a signal and, in the signal handler, set up the context
> so that when the signal handler returns, we end up in the target
> function with the context correctly set up. And, this trampoline code
> can be generated statically at build time so that there are no
> security issues using it.
>
> Have I understood your suggestion correctly?
yes.
>
> So, my argument would be that this would always incur the overhead
> of a trip to the kernel. I think twice the overhead if I am not mistaken.
> With trampfd, we can have the kernel generate the code so that there
> is no performance penalty at all.
I feel like trampfd is too poorly defined at this point to evaluate.
There are three general things it could do. It could generate actual
code that varies by instance. It could have static code that does not
vary. And it could actually involve a kernel entry.
If it involves a kernel entry, then it's slow. Maybe this is okay for
some use cases.
If it involves only static code, I see no good reason that it should
be in the kernel.
If it involves dynamic code, then I think it needs a clearly defined
use case that actually requires dynamic code.
> Also, signals are asynchronous. So, they are vulnerable to race conditions.
> To prevent other signals from coming in while handling the raised signal,
> we would need to block and unblock signals. This will cause more
> overhead.
If you're worried about raise() racing against signals from out of
thread, you have bigger problems to deal with.
More information about the Linux-security-module-archive
mailing list