[PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor

Madhavan T. Venkataraman madvenka at linux.microsoft.com
Mon Aug 3 15:59:04 UTC 2020



On 8/3/20 3:23 AM, David Laight wrote:
> From: Madhavan T. Venkataraman
>> Sent: 02 August 2020 19:55
>> To: Andy Lutomirski <luto at kernel.org>
>> Cc: Kernel Hardening <kernel-hardening at lists.openwall.com>; Linux API <linux-api at vger.kernel.org>;
>> linux-arm-kernel <linux-arm-kernel at lists.infradead.org>; Linux FS Devel <linux-
>> fsdevel at vger.kernel.org>; linux-integrity <linux-integrity at vger.kernel.org>; LKML <linux-
>> kernel at vger.kernel.org>; LSM List <linux-security-module at vger.kernel.org>; Oleg Nesterov
>> <oleg at redhat.com>; X86 ML <x86 at kernel.org>
>> Subject: Re: [PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor
>>
>> More responses inline..
>>
>> On 7/28/20 12:31 PM, Andy Lutomirski wrote:
>>>> On Jul 28, 2020, at 6:11 AM, madvenka at linux.microsoft.com wrote:
>>>>
>>>> From: "Madhavan T. Venkataraman" <madvenka at linux.microsoft.com>
>>>>
>>> 2. Use existing kernel functionality.  Raise a signal, modify the
>>> state, and return from the signal.  This is very flexible and may not
>>> be all that much slower than trampfd.
>> Let me understand this. You are saying that the trampoline code
>> would raise a signal and, in the signal handler, set up the context
>> so that when the signal handler returns, we end up in the target
>> function with the context correctly set up. And, this trampoline code
>> can be generated statically at build time so that there are no
>> security issues using it.
>>
>> Have I understood your suggestion correctly?
> I was thinking that you'd just let the 'not executable' page fault
> signal happen (SIGSEGV?) when the code jumps to on-stack trampoline
> is executed.
>
> The user signal handler can then decode the faulting instruction
> and, if it matches the expected on-stack trampoline, modify the
> saved registers before returning from the signal.
>
> No kernel changes and all you need to add to the program is
> an architecture-dependant signal handler.

Understood.

Madhavan



More information about the Linux-security-module-archive mailing list