On January 25, 2023 1:29:20 AM PST, David Hildenbrand <david@xxxxxxxxxx> wrote: >On 25.01.23 00:41, Edgecombe, Rick P wrote: >> On Tue, 2023-01-24 at 15:08 -0800, Kees Cook wrote: >>>> GDB support for shadow stack is queued up for whenever the kernel >>>> interface settles. I believe it just uses ptrace, and not this >>>> proc. >>>> But yea ptrace poke will still need to use FOLL_FORCE and be able >>>> to >>>> write through shadow stacks. >>> >>> I'd prefer to avoid adding more FOLL_FORCE if we can. If gdb can do >>> stack manipulations through a ptrace interface then let's leave off >>> FOLL_FORCE. >> >> Ptrace and /proc/self/mem both use FOLL_FORCE. I think ptrace will >> always need it or something like it for debugging. >> >> To jog your memory, this series doesn't change what uses FOLL_FORCE. It >> just sets the shadow stack rules to be the same as read-only memory. So >> even though shadow stack memory is sort of writable, it's a bit more >> locked down and FOLL_FORCE is required to write to it with GUP. >> >> If we just remove FOLL_FORCE from /proc/self/mem, something will >> probably break right? How do we do this? Some sort of opt-in? > >I don't think removing that is an option. It's another debug interface that has been allowing such access for ever ... > >Blocking /proc/self/mem access completely for selected processes might be the better alternative. > Yeah, this would be nice. Kind of like being undumpable or no_new_privs. -- Kees Cook
