On 2020/06/27 1:45, Eric W. Biederman wrote: >> After this cleanup, I expect adding some protections/isolation which kernel threads >> have (e.g. excluded from ptrace(), excluded from OOM victim selection, excluded from >> SysRq-i, won't be terminated by SIGKILL from usermode processes, won't be stopped by >> SIGSTOP from usermode processes, what else?). Doing it means giving up Alexei's >> >> It's nice to be able to compile that blob with -g and be able to 'gdb -p' into it. >> That works and very convenient when it comes to debugging. Compare that to debugging >> a kernel module! >> >> but I think doing it is essential for keeping usermode blob processes as secure/robust >> as kernel threads. > > Do you have an application for a user mode driver? No, I'm not a user of this interface. > > I think concerns like that are best addressed in the context of a > specific driver/usecase. Just to make certain we are solving the right > problems. > > My sense is that an advantage of user mode drivers can safely be buggier > than kernel drivers and the freedom to kill them when the drivers go > wrong (knowing the drivers will restart) is important. Right. Segmentation fault in user mode drivers does not cause a kernel oops is an advantage of user mode drivers. But the freedom to disturb/kill user mode drivers due to interference like ptrace()/signals from user mode processes, SIGKILL from OOM-killer/SysRq-i etc. is a big disadvantage of user mode drivers. I expect that user mode drivers should be killable only when the manager interface detected that user mode drivers need to be stopped (or restarted). One of advantages kernel mode drivers have is that their memory is not swapped out/in. I don't know whether mlockall(MCL_FUTURE) should be automatically applied to user mode drivers. > > Does this series by using the normal path through exec solve your > concerns with LSMs being able to identify these processes (both > individually and as class)?. I guess "yes" for pathname based LSMs. Though, TOMOYO wants to obtain both AT_SYMLINK_NOFOLLOW "struct path" and !AT_SYMLINK_NOFOLLOW "struct path" at do_open_execat() from do_execveat_common(). I guess "no" for inode based LSMs, for they want a chance to associate security labels at blob_to_mnt().