On Fri, Aug 16, 2024 at 07:08:09PM +0200, Jann Horn wrote:

> Yeah, having a FOLL_FORCE write in clone3 would be a weakness for
> userspace CFI and probably make it possible to violate mseal()
> restrictions that are supposed to enforce that address space regions
> are read-only.

Note that this will only happen for shadow stack pages (with the new
version) and only for a valid token at the specific address.
mseal()ing a shadow stack to be read only is hopefully not going to go
terribly well for userspace.

> Though, did anyone in the thread yet suggest that you could do this
> before the child process has fully materialized but after the child MM
> has been set up? Somewhere in copy_process() between copy_mm() and the
> "/* No more failure paths after this point. */" comment?

Yes, I've got a version that does that waiting to go pending some
discussion on if we even do the check for the token in the child mm.