[SRU][PATCH 0/4] Backport mseal to ubuntu 24.04 LTS kernel 6.8.y
jeffxu at chromium.org
Wed Nov 27 20:28:58 UTC 2024
From: Jeff Xu <jeffxu at chromium.org>
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2089711
[ Impact ]
My name is Jeff Xu, and I work with Stephen Röttger on hardening the Chrome
browser. I'm reaching out to explore the possibility of backporting memory
sealing into the 22.04 LTS kernel.
For context, it is worth noting that the kernel introduces mseal support in
version 6.10 [1]. The Chrome V8 engine will utilize the memory sealing
function to protect its JIT compiler from memory corruption vulnerabilities.
The change is merged in Chrome, and we believe that Ubuntu users would benefit
from using this safer version of Chrome. In addition, Chrome uses Ubuntu LTS
extensively for testing, which makes Ubuntu one of the first systems to have
this enhanced security of Chrome.
glibc's dynamic linker is adding mseal to seal RO mappings such
as .text, .rodata, .relco [2]; the integration test is completed.
The backport work includes 4 commits, and is based on the 6.8.12 kernel.
ChromeOS and Android GKI both have the mseal backported to
the 6.6 kernel [3] [4] [5] [6].
Thank you for your time and consideration.
Best regards,
Jeff
[1] https://docs.kernel.org/userspace-api/mseal.html
[2] https://sourceware.org/pipermail/libc-alpha/2024-September/160291.html
[3] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5595211/4
[4] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5595853/4
[5] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5742931
[6] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5802772
[ Test Plan ]
The test is performed by running selftest (mseal_test) on the 6.8 kernel with the backport.
I didn't include selftest as part of the backport because there are many revisions of the tests;
I believe it is unnecessary to backport those.
[ Where problems could occur ]
This is not a bug; backporting this will enable the Chrome browser's security enhancement.
[ Other Info ]
None.
Jeff Xu (3):
  mseal: wire up mseal syscall
  mseal: add mseal syscall
  /proc/pid/smaps: add mseal info for vma

Pedro Falcato (1):
  mseal: fix is_madv_discard()
Documentation/filesystems/proc.rst | 1 +
arch/alpha/kernel/syscalls/syscall.tbl | 1 +
arch/arm/tools/syscall.tbl | 1 +
arch/arm64/include/asm/unistd.h | 2 +-
arch/arm64/include/asm/unistd32.h | 2 +
arch/m68k/kernel/syscalls/syscall.tbl | 1 +
arch/microblaze/kernel/syscalls/syscall.tbl | 1 +
arch/mips/kernel/syscalls/syscall_n32.tbl | 1 +
arch/mips/kernel/syscalls/syscall_n64.tbl | 1 +
arch/mips/kernel/syscalls/syscall_o32.tbl | 1 +
arch/parisc/kernel/syscalls/syscall.tbl | 1 +
arch/powerpc/kernel/syscalls/syscall.tbl | 1 +
arch/s390/kernel/syscalls/syscall.tbl | 1 +
arch/sh/kernel/syscalls/syscall.tbl | 1 +
arch/sparc/kernel/syscalls/syscall.tbl | 1 +
arch/x86/entry/syscalls/syscall_32.tbl | 1 +
arch/x86/entry/syscalls/syscall_64.tbl | 1 +
arch/xtensa/kernel/syscalls/syscall.tbl | 1 +
fs/proc/task_mmu.c | 3 +
include/linux/mm.h | 5 +
include/linux/syscalls.h | 1 +
include/uapi/asm-generic/unistd.h | 5 +-
kernel/sys_ni.c | 1 +
mm/Makefile | 4 +
mm/internal.h | 32 ++
mm/madvise.c | 12 +
mm/mmap.c | 31 +-
mm/mprotect.c | 10 +
mm/mremap.c | 31 ++
mm/mseal.c | 315 ++++++++++++++++++++
30 files changed, 467 insertions(+), 3 deletions(-)
create mode 100644 mm/mseal.c
--
2.47.0.338.g60cca15819-goog
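
A quick runtime check of what the backport is meant to provide, added here as an example; it is not part of the series above and not the kernel's mseal_test selftest. It seals one anonymous page and confirms that mprotect() and munmap() are then refused with EPERM, as documented in [1]. The fallback syscall number 462 and the names probe_mseal and MSEAL_* are assumptions of this example; 462 matches the x86-64 and asm-generic tables, not necessarily every architecture in the diffstat.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_mseal
#define __NR_mseal 462 /* assumption: x86-64 / asm-generic number; older libc headers lack it */
#endif

enum { MSEAL_BROKEN = -1, MSEAL_UNAVAILABLE = 0, MSEAL_ENFORCED = 1 };

/* Seal one anonymous page, then confirm the kernel refuses to change it. */
static int probe_mseal(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return MSEAL_UNAVAILABLE;

    /* mseal(addr, len, flags): flags must currently be 0. */
    if (syscall(__NR_mseal, p, (size_t)page, 0UL) != 0) {
        munmap(p, page);          /* not sealed, so unmapping still works */
        return MSEAL_UNAVAILABLE; /* e.g. ENOSYS on a kernel without mseal */
    }

    /* On a sealed mapping both calls must fail with EPERM. */
    errno = 0;
    int prot_rc = mprotect(p, page, PROT_READ | PROT_WRITE);
    int prot_errno = errno;
    errno = 0;
    int unmap_rc = munmap(p, page);
    int unmap_errno = errno;

    if (prot_rc == -1 && prot_errno == EPERM &&
        unmap_rc == -1 && unmap_errno == EPERM)
        return MSEAL_ENFORCED; /* the page stays mapped until exit, by design */
    return MSEAL_BROKEN;       /* seal accepted but not enforced */
}

int main(void)
{
    static const char *msg[] = { "BROKEN", "unavailable", "enforced" };
    printf("mseal: %s\n", msg[probe_mseal() + 1]);
    return 0;
}
```

On a kernel carrying the backport this should print "mseal: enforced"; "unavailable" means the syscall was rejected before any sealing took place.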