NACK: [SRU][PATCH 0/4] Backport mseal to ubuntu 24.04 LTS kernel 6.8.y

Koichiro Den koichiro.den at canonical.com
Fri Feb 21 14:29:38 UTC 2025


On Wed, Nov 27, 2024 at 08:28:58PM GMT, jeffxu at chromium.org wrote:
> From: Jeff Xu <jeffxu at chromium.org>
> 
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2089711
> 
> [ Impact ]
> 
> My name is Jeff Xu, I work with Stephen Röttger on hardening the Chrome
> browser. I'm reaching out to explore the possibility of backporting memory
> sealing into the 22.04 LTS kernel.
> 
> For context, it is worth noting that the Kernel introduces mseal support in
> version 6.10 [1]. The Chrome V8 engine will utilize the memory sealing
> function to protect its JIT compiler from memory corruption vulnerabilities.
> The change is merged in Chrome, and we believe that Ubuntu users would benefit
> from using this safer version of Chrome. In addition, Chrome uses Ubuntu LTS
> extensively for testing, which makes Ubuntu one of the first systems to have
> this enhanced security of Chrome.
> 
> glibc's dynamic linker is adding mseal to seal RO mappings such
> as .text, .rodata and .relro [2]; the integration test is completed.
> 
> The backport work includes 4 commits, and is based on 6.8.12 kernel.
> 
> ChromeOS and Android GKI both have the mseal backported to
> the 6.6 kernel [3] [4] [5] [6].
> 
> Thank you for your time and consideration.
> Best regards,
> Jeff
> 
> [1] https://docs.kernel.org/userspace-api/mseal.html
> [2] https://sourceware.org/pipermail/libc-alpha/2024-September/160291.html
> [3] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5595211/4
> [4] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5595853/4
> [5] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5742931
> [6] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5802772
> 
> [ Test Plan ]
> The test is performed by running the selftest (mseal_test) on the 6.8 kernel with the backport.
> I didn't include the selftest as part of the backport because there are many revisions of the tests;
> I believe it is unnecessary to backport those.
> 
> [ Where problems could occur ]
> This is not a bug; backporting this will enable the Chrome browser's security enhancement.
> 
> [ Other Info ]
> None.
> 
> 
> Jeff Xu (3):
>   mseal: wire up mseal syscall
>   mseal: add mseal syscall
>   /proc/pid/smaps: add mseal info for vma
> 
> Pedro Falcato (1):
>   mseal: fix is_madv_discard()
> 
>  Documentation/filesystems/proc.rst          |   1 +
>  arch/alpha/kernel/syscalls/syscall.tbl      |   1 +
>  arch/arm/tools/syscall.tbl                  |   1 +
>  arch/arm64/include/asm/unistd.h             |   2 +-
>  arch/arm64/include/asm/unistd32.h           |   2 +
>  arch/m68k/kernel/syscalls/syscall.tbl       |   1 +
>  arch/microblaze/kernel/syscalls/syscall.tbl |   1 +
>  arch/mips/kernel/syscalls/syscall_n32.tbl   |   1 +
>  arch/mips/kernel/syscalls/syscall_n64.tbl   |   1 +
>  arch/mips/kernel/syscalls/syscall_o32.tbl   |   1 +
>  arch/parisc/kernel/syscalls/syscall.tbl     |   1 +
>  arch/powerpc/kernel/syscalls/syscall.tbl    |   1 +
>  arch/s390/kernel/syscalls/syscall.tbl       |   1 +
>  arch/sh/kernel/syscalls/syscall.tbl         |   1 +
>  arch/sparc/kernel/syscalls/syscall.tbl      |   1 +
>  arch/x86/entry/syscalls/syscall_32.tbl      |   1 +
>  arch/x86/entry/syscalls/syscall_64.tbl      |   1 +
>  arch/xtensa/kernel/syscalls/syscall.tbl     |   1 +
>  fs/proc/task_mmu.c                          |   3 +
>  include/linux/mm.h                          |   5 +
>  include/linux/syscalls.h                    |   1 +
>  include/uapi/asm-generic/unistd.h           |   5 +-
>  kernel/sys_ni.c                             |   1 +
>  mm/Makefile                                 |   4 +
>  mm/internal.h                               |  32 ++
>  mm/madvise.c                                |  12 +
>  mm/mmap.c                                   |  31 +-
>  mm/mprotect.c                               |  10 +
>  mm/mremap.c                                 |  31 ++
>  mm/mseal.c                                  | 315 ++++++++++++++++++++
>  30 files changed, 467 insertions(+), 3 deletions(-)
>  create mode 100644 mm/mseal.c
> 

Hello,

I apologize for our delay in following up.

Given that this has been left untouched for several months, that we
generally don't backport new features unless absolutely necessary, and that
users can use linux-hwe-6.11, I'd like to NACK this for now. Please let me
know if you have any comments.

Thank you for the submission.
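
As an added illustration of the semantics this series backports (not part of the original thread or of the patches themselves), the following C program maps an anonymous region, seals it with mseal(2), and checks that later mprotect() and munmap() attempts on it are refused with EPERM. It assumes syscall number 462 where the libc headers lack __NR_mseal, and treats ENOSYS or EPERM returned by mseal() itself as "unavailable" (a kernel without the syscall, or a seccomp sandbox that rejects unknown syscalls).

```c
/* Added example (not from the thread): exercise mseal() semantics. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_mseal
#define __NR_mseal 462   /* assumption: x86_64 / asm-generic number from the tables */
#endif

static long sys_mseal(void *addr, size_t len)
{
    return syscall(__NR_mseal, addr, len, 0UL);  /* flags must currently be 0 */
}

/* Returns 0 when sealing works and blocks mprotect/munmap with EPERM,
 * 1 when mseal() is unavailable (ENOSYS, or EPERM from a seccomp filter),
 * -1 on any other, unexpected outcome. */
int mseal_demo(void)
{
    size_t len = 2 * (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    if (mprotect(p, len, PROT_READ) != 0)      /* allowed before sealing */
        return -1;
    if (sys_mseal(p, len) != 0) {
        int saved = errno;
        munmap(p, len);
        return (saved == ENOSYS || saved == EPERM) ? 1 : -1;
    }
    /* Sealed: protections and lifetime of the VMA are now fixed. */
    if (mprotect(p, len, PROT_READ | PROT_WRITE) == 0 || errno != EPERM)
        return -1;
    if (munmap(p, len) == 0 || errno != EPERM)
        return -1;
    return 0;   /* the region intentionally stays mapped until exit */
}

int main(void)
{
    int r = mseal_demo();
    puts(r == 0 ? "sealed: mprotect/munmap refused with EPERM"
       : r == 1 ? "mseal unavailable on this kernel/sandbox"
                : "unexpected result");
    return r < 0;
}
```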
