On 12/10/21 at 20:32, Samuel Thibault wrote:
> Sergey Bugaev, on Tue. 12 Oct 2021 16:22:48 +0300, wrote:
>> So in the case of vm_map-backed pager, it should matter whether you
>> have a task port to the target task, not whether you *are* the target
>> task. If someone has a task port to a task, it allows them to
>> completely control the task anyway (including making it invoke any
>> RPC); there are no additional security gains from checking who the
>> caller is, but there will be additional breakage.
>
> Yes, making the caller pass the task port should be completely enough.
Thanks for your explanations; if that's the case then I basically have it already. I attached a patch with the changes.

The new interface needs to know about proxies, and if a range has been mapped using a proxy, it must return the proxy and not the original object, which could otherwise be used to bypass the proxy protection; that's why I needed a way to look up used proxies from a task and an address. I implemented that using a hash, like I did in my previous dev_pager patch. That seems OK and it works, but the only way I found to remove proxies from the hash once they are not needed is to look up a proxy every time vm_deallocate is called. I don't like that, since proxies are rarely used, so rarely (if ever) will a range being unmapped be present in the hash. Ideas?