A sandbox mode for the kernel
Posted Mar 7, 2024 14:21 UTC (Thu) by tesarik (subscriber, #52705)
In reply to: A sandbox mode for the kernel by draco
Parent article: A sandbox mode for the kernel
FWIW I had a quick glance at CPL 1 and 2:
- This thing is x86-specific (whereas my SandBox Mode can be implemented for any platform with an MMU).
- Memory protection in Linux is based on paging, which does not offer more than a U/S bit even on x86.
Despite what Linus wrote in the reply linked above, a “Supervisor page” does not mean CPL=0, but rather CPL≠3. So, there is a difference between ring 1 (can access Supervisor pages) and ring 3 (cannot access only User pages), and there is also a difference between ring 0 (can execute privileged instructions) and ring 1 (cannot execute privileged instructions). From this, it would seem that ring 1 matches SandBox Mode requirements quite nicely, but not really. Since kernel pages are accessible from ring 1, I would have to flush the whole TLB (including global pages) on every SandBox Mode entry. If sandbox code runs in ring 3, I can do lazy TLB invalidation, which is a huge performance win.
