From: Dave Hansen <dave@sr71.net>
To: dave@sr71.net
Cc: borntraeger@de.ibm.com, x86@kernel.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
dave.hansen@linux.intel.com, linux-api@vger.kernel.org
Subject: [PATCH 21/25] mm: implement new mprotect_key() system call
Date: Mon, 28 Sep 2015 12:18:26 -0700 [thread overview]
Message-ID: <20150928191826.F1CD5256@viggo.jf.intel.com> (raw)
In-Reply-To: <20150928191817.035A64E2@viggo.jf.intel.com>
From: Dave Hansen <dave.hansen@linux.intel.com>
mprotect_key() is just like mprotect, except it also takes a
protection key as an argument. On systems that do not support
protection keys, it still works, but requires that key=0.
Otherwise it does exactly what mprotect does.
I expect it to get used like this, if you want to guarantee that
any mapping you create can *never* be accessed without the right
protection keys set up.
pkey_deny_access(11); // random pkey
int real_prot = PROT_READ|PROT_WRITE;
ptr = mmap(NULL, PAGE_SIZE, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
ret = mprotect_key(ptr, PAGE_SIZE, real_prot, 11);
This way, there is *no* window where the mapping is accessible
since it was always either PROT_NONE or had a protection key set.
We settled on 'unsigned long' for the type of the key here. We
only need 4 bits on x86 today, but I figured that other
architectures might need some more space.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: linux-api@vger.kernel.org
---
b/mm/Kconfig | 7 +++++++
b/mm/mprotect.c | 20 +++++++++++++++++---
2 files changed, 24 insertions(+), 3 deletions(-)
diff -puN mm/Kconfig~pkeys-85-mprotect_pkey mm/Kconfig
--- a/mm/Kconfig~pkeys-85-mprotect_pkey 2015-09-28 11:39:50.527391162 -0700
+++ b/mm/Kconfig 2015-09-28 11:39:50.532391390 -0700
@@ -683,3 +683,10 @@ config FRAME_VECTOR
config ARCH_USES_HIGH_VMA_FLAGS
bool
+
+config NR_PROTECTION_KEYS
+ int
+ # Everything supports a _single_ key, so allow folks to
+ # at least call APIs that take keys, but require that the
+ # key be 0.
+ default 1
diff -puN mm/mprotect.c~pkeys-85-mprotect_pkey mm/mprotect.c
--- a/mm/mprotect.c~pkeys-85-mprotect_pkey 2015-09-28 11:39:50.529391253 -0700
+++ b/mm/mprotect.c 2015-09-28 11:39:50.532391390 -0700
@@ -344,8 +344,8 @@ fail:
return error;
}
-SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
- unsigned long, prot)
+static int do_mprotect_key(unsigned long start, size_t len,
+ unsigned long prot, unsigned long key)
{
unsigned long vm_flags, nstart, end, tmp, reqprot;
struct vm_area_struct *vma, *prev;
@@ -365,6 +365,8 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
return -ENOMEM;
if (!arch_validate_prot(prot))
return -EINVAL;
+ if (key >= CONFIG_NR_PROTECTION_KEYS)
+ return -EINVAL;
reqprot = prot;
/*
@@ -373,7 +375,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
prot |= PROT_EXEC;
- vm_flags = calc_vm_prot_bits(prot, 0);
+ vm_flags = calc_vm_prot_bits(prot, key);
down_write(¤t->mm->mmap_sem);
@@ -443,3 +445,15 @@ out:
up_write(¤t->mm->mmap_sem);
return error;
}
+
+SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
+ unsigned long, prot)
+{
+ return do_mprotect_key(start, len, prot, 0);
+}
+
+SYSCALL_DEFINE4(mprotect_key, unsigned long, start, size_t, len,
+ unsigned long, prot, unsigned long, key)
+{
+ return do_mprotect_key(start, len, prot, key);
+}
_
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2015-09-28 19:25 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-28 19:18 [PATCH 00/25] x86: Memory Protection Keys Dave Hansen
2015-09-28 19:18 ` [PATCH 01/25] x86, fpu: add placeholder for Processor Trace XSAVE state Dave Hansen
2015-10-01 11:01 ` Thomas Gleixner
2015-09-28 19:18 ` [PATCH 02/25] x86, pkeys: Add Kconfig option Dave Hansen
2015-10-01 11:02 ` Thomas Gleixner
2015-09-28 19:18 ` [PATCH 03/25] x86, pkeys: cpuid bit definition Dave Hansen
2015-10-01 11:02 ` Thomas Gleixner
2015-09-28 19:18 ` [PATCH 05/25] x86, pkey: add PKRU xsave fields and data structure(s) Dave Hansen
2015-10-01 11:50 ` Thomas Gleixner
2015-10-01 17:17 ` Dave Hansen
2015-09-28 19:18 ` [PATCH 06/25] x86, pkeys: PTE bits for storing protection key Dave Hansen
2015-10-01 11:51 ` Thomas Gleixner
2015-09-28 19:18 ` [PATCH 04/25] x86, pku: define new CR4 bit Dave Hansen
2015-10-01 11:03 ` Thomas Gleixner
2015-09-28 19:18 ` [PATCH 08/25] x86, pkeys: store protection in high VMA flags Dave Hansen
2015-09-28 19:18 ` [PATCH 07/25] x86, pkeys: new page fault error code bit: PF_PK Dave Hansen
2015-10-01 11:54 ` Thomas Gleixner
2015-10-01 17:19 ` Dave Hansen
2015-09-28 19:18 ` [PATCH 10/25] x86, pkeys: pass VMA down in to fault signal generation code Dave Hansen
2015-09-28 19:18 ` [PATCH 09/25] x86, pkeys: arch-specific protection bits Dave Hansen
2015-09-28 19:18 ` [PATCH 13/25] mm: factor out VMA fault permission checking Dave Hansen
2015-09-28 19:18 ` [PATCH 11/25] x86, pkeys: notify userspace about protection key faults Dave Hansen
2015-09-28 19:18 ` [PATCH 12/25] x86, pkeys: add functions to fetch PKRU Dave Hansen
2015-09-28 19:18 ` [PATCH 16/25] x86, pkeys: optimize fault handling in access_error() Dave Hansen
2015-09-28 19:18 ` [PATCH 15/25] x86, pkeys: check VMAs and PTEs for protection keys Dave Hansen
2015-10-22 20:57 ` Jerome Glisse
2015-10-22 21:23 ` Dave Hansen
2015-10-22 22:25 ` Jerome Glisse
2015-10-23 0:49 ` Dave Hansen
2015-09-28 19:18 ` [PATCH 14/25] mm: simplify get_user_pages() PTE bit handling Dave Hansen
2015-09-28 19:18 ` [PATCH 18/25] x86, pkeys: dump PTE pkey in /proc/pid/smaps Dave Hansen
2015-09-28 19:18 ` [PATCH 19/25] x86, pkeys: add Kconfig prompt to existing config option Dave Hansen
2015-09-28 19:18 ` [PATCH 17/25] x86, pkeys: dump PKRU with other kernel registers Dave Hansen
2015-09-28 19:18 ` [PATCH 20/25] mm, multi-arch: pass a protection key in to calc_vm_flag_bits() Dave Hansen
2015-09-28 19:18 ` [PATCH 23/25] x86, pkeys: actually enable Memory Protection Keys in CPU Dave Hansen
2015-09-28 19:18 ` [PATCH 22/25] x86: wire up mprotect_key() system call Dave Hansen
2015-09-28 19:18 ` Dave Hansen [this message]
2015-09-29 6:39 ` [PATCH 21/25] mm: implement new " Michael Ellerman
2015-09-29 14:16 ` Dave Hansen
2015-09-28 19:18 ` [PATCH 25/25] x86, pkeys: Documentation Dave Hansen
2015-09-28 20:34 ` Andi Kleen
2015-09-28 20:41 ` Dave Hansen
2015-09-28 19:18 ` [PATCH 24/25] x86, pkeys: add self-tests Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150928191826.F1CD5256@viggo.jf.intel.com \
--to=dave@sr71.net \
--cc=borntraeger@de.ibm.com \
--cc=dave.hansen@linux.intel.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox