From: Petr Tesarik <petrtesarik@huaweicloud.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: "Petr Tesařík" <petr@tesarici.cz>,
	"Petr Tesarik" <petrtesarik@huaweicloud.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Thomas Gleixner" <tglx@linutronix.de>,
	"Ingo Molnar" <mingo@redhat.com>,
	"Borislav Petkov" <bp@alien8.de>,
	"Dave Hansen" <dave.hansen@linux.intel.com>,
	"maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
	<x86@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Oleg Nesterov" <oleg@redhat.com>,
	"Peter Zijlstra" <peterz@infradead.org>,
	"Xin Li" <xin3.li@intel.com>, "Arnd Bergmann" <arnd@arndb.de>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Rick Edgecombe" <rick.p.edgecombe@intel.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Masami Hiramatsu (Google)" <mhiramat@kernel.org>,
	"Pengfei Xu" <pengfei.xu@intel.com>,
	"Josh Poimboeuf" <jpoimboe@kernel.org>,
	"Ze Gao" <zegao2021@gmail.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	"Kai Huang" <kai.huang@intel.com>,
	"David Woodhouse" <dwmw@amazon.co.uk>,
	"Brian Gerst" <brgerst@gmail.com>,
	"Jason Gunthorpe" <jgg@ziepe.ca>,
	"Joerg Roedel" <jroedel@suse.de>,
	"Mike Rapoport (IBM)" <rppt@kernel.org>,
	"Tina Zhang" <tina.zhang@intel.com>,
	"Jacob Pan" <jacob.jun.pan@linux.intel.com>,
	"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
	"open list" <linux-kernel@vger.kernel.org>,
	"Roberto Sassu" <roberto.sassu@huaweicloud.com>,
	"John Johansen" <john.johansen@canonical.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org,
	"Petr Tesarik" <petr.tesarik1@huawei-partners.com>
Subject: [RFC 3/5] sbm: x86: infrastructure to fix up sandbox faults
Date: Thu, 22 Feb 2024 14:12:28 +0100	[thread overview]
Message-ID: <20240222131230.635-4-petrtesarik@huaweicloud.com> (raw)
In-Reply-To: <20240222131230.635-1-petrtesarik@huaweicloud.com>

From: Petr Tesarik <petr.tesarik1@huawei-partners.com>

Since sandbox mode cannot modify kernel data, much of the core API cannot
be used directly. Provide a method to call a known subset of kernel
functions from the sandbox fault handler on behalf of the sandbox code.

Since SBM permissions have page granularity, the code of an intercepted
function must not be in the same page as another function running in
sandbox mode. Provide a __nosbm marker to move the intercepted functions
into a special ELF section, align it to page boundaries and map it so that
it is not executable in sandbox mode. To minimize alignment padding, merge
the __nosbm section with the kernel entry code.

Signed-off-by: Petr Tesarik <petr.tesarik1@huawei-partners.com>
---
 arch/x86/kernel/sbm/call_64.S | 20 +++++++++++
 arch/x86/kernel/sbm/core.c    | 65 +++++++++++++++++++++++++++++++++--
 arch/x86/kernel/vmlinux.lds.S |  9 +++++
 include/linux/sbm.h           |  6 ++++
 4 files changed, 98 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/sbm/call_64.S b/arch/x86/kernel/sbm/call_64.S
index 21edce5666bc..6d8ae30a0984 100644
--- a/arch/x86/kernel/sbm/call_64.S
+++ b/arch/x86/kernel/sbm/call_64.S
@@ -93,3 +93,23 @@ SYM_INNER_LABEL(x86_sbm_return, SYM_L_GLOBAL)
 	pop	%rbp
 	RET
 SYM_FUNC_END(x86_sbm_exec)
+
+.text
+
+/*
+ * arguments:
+ * rdi  .. state (ignored)
+ * rsi  .. target function
+ * rdx  .. struct pt_regs
+*/
+SYM_FUNC_START(x86_sbm_proxy_call)
+	mov	%rdx, %r10
+	mov	%rsi, %r11
+	mov	pt_regs_di(%r10), %rdi
+	mov	pt_regs_si(%r10), %rsi
+	mov	pt_regs_dx(%r10), %rdx
+	mov	pt_regs_cx(%r10), %rcx
+	mov	pt_regs_r8(%r10), %r8
+	mov	pt_regs_r9(%r10), %r9
+	JMP_NOSPEC r11
+SYM_FUNC_END(x86_sbm_proxy_call)
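Review bot: The header comment above x86_sbm_proxy_call describes the three incoming registers but not the convention the routine reproduces, and its closing line `+*/` is misaligned with the rest of the block (should be ` */`). The body copies only the six integer argument registers (di, si, dx, cx, r8, r9) out of the pt_regs held in r10 and then tail-jumps to the target through r11, so the target returns straight to the C caller of x86_sbm_proxy_call with its result in rax; targets that take stack or vector arguments are therefore not supported, and the comment should say so. I would extend the block with `* Forwards only the six integer register arguments from pt_regs;` and `* stack/FP arguments are not supported. Tail-calls the target, so its` and `* return value reaches the C caller in %rax unchanged.`.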
diff --git a/arch/x86/kernel/sbm/core.c b/arch/x86/kernel/sbm/core.c
index 296f1fde3c22..c8ac7ecb08cc 100644
--- a/arch/x86/kernel/sbm/core.c
+++ b/arch/x86/kernel/sbm/core.c
@@ -28,6 +28,60 @@ asmlinkage int x86_sbm_exec(struct x86_sbm_state *state, sbm_func func,
 			    unsigned long exc_tos);
 extern char x86_sbm_return[];
 
+extern char __nosbm_text_start[], __nosbm_text_end[];
+
+/*************************************************************
+ * HACK: PROOF-OF-CONCEPT FIXUP CODE STARTS HERE
+ */
+
+typedef unsigned long (*sbm_proxy_call_fn)(struct x86_sbm_state *,
+					   unsigned long func,
+					   struct pt_regs *);
+
+asmlinkage unsigned long x86_sbm_proxy_call(struct x86_sbm_state *state,
+					    unsigned long func,
+					    struct pt_regs *regs);
+
+/**
+ * struct sbm_fixup - Describe a sandbox fault fixup.
+ * @target:  Target function to be called.
+ * @proxy:   Proxy call function.
+ */
+struct sbm_fixup {
+	void *target;
+	sbm_proxy_call_fn proxy;
+};
+
+static const struct sbm_fixup fixups[] =
+{
+	{ }
+};
+
+/* Fix up a page fault if it is one of the known exceptions. */
+static bool fixup_sbm_call(struct x86_sbm_state *state,
+			   struct pt_regs *regs, unsigned long address)
+{
+	const struct sbm_fixup *fixup;
+
+	for (fixup = fixups; fixup->target; ++fixup) {
+		if (address == (unsigned long)fixup->target) {
+			regs->ax = fixup->proxy(state, address, regs);
+			return true;
+		}
+	}
+
+	return false;
+}
+
+/* Execution in sandbox mode continues here after fixup. */
+static void x86_sbm_continue(void)
+{
+}
+
+/*
+ * HACK: PROOF-OF-CONCEPT FIXUP CODE ENDS HERE
+ *************************************************************/
+
 union {
 	struct x86_sbm_state state;
 	char page[PAGE_SIZE];
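Review bot: fixups[] carries no statement of the invariants fixup_sbm_call depends on, and they are the security contract of this mechanism. Every target must be marked __nosbm so that a sandbox call to it faults instead of running, and the proxy hands the sandbox's register arguments to the target unchecked, so each entry is a trust boundary and the target has to validate its arguments the way a syscall would; the match `address == (unsigned long)fixup->target` also means only a fault exactly at the function's entry is proxied, and a fault anywhere else in a __nosbm function still falls through to the -EFAULT path, which looks intended and is worth saying. I would put above the table a comment such as `/* Targets must be __nosbm. They are entered with sandbox-chosen register arguments and must validate them; only a fault at the exact entry address is proxied. */`.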
@@ -140,8 +194,8 @@ static int map_kernel(struct x86_sbm_state *state)
 	if (err)
 		return err;
 
-	err = map_range(state, (unsigned long)__entry_text_start,
-			(unsigned long)__entry_text_end, PAGE_KERNEL_ROX);
+	err = map_range(state, (unsigned long)__nosbm_text_start,
+			(unsigned long)__nosbm_text_end, PAGE_KERNEL_ROX);
 	if (err)
 		return err;
 
@@ -482,6 +536,13 @@ void handle_sbm_fault(struct pt_regs *regs, unsigned long error_code,
 	if (spurious_sbm_fault(state, error_code, address))
 		return;
 
+	if ((error_code & ~X86_PF_PROT) == (X86_PF_USER | X86_PF_INSTR) &&
+	    fixup_sbm_call(state, regs, address)) {
+		/* Return back to sandbox... */
+		regs->ip = (unsigned long)x86_sbm_continue;
+		return;
+	}
+
 	/*
 	 * Force -EFAULT unless the fault was due to a user-mode instruction
 	 * fetch from the designated return address.
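Review bot: The resume path depends on x86_sbm_continue compiling to nothing but a return that runs on the sandbox stack and pops the return address the faulting `call` pushed, but neither `/* Return back to sandbox... */` nor the comment on x86_sbm_continue says so; if the build emits a return thunk rather than a bare `ret` for that empty function, the thunk presumably also has to be executable for the sandbox, which deserves a note. The condition accepts present and not-present faults alike (`& ~X86_PF_PROT`) but only user-mode instruction fetches, so a data access to a __nosbm page still takes the -EFAULT path below, which is the right default. I would replace the comment with `/* Proxied call done: resume in the sandbox at x86_sbm_continue, whose ret pops the return address the faulting call left on the sandbox stack. */`. handle_sbm_fault begins and ends outside this hunk.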
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index a349dbfc6d5a..c530a7faaa9a 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -139,8 +139,17 @@ SECTIONS
 		STATIC_CALL_TEXT
 
 		ALIGN_ENTRY_TEXT_BEGIN
+#ifdef CONFIG_SANDBOX_MODE
+		. = ALIGN(PAGE_SIZE);
+		__nosbm_text_start = .;
+#endif
 		*(.text..__x86.rethunk_untrain)
 		ENTRY_TEXT
+#ifdef CONFIG_SANDBOX_MODE
+		*(.text.nosbm)
+		. = ALIGN(PAGE_SIZE);
+		__nosbm_text_end = .;
+#endif
 
 #ifdef CONFIG_CPU_SRSO
 		/*
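Review bot: The new __nosbm_text_start/__nosbm_text_end symbols have no comment explaining what the range is for: everything between them (the rethunk_untrain input section, ENTRY_TEXT and .text.nosbm) is padded to page boundaries so that map_kernel() can give it one permission presumably different from the rest of .text, which is why .text.nosbm is placed inside the entry-text alignment rather than with ordinary text. A comment at the first #ifdef such as `/* Page-aligned range of code that sandbox mode must not execute directly; see __nosbm in sbm.h. */` would spare the next reader a detour through core.c. The symbols exist only under CONFIG_SANDBOX_MODE, so the unconditional extern declarations in core.c presumably rely on that file being built only with the option set.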
diff --git a/include/linux/sbm.h b/include/linux/sbm.h
index dbdc0781349f..9d7eb525e489 100644
--- a/include/linux/sbm.h
+++ b/include/linux/sbm.h
@@ -267,6 +267,8 @@ int arch_sbm_map_writable(struct sbm *sbm, const struct sbm_buf *buf);
  */
 int arch_sbm_exec(struct sbm *sbm, sbm_func func, void *data);
 
+#define __nosbm __section(".text.nosbm")
+
 #else /* !CONFIG_HAVE_ARCH_SBM */
 
 static inline int arch_sbm_init(struct sbm *sbm)
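Review bot: `#define __nosbm __section(".text.nosbm")` is added without a comment although it is the caller-facing contract of the whole mechanism: a function marked __nosbm is moved into a page-aligned section that sandbox mode cannot execute, so a call to it from the sandbox faults and is either proxied through the arch fixup table or turned into -EFAULT. Marking a function does not by itself make it callable from the sandbox; that still needs an entry in the x86 fixups[] table, and an entry there for a function without the marker would presumably never fault and so never be proxied. I would add above the define a comment stating both halves, e.g. `/* Keep a function out of sandbox-executable text; it is callable from the sandbox only via the arch fixup table. */`. The empty fallback definitions in the two later hunks of this file need no comment beyond that.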
@@ -295,6 +297,8 @@ static inline int arch_sbm_exec(struct sbm *sbm, sbm_func func, void *data)
 	return func(data);
 }
 
+#define __nosbm
+
 #endif /* CONFIG_HAVE_ARCH_SBM */
 
 #else /* !CONFIG_SANDBOX_MODE */
@@ -340,6 +344,8 @@ static inline void *sbm_map_writable(struct sbm *sbm, const void *ptr,
 	return (void *)ptr;
 }
 
+#define __nosbm
+
 #endif /* CONFIG_SANDBOX_MODE */
 
 /**
-- 
2.34.1


