[RFC PATCH 1/4] Provide linux/set_memory.h

[RFC PATCH 1/4] Provide linux/set_memory.h

[Michael Ellerman]

Currently code that wants to use set_memory_ro() etc, needs to include
asm/set_memory.h, which doesn't exist on all arches. Some code knows
it only builds on arches which have the header, other code guards the
inclusion with an #ifdef, neither is ideal.

So create linux/set_memory.h. This always exists, so users don't need
an #ifdef just to include the header.

When CONFIG_ARCH_HAS_SET_MEMORY=y it includes asm/set_memory.h,
otherwise it provides empty non-failing implementations.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
 include/linux/set_memory.h | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 include/linux/set_memory.h


Does this look OK to people? If so it would be great if someone, Kees?,
Andrew?, could pick up patch 1 (it's a nop by itself) and then we can send the
conversions separately later in the merge window?

cheers

diff --git a/include/linux/set_memory.h b/include/linux/set_memory.h
new file mode 100644
index 000000000000..e5140648f638
--- /dev/null
+++ b/include/linux/set_memory.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2017, Michael Ellerman, IBM Corporation.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License version
+ * 2 as published by the Free Software Foundation;
+ */
+#ifndef _LINUX_SET_MEMORY_H_
+#define _LINUX_SET_MEMORY_H_
+
+#ifdef CONFIG_ARCH_HAS_SET_MEMORY
+#include <asm/set_memory.h>
+#else
+static inline int set_memory_ro(unsigned long addr, int numpages) { return 0; }
+static inline int set_memory_rw(unsigned long addr, int numpages) { return 0; }
+static inline int set_memory_x(unsigned long addr,  int numpages) { return 0; }
+static inline int set_memory_nx(unsigned long addr, int numpages) { return 0; }
+#endif
+
+#endif /* _LINUX_SET_MEMORY_H_ */
-- 
2.7.4

[kernel-hardening] [RFC PATCH 1/4] Provide linux/set_memory.h

[Michael Ellerman]

Currently code that wants to use set_memory_ro() etc, needs to include
asm/set_memory.h, which doesn't exist on all arches. Some code knows
it only builds on arches which have the header, other code guards the
inclusion with an #ifdef, neither is ideal.

So create linux/set_memory.h. This always exists, so users don't need
an #ifdef just to include the header.

When CONFIG_ARCH_HAS_SET_MEMORY=y it includes asm/set_memory.h,
otherwise it provides empty non-failing implementations.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
 include/linux/set_memory.h | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 include/linux/set_memory.h


Does this look OK to people? If so it would be great if someone, Kees?,
Andrew?, could pick up patch 1 (it's a nop by itself) and then we can send the
conversions separately later in the merge window?

cheers

diff --git a/include/linux/set_memory.h b/include/linux/set_memory.h
new file mode 100644
index 000000000000..e5140648f638
--- /dev/null
+++ b/include/linux/set_memory.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2017, Michael Ellerman, IBM Corporation.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License version
+ * 2 as published by the Free Software Foundation;
+ */
+#ifndef _LINUX_SET_MEMORY_H_
+#define _LINUX_SET_MEMORY_H_
+
+#ifdef CONFIG_ARCH_HAS_SET_MEMORY
+#include <asm/set_memory.h>
+#else
+static inline int set_memory_ro(unsigned long addr, int numpages) { return 0; }
+static inline int set_memory_rw(unsigned long addr, int numpages) { return 0; }
+static inline int set_memory_x(unsigned long addr,  int numpages) { return 0; }
+static inline int set_memory_nx(unsigned long addr, int numpages) { return 0; }
+#endif
+
+#endif /* _LINUX_SET_MEMORY_H_ */
-- 
2.7.4

[RFC PATCH 2/4] PM / hibernate: Use linux/set_memory.h

[Michael Ellerman]

This header always exists, so doesn't require an ifdef around its
inclusion. When CONFIG_ARCH_HAS_SET_MEMORY=y it includes the asm header,
otherwise it provides empty versions of the set_memory_xx() routines.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
 kernel/power/snapshot.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
index b7708e319941..222317721c5a 100644
--- a/kernel/power/snapshot.c
+++ b/kernel/power/snapshot.c
@@ -30,15 +30,13 @@
 #include <linux/slab.h>
 #include <linux/compiler.h>
 #include <linux/ktime.h>
+#include <linux/set_memory.h>
 
 #include <linux/uaccess.h>
 #include <asm/mmu_context.h>
 #include <asm/pgtable.h>
 #include <asm/tlbflush.h>
 #include <asm/io.h>
-#ifdef CONFIG_ARCH_HAS_SET_MEMORY
-#include <asm/set_memory.h>
-#endif
 
 #include "power.h"
 
-- 
2.7.4

[kernel-hardening] [RFC PATCH 2/4] PM / hibernate: Use linux/set_memory.h

[Michael Ellerman]

This header always exists, so doesn't require an ifdef around its
inclusion. When CONFIG_ARCH_HAS_SET_MEMORY=y it includes the asm header,
otherwise it provides empty versions of the set_memory_xx() routines.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
 kernel/power/snapshot.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
index b7708e319941..222317721c5a 100644
--- a/kernel/power/snapshot.c
+++ b/kernel/power/snapshot.c
@@ -30,15 +30,13 @@
 #include <linux/slab.h>
 #include <linux/compiler.h>
 #include <linux/ktime.h>
+#include <linux/set_memory.h>
 
 #include <linux/uaccess.h>
 #include <asm/mmu_context.h>
 #include <asm/pgtable.h>
 #include <asm/tlbflush.h>
 #include <asm/io.h>
-#ifdef CONFIG_ARCH_HAS_SET_MEMORY
-#include <asm/set_memory.h>
-#endif
 
 #include "power.h"
 
-- 
2.7.4

[RFC PATCH 3/4] module: Use linux/set_memory.h

[Michael Ellerman]

This header always exists, so doesn't require an ifdef around its
inclusion. When CONFIG_ARCH_HAS_SET_MEMORY=y it includes the asm header,
otherwise it provides empty versions of the set_memory_xx() routines.

The usages of set_memory_xx() are still guarded by CONFIG_STRICT_MODULE_RWX.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
 kernel/module.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c
index d0a723ebe75c..e7696b25db30 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -49,9 +49,7 @@
 #include <linux/rculist.h>
 #include <linux/uaccess.h>
 #include <asm/cacheflush.h>
-#ifdef CONFIG_STRICT_MODULE_RWX
-#include <asm/set_memory.h>
-#endif
+#include <linux/set_memory.h>
 #include <asm/mmu_context.h>
 #include <linux/license.h>
 #include <asm/sections.h>
-- 
2.7.4

[kernel-hardening] [RFC PATCH 3/4] module: Use linux/set_memory.h

[Michael Ellerman]

This header always exists, so doesn't require an ifdef around its
inclusion. When CONFIG_ARCH_HAS_SET_MEMORY=y it includes the asm header,
otherwise it provides empty versions of the set_memory_xx() routines.

The usages of set_memory_xx() are still guarded by CONFIG_STRICT_MODULE_RWX.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
 kernel/module.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c
index d0a723ebe75c..e7696b25db30 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -49,9 +49,7 @@
 #include <linux/rculist.h>
 #include <linux/uaccess.h>
 #include <asm/cacheflush.h>
-#ifdef CONFIG_STRICT_MODULE_RWX
-#include <asm/set_memory.h>
-#endif
+#include <linux/set_memory.h>
 #include <asm/mmu_context.h>
 #include <linux/license.h>
 #include <asm/sections.h>
-- 
2.7.4

[RFC PATCH 4/4] bpf: Use linux/set_memory.h

[Michael Ellerman]

This header always exists, so doesn't require an ifdef around its
inclusion. When CONFIG_ARCH_HAS_SET_MEMORY=y it includes the asm header,
otherwise it provides empty versions of the set_memory_xx() routines.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
 include/linux/filter.h | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/include/linux/filter.h b/include/linux/filter.h
index 1fa26dc562ce..54f26e9c6472 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -16,13 +16,10 @@
 #include <linux/sched.h>
 #include <linux/capability.h>
 #include <linux/cryptohash.h>
+#include <linux/set_memory.h>
 
 #include <net/sch_generic.h>
 
-#ifdef CONFIG_ARCH_HAS_SET_MEMORY
-#include <asm/set_memory.h>
-#endif
-
 #include <uapi/linux/filter.h>
 #include <uapi/linux/bpf.h>
 
-- 
2.7.4

[kernel-hardening] [RFC PATCH 4/4] bpf: Use linux/set_memory.h

[Michael Ellerman]

This header always exists, so doesn't require an ifdef around its
inclusion. When CONFIG_ARCH_HAS_SET_MEMORY=y it includes the asm header,
otherwise it provides empty versions of the set_memory_xx() routines.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
 include/linux/filter.h | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/include/linux/filter.h b/include/linux/filter.h
index 1fa26dc562ce..54f26e9c6472 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -16,13 +16,10 @@
 #include <linux/sched.h>
 #include <linux/capability.h>
 #include <linux/cryptohash.h>
+#include <linux/set_memory.h>
 
 #include <net/sch_generic.h>
 
-#ifdef CONFIG_ARCH_HAS_SET_MEMORY
-#include <asm/set_memory.h>
-#endif
-
 #include <uapi/linux/filter.h>
 #include <uapi/linux/bpf.h>
 
-- 
2.7.4

Re: [kernel-hardening] [RFC PATCH 4/4] bpf: Use linux/set_memory.h

[Daniel Borkmann]

On 06/29/2017 08:29 AM, Michael Ellerman wrote:
> This header always exists, so doesn't require an ifdef around its
> inclusion. When CONFIG_ARCH_HAS_SET_MEMORY=y it includes the asm header,
> otherwise it provides empty versions of the set_memory_xx() routines.
>
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>

Acked-by: Daniel Borkmann <daniel@iogearbox.net>

Re: [kernel-hardening] [RFC PATCH 1/4] Provide linux/set_memory.h

[Daniel Borkmann]

On 06/29/2017 08:29 AM, Michael Ellerman wrote:
> Currently code that wants to use set_memory_ro() etc, needs to include
> asm/set_memory.h, which doesn't exist on all arches. Some code knows
> it only builds on arches which have the header, other code guards the
> inclusion with an #ifdef, neither is ideal.
>
> So create linux/set_memory.h. This always exists, so users don't need
> an #ifdef just to include the header.
>
> When CONFIG_ARCH_HAS_SET_MEMORY=y it includes asm/set_memory.h,
> otherwise it provides empty non-failing implementations.
>
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>

Looks good to me, thanks!

Acked-by: Daniel Borkmann <daniel@iogearbox.net>

I'm fine if Andrew or Kees picks up the bpf patch as well, I think
there shouldn't be any conflict with net-next on this one (and even
if so, then looks trivial to resolve).

Re: [kernel-hardening] [RFC PATCH 1/4] Provide linux/set_memory.h

[Kees Cook]

On Thu, Jun 29, 2017 at 2:03 AM, Daniel Borkmann <daniel@iogearbox.net> wrote:
> On 06/29/2017 08:29 AM, Michael Ellerman wrote:
>>
>> Currently code that wants to use set_memory_ro() etc, needs to include
>> asm/set_memory.h, which doesn't exist on all arches. Some code knows
>> it only builds on arches which have the header, other code guards the
>> inclusion with an #ifdef, neither is ideal.
>>
>> So create linux/set_memory.h. This always exists, so users don't need
>> an #ifdef just to include the header.
>>
>> When CONFIG_ARCH_HAS_SET_MEMORY=y it includes asm/set_memory.h,
>> otherwise it provides empty non-failing implementations.
>>
>> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
>
>
> Looks good to me, thanks!
>
> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
>
> I'm fine if Andrew or Kees picks up the bpf patch as well, I think
> there shouldn't be any conflict with net-next on this one (and even
> if so, then looks trivial to resolve).

I nominate Andrew. ;) This should go in early in the merge window and
the users can go late in the window. If Andrew has enough to do, I can
carry it too; just say the word.

This is a sane addition and allows for lines-of-code reduction in a
few places. Thanks!

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

-- 
Kees Cook
Pixel Security

Re: [kernel-hardening] [RFC PATCH 1/4] Provide linux/set_memory.h

[Kees Cook]

On Thu, Jun 29, 2017 at 2:03 AM, Daniel Borkmann <daniel@iogearbox.net> wrote:
> On 06/29/2017 08:29 AM, Michael Ellerman wrote:
>>
>> Currently code that wants to use set_memory_ro() etc, needs to include
>> asm/set_memory.h, which doesn't exist on all arches. Some code knows
>> it only builds on arches which have the header, other code guards the
>> inclusion with an #ifdef, neither is ideal.
>>
>> So create linux/set_memory.h. This always exists, so users don't need
>> an #ifdef just to include the header.
>>
>> When CONFIG_ARCH_HAS_SET_MEMORY=y it includes asm/set_memory.h,
>> otherwise it provides empty non-failing implementations.
>>
>> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
>
>
> Looks good to me, thanks!
>
> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
>
> I'm fine if Andrew or Kees picks up the bpf patch as well, I think
> there shouldn't be any conflict with net-next on this one (and even
> if so, then looks trivial to resolve).

I nominate Andrew. ;) This should go in early in the merge window and
the users can go late in the window. If Andrew has enough to do, I can
carry it too; just say the word.

This is a sane addition and allows for lines-of-code reduction in a
few places. Thanks!

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

-- 
Kees Cook
Pixel Security

Re: [RFC PATCH 1/4] Provide linux/set_memory.h

[Laura Abbott]

On 06/28/2017 11:29 PM, Michael Ellerman wrote:
> Currently code that wants to use set_memory_ro() etc, needs to include
> asm/set_memory.h, which doesn't exist on all arches. Some code knows
> it only builds on arches which have the header, other code guards the
> inclusion with an #ifdef, neither is ideal.
> 
> So create linux/set_memory.h. This always exists, so users don't need
> an #ifdef just to include the header.
> 
> When CONFIG_ARCH_HAS_SET_MEMORY=y it includes asm/set_memory.h,
> otherwise it provides empty non-failing implementations.
> 
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
> ---
>  include/linux/set_memory.h | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
>  create mode 100644 include/linux/set_memory.h
> 
> 
> Does this look OK to people? If so it would be great if someone, Kees?,
> Andrew?, could pick up patch 1 (it's a nop by itself) and then we can send the
> conversions separately later in the merge window?
> 

Acked-by: Laura Abbott <labbott@redhat.com>

> cheers
> 
> diff --git a/include/linux/set_memory.h b/include/linux/set_memory.h
> new file mode 100644
> index 000000000000..e5140648f638
> --- /dev/null
> +++ b/include/linux/set_memory.h
> @@ -0,0 +1,20 @@
> +/*
> + * Copyright 2017, Michael Ellerman, IBM Corporation.
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License version
> + * 2 as published by the Free Software Foundation;
> + */
> +#ifndef _LINUX_SET_MEMORY_H_
> +#define _LINUX_SET_MEMORY_H_
> +
> +#ifdef CONFIG_ARCH_HAS_SET_MEMORY
> +#include <asm/set_memory.h>
> +#else
> +static inline int set_memory_ro(unsigned long addr, int numpages) { return 0; }
> +static inline int set_memory_rw(unsigned long addr, int numpages) { return 0; }
> +static inline int set_memory_x(unsigned long addr,  int numpages) { return 0; }
> +static inline int set_memory_nx(unsigned long addr, int numpages) { return 0; }
> +#endif
> +
> +#endif /* _LINUX_SET_MEMORY_H_ */
> 

[kernel-hardening] Re: [RFC PATCH 1/4] Provide linux/set_memory.h

[Laura Abbott]

On 06/28/2017 11:29 PM, Michael Ellerman wrote:
> Currently code that wants to use set_memory_ro() etc, needs to include
> asm/set_memory.h, which doesn't exist on all arches. Some code knows
> it only builds on arches which have the header, other code guards the
> inclusion with an #ifdef, neither is ideal.
> 
> So create linux/set_memory.h. This always exists, so users don't need
> an #ifdef just to include the header.
> 
> When CONFIG_ARCH_HAS_SET_MEMORY=y it includes asm/set_memory.h,
> otherwise it provides empty non-failing implementations.
> 
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
> ---
>  include/linux/set_memory.h | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
>  create mode 100644 include/linux/set_memory.h
> 
> 
> Does this look OK to people? If so it would be great if someone, Kees?,
> Andrew?, could pick up patch 1 (it's a nop by itself) and then we can send the
> conversions separately later in the merge window?
> 

Acked-by: Laura Abbott <labbott@redhat.com>

> cheers
> 
> diff --git a/include/linux/set_memory.h b/include/linux/set_memory.h
> new file mode 100644
> index 000000000000..e5140648f638
> --- /dev/null
> +++ b/include/linux/set_memory.h
> @@ -0,0 +1,20 @@
> +/*
> + * Copyright 2017, Michael Ellerman, IBM Corporation.
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License version
> + * 2 as published by the Free Software Foundation;
> + */
> +#ifndef _LINUX_SET_MEMORY_H_
> +#define _LINUX_SET_MEMORY_H_
> +
> +#ifdef CONFIG_ARCH_HAS_SET_MEMORY
> +#include <asm/set_memory.h>
> +#else
> +static inline int set_memory_ro(unsigned long addr, int numpages) { return 0; }
> +static inline int set_memory_rw(unsigned long addr, int numpages) { return 0; }
> +static inline int set_memory_x(unsigned long addr,  int numpages) { return 0; }
> +static inline int set_memory_nx(unsigned long addr, int numpages) { return 0; }
> +#endif
> +
> +#endif /* _LINUX_SET_MEMORY_H_ */
> 

Re: [kernel-hardening] [RFC PATCH 1/4] Provide linux/set_memory.h

[Michael Ellerman]

Kees Cook <keescook@chromium.org> writes:

> On Thu, Jun 29, 2017 at 2:03 AM, Daniel Borkmann <daniel@iogearbox.net> wrote:
>> On 06/29/2017 08:29 AM, Michael Ellerman wrote:
>>>
>>> Currently code that wants to use set_memory_ro() etc, needs to include
>>> asm/set_memory.h, which doesn't exist on all arches. Some code knows
>>> it only builds on arches which have the header, other code guards the
>>> inclusion with an #ifdef, neither is ideal.
>>>
>>> So create linux/set_memory.h. This always exists, so users don't need
>>> an #ifdef just to include the header.
>>>
>>> When CONFIG_ARCH_HAS_SET_MEMORY=y it includes asm/set_memory.h,
>>> otherwise it provides empty non-failing implementations.
>>>
>>> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
>>
>>
>> Looks good to me, thanks!
>>
>> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
>>
>> I'm fine if Andrew or Kees picks up the bpf patch as well, I think
>> there shouldn't be any conflict with net-next on this one (and even
>> if so, then looks trivial to resolve).
>
> I nominate Andrew. ;) This should go in early in the merge window and
> the users can go late in the window. If Andrew has enough to do, I can
> carry it too; just say the word.
>
> This is a sane addition and allows for lines-of-code reduction in a
> few places. Thanks!

Andrew's picked them up in mmotm, thanks everyone.

cheers

Re: [kernel-hardening] [RFC PATCH 1/4] Provide linux/set_memory.h

[Michael Ellerman]

Kees Cook <keescook@chromium.org> writes:

> On Thu, Jun 29, 2017 at 2:03 AM, Daniel Borkmann <daniel@iogearbox.net> wrote:
>> On 06/29/2017 08:29 AM, Michael Ellerman wrote:
>>>
>>> Currently code that wants to use set_memory_ro() etc, needs to include
>>> asm/set_memory.h, which doesn't exist on all arches. Some code knows
>>> it only builds on arches which have the header, other code guards the
>>> inclusion with an #ifdef, neither is ideal.
>>>
>>> So create linux/set_memory.h. This always exists, so users don't need
>>> an #ifdef just to include the header.
>>>
>>> When CONFIG_ARCH_HAS_SET_MEMORY=y it includes asm/set_memory.h,
>>> otherwise it provides empty non-failing implementations.
>>>
>>> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
>>
>>
>> Looks good to me, thanks!
>>
>> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
>>
>> I'm fine if Andrew or Kees picks up the bpf patch as well, I think
>> there shouldn't be any conflict with net-next on this one (and even
>> if so, then looks trivial to resolve).
>
> I nominate Andrew. ;) This should go in early in the merge window and
> the users can go late in the window. If Andrew has enough to do, I can
> carry it too; just say the word.
>
> This is a sane addition and allows for lines-of-code reduction in a
> few places. Thanks!

Andrew's picked them up in mmotm, thanks everyone.

cheers