* Re: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-22 2:27 ` akpm
0 siblings, 0 replies; 62+ messages in thread
From: Andrew Morton @ 2018-11-22 2:27 UTC (permalink / raw)
To: Joel Fernandes
Cc: Andy Lutomirski, Stephen Rothwell, Andy Lutomirski, LKML,
Hugh Dickins, Jann Horn, Khalid Aziz, Linux API,
open list:KERNEL SELFTEST FRAMEWORK, Linux-MM, marcandre.lureau,
Matthew Wilcox, Mike Kravetz, Shuah Khan
On Tue, 20 Nov 2018 13:13:35 -0800 Joel Fernandes <joel@joelfernandes.org> wrote:
> > > I am Ok with whatever Andrew wants to do, if it is better to squash it with
> > > the original, then I can do that and send another patch.
> > >
> > >
> >
> > From experience, Andrew will food in fixups on request :)
>
> Andrew, could you squash this patch into the one titled ("mm: Add an
> F_SEAL_FUTURE_WRITE seal to memfd")?
Sure.
I could of course queue them separately but I rarely do so - I don't
think that the intermediate development states are useful in the
infinite-term, and I make them available via additional Link: tags in
the changelog footers anyway.
I think that the magnitude of these patches is such that John Stultz's
Reviewed-by is invalidated, so this series is now in the "unreviewed"
state.
So can we have a re-review please? For convenience, here's the
folded-together [1/1] patch, as it will go to Linus.
From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
Subject: mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
Android uses ashmem for sharing memory regions. We are looking forward to
migrating all usecases of ashmem to memfd so that we can possibly remove
the ashmem driver in the future from staging while also benefiting from
using memfd and contributing to it. Note staging drivers are also not ABI
and generally can be removed at anytime.
One of the main usecases Android has is the ability to create a region and
mmap it as writeable, then add protection against making any "future"
writes while keeping the existing already mmap'ed writeable-region active.
This allows us to implement a usecase where receivers of the shared
memory buffer can get a read-only view, while the sender continues to
write to the buffer. See CursorWindow documentation in Android for more
details:
https://developer.android.com/reference/android/database/CursorWindow
This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
which prevents any future mmap and write syscalls from succeeding while
keeping the existing mmap active. The following program shows the seal
working in action:
#include <stdio.h>
#include <errno.h>
#include <sys/mman.h>
#include <linux/memfd.h>
#include <linux/fcntl.h>
#include <asm/unistd.h>
#include <unistd.h>
#define F_SEAL_FUTURE_WRITE 0x0010
#define REGION_SIZE (5 * 1024 * 1024)
int memfd_create_region(const char *name, size_t size)
{
int ret;
int fd = syscall(__NR_memfd_create, name, MFD_ALLOW_SEALING);
if (fd < 0) return fd;
ret = ftruncate(fd, size);
if (ret < 0) { close(fd); return ret; }
return fd;
}
int main() {
int ret, fd;
void *addr, *addr2, *addr3, *addr1;
ret = memfd_create_region("test_region", REGION_SIZE);
printf("ret=%d\n", ret);
fd = ret;
// Create map
addr = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (addr == MAP_FAILED)
printf("map 0 failed\n");
else
printf("map 0 passed\n");
if ((ret = write(fd, "test", 4)) != 4)
printf("write failed even though no future-write seal "
"(ret=%d errno =%d)\n", ret, errno);
else
printf("write passed\n");
addr1 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (addr1 == MAP_FAILED)
perror("map 1 prot-write failed even though no seal\n");
else
printf("map 1 prot-write passed as expected\n");
ret = fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE |
F_SEAL_GROW |
F_SEAL_SHRINK);
if (ret == -1)
printf("fcntl failed, errno: %d\n", errno);
else
printf("future-write seal now active\n");
if ((ret = write(fd, "test", 4)) != 4)
printf("write failed as expected due to future-write seal\n");
else
printf("write passed (unexpected)\n");
addr2 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (addr2 == MAP_FAILED)
perror("map 2 prot-write failed as expected due to seal\n");
else
printf("map 2 passed\n");
addr3 = mmap(0, REGION_SIZE, PROT_READ, MAP_SHARED, fd, 0);
if (addr3 == MAP_FAILED)
perror("map 3 failed\n");
else
printf("map 3 prot-read passed as expected\n");
}
The output of running this program is as follows:
ret=3
map 0 passed
write passed
map 1 prot-write passed as expected
future-write seal now active
write failed as expected due to future-write seal
map 2 prot-write failed as expected due to seal
: Permission denied
map 3 prot-read passed as expected
[joel@joelfernandes.org: make F_SEAL_FUTURE_WRITE seal more robust]
Link: http://lkml.kernel.org/r/20181120052137.74317-1-joel@joelfernandes.org
Link: http://lkml.kernel.org/r/20181108041537.39694-1-joel@joelfernandes.org
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: John Stultz <john.stultz@linaro.org>
Cc: John Reck <jreck@google.com>
Cc: Todd Kjos <tkjos@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Daniel Colascione <dancol@google.com>
Cc: J. Bruce Fields <bfields@fieldses.org>
Cc: Jeff Layton <jlayton@kernel.org>
Cc: Khalid Aziz <khalid.aziz@oracle.com>
Cc: Lei Yang <Lei.Yang@windriver.com>
Cc: Marc-Andr Lureau <marcandre.lureau@redhat.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Jann Horn <jannh@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
--- a/include/uapi/linux/fcntl.h~mm-add-an-f_seal_future_write-seal-to-memfd
+++ a/include/uapi/linux/fcntl.h
@@ -41,6 +41,7 @@
#define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
#define F_SEAL_GROW 0x0004 /* prevent file from growing */
#define F_SEAL_WRITE 0x0008 /* prevent writes */
+#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
/* (1U << 31) is reserved for signed error codes */
/*
--- a/mm/memfd.c~mm-add-an-f_seal_future_write-seal-to-memfd
+++ a/mm/memfd.c
@@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_pt
#define F_ALL_SEALS (F_SEAL_SEAL | \
F_SEAL_SHRINK | \
F_SEAL_GROW | \
- F_SEAL_WRITE)
+ F_SEAL_WRITE | \
+ F_SEAL_FUTURE_WRITE)
static int memfd_add_seals(struct file *file, unsigned int seals)
{
--- a/fs/hugetlbfs/inode.c~mm-add-an-f_seal_future_write-seal-to-memfd
+++ a/fs/hugetlbfs/inode.c
@@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct
inode_lock(inode);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
inode_unlock(inode);
return -EPERM;
}
--- a/mm/shmem.c~mm-add-an-f_seal_future_write-seal-to-memfd
+++ a/mm/shmem.c
@@ -2119,6 +2119,23 @@ out_nomem:
static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
{
+ struct shmem_inode_info *info = SHMEM_I(file_inode(file));
+
+ /*
+ * New PROT_READ and MAP_SHARED mmaps are not allowed when "future
+ * write" seal active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) &&
+ (info->seals & F_SEAL_FUTURE_WRITE))
+ return -EPERM;
+
+ /*
+ * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only
+ * mapping, take care to not allow mprotect to revert protections.
+ */
+ if (info->seals & F_SEAL_FUTURE_WRITE)
+ vma->vm_flags &= ~(VM_MAYWRITE);
+
file_accessed(file);
vma->vm_ops = &shmem_vm_ops;
if (IS_ENABLED(CONFIG_TRANSPARENT_HUGE_PAGECACHE) &&
@@ -2344,8 +2361,9 @@ shmem_write_begin(struct file *file, str
pgoff_t index = pos >> PAGE_SHIFT;
/* i_mutex is held by caller */
- if (unlikely(info->seals & (F_SEAL_WRITE | F_SEAL_GROW))) {
- if (info->seals & F_SEAL_WRITE)
+ if (unlikely(info->seals & (F_SEAL_GROW |
+ F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))
return -EPERM;
if ((info->seals & F_SEAL_GROW) && pos + len > inode->i_size)
return -EPERM;
@@ -2608,7 +2626,7 @@ static long shmem_fallocate(struct file
DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
error = -EPERM;
goto out;
}
_
^ permalink raw reply [flat|nested] 62+ messages in thread
* [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-22 2:27 ` akpm
0 siblings, 0 replies; 62+ messages in thread
From: Andrew Morton @ 2018-11-22 2:27 UTC (permalink / raw)
On Tue, 20 Nov 2018 13:13:35 -0800 Joel Fernandes <joel@joelfernandes.org> wrote:
> > > I am Ok with whatever Andrew wants to do, if it is better to squash it with
> > > the original, then I can do that and send another patch.
> > >
> > >
> >
> > From experience, Andrew will food in fixups on request :)
>
> Andrew, could you squash this patch into the one titled ("mm: Add an
> F_SEAL_FUTURE_WRITE seal to memfd")?
Sure.
I could of course queue them separately but I rarely do so - I don't
think that the intermediate development states are useful in the
infinite-term, and I make them available via additional Link: tags in
the changelog footers anyway.
I think that the magnitude of these patches is such that John Stultz's
Reviewed-by is invalidated, so this series is now in the "unreviewed"
state.
So can we have a re-review please? For convenience, here's the
folded-together [1/1] patch, as it will go to Linus.
From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
Subject: mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
Android uses ashmem for sharing memory regions. We are looking forward to
migrating all usecases of ashmem to memfd so that we can possibly remove
the ashmem driver in the future from staging while also benefiting from
using memfd and contributing to it. Note staging drivers are also not ABI
and generally can be removed at anytime.
One of the main usecases Android has is the ability to create a region and
mmap it as writeable, then add protection against making any "future"
writes while keeping the existing already mmap'ed writeable-region active.
This allows us to implement a usecase where receivers of the shared
memory buffer can get a read-only view, while the sender continues to
write to the buffer. See CursorWindow documentation in Android for more
details:
https://developer.android.com/reference/android/database/CursorWindow
This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
which prevents any future mmap and write syscalls from succeeding while
keeping the existing mmap active. The following program shows the seal
working in action:
#include <stdio.h>
#include <errno.h>
#include <sys/mman.h>
#include <linux/memfd.h>
#include <linux/fcntl.h>
#include <asm/unistd.h>
#include <unistd.h>
#define F_SEAL_FUTURE_WRITE 0x0010
#define REGION_SIZE (5 * 1024 * 1024)
int memfd_create_region(const char *name, size_t size)
{
int ret;
int fd = syscall(__NR_memfd_create, name, MFD_ALLOW_SEALING);
if (fd < 0) return fd;
ret = ftruncate(fd, size);
if (ret < 0) { close(fd); return ret; }
return fd;
}
int main() {
int ret, fd;
void *addr, *addr2, *addr3, *addr1;
ret = memfd_create_region("test_region", REGION_SIZE);
printf("ret=%d\n", ret);
fd = ret;
// Create map
addr = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (addr == MAP_FAILED)
printf("map 0 failed\n");
else
printf("map 0 passed\n");
if ((ret = write(fd, "test", 4)) != 4)
printf("write failed even though no future-write seal "
"(ret=%d errno =%d)\n", ret, errno);
else
printf("write passed\n");
addr1 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (addr1 == MAP_FAILED)
perror("map 1 prot-write failed even though no seal\n");
else
printf("map 1 prot-write passed as expected\n");
ret = fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE |
F_SEAL_GROW |
F_SEAL_SHRINK);
if (ret == -1)
printf("fcntl failed, errno: %d\n", errno);
else
printf("future-write seal now active\n");
if ((ret = write(fd, "test", 4)) != 4)
printf("write failed as expected due to future-write seal\n");
else
printf("write passed (unexpected)\n");
addr2 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (addr2 == MAP_FAILED)
perror("map 2 prot-write failed as expected due to seal\n");
else
printf("map 2 passed\n");
addr3 = mmap(0, REGION_SIZE, PROT_READ, MAP_SHARED, fd, 0);
if (addr3 == MAP_FAILED)
perror("map 3 failed\n");
else
printf("map 3 prot-read passed as expected\n");
}
The output of running this program is as follows:
ret=3
map 0 passed
write passed
map 1 prot-write passed as expected
future-write seal now active
write failed as expected due to future-write seal
map 2 prot-write failed as expected due to seal
: Permission denied
map 3 prot-read passed as expected
[joel at joelfernandes.org: make F_SEAL_FUTURE_WRITE seal more robust]
Link: http://lkml.kernel.org/r/20181120052137.74317-1-joel at joelfernandes.org
Link: http://lkml.kernel.org/r/20181108041537.39694-1-joel at joelfernandes.org
Signed-off-by: Joel Fernandes (Google) <joel at joelfernandes.org>
Cc: John Stultz <john.stultz at linaro.org>
Cc: John Reck <jreck at google.com>
Cc: Todd Kjos <tkjos at google.com>
Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Cc: Christoph Hellwig <hch at infradead.org>
Cc: Al Viro <viro at zeniv.linux.org.uk>
Cc: Daniel Colascione <dancol at google.com>
Cc: J. Bruce Fields <bfields at fieldses.org>
Cc: Jeff Layton <jlayton at kernel.org>
Cc: Khalid Aziz <khalid.aziz at oracle.com>
Cc: Lei Yang <Lei.Yang at windriver.com>
Cc: Marc-Andr Lureau <marcandre.lureau at redhat.com>
Cc: Mike Kravetz <mike.kravetz at oracle.com>
Cc: Minchan Kim <minchan at kernel.org>
Cc: Shuah Khan <shuah at kernel.org>
Cc: Valdis Kletnieks <valdis.kletnieks at vt.edu>
Cc: Andy Lutomirski <luto at kernel.org>
Cc: Jann Horn <jannh at google.com>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
---
--- a/include/uapi/linux/fcntl.h~mm-add-an-f_seal_future_write-seal-to-memfd
+++ a/include/uapi/linux/fcntl.h
@@ -41,6 +41,7 @@
#define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
#define F_SEAL_GROW 0x0004 /* prevent file from growing */
#define F_SEAL_WRITE 0x0008 /* prevent writes */
+#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
/* (1U << 31) is reserved for signed error codes */
/*
--- a/mm/memfd.c~mm-add-an-f_seal_future_write-seal-to-memfd
+++ a/mm/memfd.c
@@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_pt
#define F_ALL_SEALS (F_SEAL_SEAL | \
F_SEAL_SHRINK | \
F_SEAL_GROW | \
- F_SEAL_WRITE)
+ F_SEAL_WRITE | \
+ F_SEAL_FUTURE_WRITE)
static int memfd_add_seals(struct file *file, unsigned int seals)
{
--- a/fs/hugetlbfs/inode.c~mm-add-an-f_seal_future_write-seal-to-memfd
+++ a/fs/hugetlbfs/inode.c
@@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct
inode_lock(inode);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
inode_unlock(inode);
return -EPERM;
}
--- a/mm/shmem.c~mm-add-an-f_seal_future_write-seal-to-memfd
+++ a/mm/shmem.c
@@ -2119,6 +2119,23 @@ out_nomem:
static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
{
+ struct shmem_inode_info *info = SHMEM_I(file_inode(file));
+
+ /*
+ * New PROT_READ and MAP_SHARED mmaps are not allowed when "future
+ * write" seal active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) &&
+ (info->seals & F_SEAL_FUTURE_WRITE))
+ return -EPERM;
+
+ /*
+ * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only
+ * mapping, take care to not allow mprotect to revert protections.
+ */
+ if (info->seals & F_SEAL_FUTURE_WRITE)
+ vma->vm_flags &= ~(VM_MAYWRITE);
+
file_accessed(file);
vma->vm_ops = &shmem_vm_ops;
if (IS_ENABLED(CONFIG_TRANSPARENT_HUGE_PAGECACHE) &&
@@ -2344,8 +2361,9 @@ shmem_write_begin(struct file *file, str
pgoff_t index = pos >> PAGE_SHIFT;
/* i_mutex is held by caller */
- if (unlikely(info->seals & (F_SEAL_WRITE | F_SEAL_GROW))) {
- if (info->seals & F_SEAL_WRITE)
+ if (unlikely(info->seals & (F_SEAL_GROW |
+ F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))
return -EPERM;
if ((info->seals & F_SEAL_GROW) && pos + len > inode->i_size)
return -EPERM;
@@ -2608,7 +2626,7 @@ static long shmem_fallocate(struct file
DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
error = -EPERM;
goto out;
}
_
^ permalink raw reply [flat|nested] 62+ messages in thread
* [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-22 2:27 ` akpm
0 siblings, 0 replies; 62+ messages in thread
From: akpm @ 2018-11-22 2:27 UTC (permalink / raw)
On Tue, 20 Nov 2018 13:13:35 -0800 Joel Fernandes <joel at joelfernandes.org> wrote:
> > > I am Ok with whatever Andrew wants to do, if it is better to squash it with
> > > the original, then I can do that and send another patch.
> > >
> > >
> >
> > From experience, Andrew will food in fixups on request :)
>
> Andrew, could you squash this patch into the one titled ("mm: Add an
> F_SEAL_FUTURE_WRITE seal to memfd")?
Sure.
I could of course queue them separately but I rarely do so - I don't
think that the intermediate development states are useful in the
infinite-term, and I make them available via additional Link: tags in
the changelog footers anyway.
I think that the magnitude of these patches is such that John Stultz's
Reviewed-by is invalidated, so this series is now in the "unreviewed"
state.
So can we have a re-review please? For convenience, here's the
folded-together [1/1] patch, as it will go to Linus.
From: "Joel Fernandes (Google)" <joel at joelfernandes.org>
Subject: mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
Android uses ashmem for sharing memory regions. We are looking forward to
migrating all usecases of ashmem to memfd so that we can possibly remove
the ashmem driver in the future from staging while also benefiting from
using memfd and contributing to it. Note staging drivers are also not ABI
and generally can be removed at anytime.
One of the main usecases Android has is the ability to create a region and
mmap it as writeable, then add protection against making any "future"
writes while keeping the existing already mmap'ed writeable-region active.
This allows us to implement a usecase where receivers of the shared
memory buffer can get a read-only view, while the sender continues to
write to the buffer. See CursorWindow documentation in Android for more
details:
https://developer.android.com/reference/android/database/CursorWindow
This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
which prevents any future mmap and write syscalls from succeeding while
keeping the existing mmap active. The following program shows the seal
working in action:
#include <stdio.h>
#include <errno.h>
#include <sys/mman.h>
#include <linux/memfd.h>
#include <linux/fcntl.h>
#include <asm/unistd.h>
#include <unistd.h>
#define F_SEAL_FUTURE_WRITE 0x0010
#define REGION_SIZE (5 * 1024 * 1024)
int memfd_create_region(const char *name, size_t size)
{
int ret;
int fd = syscall(__NR_memfd_create, name, MFD_ALLOW_SEALING);
if (fd < 0) return fd;
ret = ftruncate(fd, size);
if (ret < 0) { close(fd); return ret; }
return fd;
}
int main() {
int ret, fd;
void *addr, *addr2, *addr3, *addr1;
ret = memfd_create_region("test_region", REGION_SIZE);
printf("ret=%d\n", ret);
fd = ret;
// Create map
addr = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (addr == MAP_FAILED)
printf("map 0 failed\n");
else
printf("map 0 passed\n");
if ((ret = write(fd, "test", 4)) != 4)
printf("write failed even though no future-write seal "
"(ret=%d errno =%d)\n", ret, errno);
else
printf("write passed\n");
addr1 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (addr1 == MAP_FAILED)
perror("map 1 prot-write failed even though no seal\n");
else
printf("map 1 prot-write passed as expected\n");
ret = fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE |
F_SEAL_GROW |
F_SEAL_SHRINK);
if (ret == -1)
printf("fcntl failed, errno: %d\n", errno);
else
printf("future-write seal now active\n");
if ((ret = write(fd, "test", 4)) != 4)
printf("write failed as expected due to future-write seal\n");
else
printf("write passed (unexpected)\n");
addr2 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (addr2 == MAP_FAILED)
perror("map 2 prot-write failed as expected due to seal\n");
else
printf("map 2 passed\n");
addr3 = mmap(0, REGION_SIZE, PROT_READ, MAP_SHARED, fd, 0);
if (addr3 == MAP_FAILED)
perror("map 3 failed\n");
else
printf("map 3 prot-read passed as expected\n");
}
The output of running this program is as follows:
ret=3
map 0 passed
write passed
map 1 prot-write passed as expected
future-write seal now active
write failed as expected due to future-write seal
map 2 prot-write failed as expected due to seal
: Permission denied
map 3 prot-read passed as expected
[joel at joelfernandes.org: make F_SEAL_FUTURE_WRITE seal more robust]
Link: http://lkml.kernel.org/r/20181120052137.74317-1-joel at joelfernandes.org
Link: http://lkml.kernel.org/r/20181108041537.39694-1-joel at joelfernandes.org
Signed-off-by: Joel Fernandes (Google) <joel at joelfernandes.org>
Cc: John Stultz <john.stultz at linaro.org>
Cc: John Reck <jreck at google.com>
Cc: Todd Kjos <tkjos at google.com>
Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Cc: Christoph Hellwig <hch at infradead.org>
Cc: Al Viro <viro at zeniv.linux.org.uk>
Cc: Daniel Colascione <dancol at google.com>
Cc: J. Bruce Fields <bfields at fieldses.org>
Cc: Jeff Layton <jlayton at kernel.org>
Cc: Khalid Aziz <khalid.aziz at oracle.com>
Cc: Lei Yang <Lei.Yang at windriver.com>
Cc: Marc-Andr Lureau <marcandre.lureau at redhat.com>
Cc: Mike Kravetz <mike.kravetz at oracle.com>
Cc: Minchan Kim <minchan at kernel.org>
Cc: Shuah Khan <shuah at kernel.org>
Cc: Valdis Kletnieks <valdis.kletnieks at vt.edu>
Cc: Andy Lutomirski <luto at kernel.org>
Cc: Jann Horn <jannh at google.com>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
---
--- a/include/uapi/linux/fcntl.h~mm-add-an-f_seal_future_write-seal-to-memfd
+++ a/include/uapi/linux/fcntl.h
@@ -41,6 +41,7 @@
#define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
#define F_SEAL_GROW 0x0004 /* prevent file from growing */
#define F_SEAL_WRITE 0x0008 /* prevent writes */
+#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
/* (1U << 31) is reserved for signed error codes */
/*
--- a/mm/memfd.c~mm-add-an-f_seal_future_write-seal-to-memfd
+++ a/mm/memfd.c
@@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_pt
#define F_ALL_SEALS (F_SEAL_SEAL | \
F_SEAL_SHRINK | \
F_SEAL_GROW | \
- F_SEAL_WRITE)
+ F_SEAL_WRITE | \
+ F_SEAL_FUTURE_WRITE)
static int memfd_add_seals(struct file *file, unsigned int seals)
{
--- a/fs/hugetlbfs/inode.c~mm-add-an-f_seal_future_write-seal-to-memfd
+++ a/fs/hugetlbfs/inode.c
@@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct
inode_lock(inode);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
inode_unlock(inode);
return -EPERM;
}
--- a/mm/shmem.c~mm-add-an-f_seal_future_write-seal-to-memfd
+++ a/mm/shmem.c
@@ -2119,6 +2119,23 @@ out_nomem:
static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
{
+ struct shmem_inode_info *info = SHMEM_I(file_inode(file));
+
+ /*
+ * New PROT_READ and MAP_SHARED mmaps are not allowed when "future
+ * write" seal active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) &&
+ (info->seals & F_SEAL_FUTURE_WRITE))
+ return -EPERM;
+
+ /*
+ * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only
+ * mapping, take care to not allow mprotect to revert protections.
+ */
+ if (info->seals & F_SEAL_FUTURE_WRITE)
+ vma->vm_flags &= ~(VM_MAYWRITE);
+
file_accessed(file);
vma->vm_ops = &shmem_vm_ops;
if (IS_ENABLED(CONFIG_TRANSPARENT_HUGE_PAGECACHE) &&
@@ -2344,8 +2361,9 @@ shmem_write_begin(struct file *file, str
pgoff_t index = pos >> PAGE_SHIFT;
/* i_mutex is held by caller */
- if (unlikely(info->seals & (F_SEAL_WRITE | F_SEAL_GROW))) {
- if (info->seals & F_SEAL_WRITE)
+ if (unlikely(info->seals & (F_SEAL_GROW |
+ F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))
return -EPERM;
if ((info->seals & F_SEAL_GROW) && pos + len > inode->i_size)
return -EPERM;
@@ -2608,7 +2626,7 @@ static long shmem_fallocate(struct file
DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
error = -EPERM;
goto out;
}
_
^ permalink raw reply [flat|nested] 62+ messages in thread
* Re: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
2018-11-22 2:27 ` akpm
(?)
(?)
@ 2018-11-22 3:25 ` luto
-1 siblings, 0 replies; 62+ messages in thread
From: Andy Lutomirski @ 2018-11-22 3:25 UTC (permalink / raw)
To: Andrew Morton
Cc: Joel Fernandes, Stephen Rothwell, Andrew Lutomirski, LKML,
Hugh Dickins, Jann Horn, Khalid Aziz, Linux API,
open list:KERNEL SELFTEST FRAMEWORK, Linux-MM, marcandre.lureau,
Matthew Wilcox, Mike Kravetz, Shuah Khan
On Wed, Nov 21, 2018 at 6:27 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Tue, 20 Nov 2018 13:13:35 -0800 Joel Fernandes <joel@joelfernandes.org> wrote:
>
> > > > I am Ok with whatever Andrew wants to do, if it is better to squash it with
> > > > the original, then I can do that and send another patch.
> > > >
> > > >
> > >
> > > From experience, Andrew will food in fixups on request :)
> >
> > Andrew, could you squash this patch into the one titled ("mm: Add an
> > F_SEAL_FUTURE_WRITE seal to memfd")?
>
> Sure.
>
> I could of course queue them separately but I rarely do so - I don't
> think that the intermediate development states are useful in the
> infinite-term, and I make them available via additional Link: tags in
> the changelog footers anyway.
>
> I think that the magnitude of these patches is such that John Stultz's
> Reviewed-by is invalidated, so this series is now in the "unreviewed"
> state.
>
> So can we have a re-review please? For convenience, here's the
> folded-together [1/1] patch, as it will go to Linus.
>
>
> From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
> Subject: mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
>
> Android uses ashmem for sharing memory regions. We are looking forward to
> migrating all usecases of ashmem to memfd so that we can possibly remove
> the ashmem driver in the future from staging while also benefiting from
> using memfd and contributing to it. Note staging drivers are also not ABI
> and generally can be removed at anytime.
>
> One of the main usecases Android has is the ability to create a region and
> mmap it as writeable, then add protection against making any "future"
> writes while keeping the existing already mmap'ed writeable-region active.
> This allows us to implement a usecase where receivers of the shared
> memory buffer can get a read-only view, while the sender continues to
> write to the buffer. See CursorWindow documentation in Android for more
> details:
> https://developer.android.com/reference/android/database/CursorWindow
>
> This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
> To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
> which prevents any future mmap and write syscalls from succeeding while
> keeping the existing mmap active. The following program shows the seal
> working in action:
>
> #include <stdio.h>
> #include <errno.h>
> #include <sys/mman.h>
> #include <linux/memfd.h>
> #include <linux/fcntl.h>
> #include <asm/unistd.h>
> #include <unistd.h>
> #define F_SEAL_FUTURE_WRITE 0x0010
> #define REGION_SIZE (5 * 1024 * 1024)
>
> int memfd_create_region(const char *name, size_t size)
> {
> int ret;
> int fd = syscall(__NR_memfd_create, name, MFD_ALLOW_SEALING);
> if (fd < 0) return fd;
> ret = ftruncate(fd, size);
> if (ret < 0) { close(fd); return ret; }
> return fd;
> }
>
> int main() {
> int ret, fd;
> void *addr, *addr2, *addr3, *addr1;
> ret = memfd_create_region("test_region", REGION_SIZE);
> printf("ret=%d\n", ret);
> fd = ret;
>
> // Create map
> addr = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> if (addr == MAP_FAILED)
> printf("map 0 failed\n");
> else
> printf("map 0 passed\n");
>
> if ((ret = write(fd, "test", 4)) != 4)
> printf("write failed even though no future-write seal "
> "(ret=%d errno =%d)\n", ret, errno);
> else
> printf("write passed\n");
>
> addr1 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> if (addr1 == MAP_FAILED)
> perror("map 1 prot-write failed even though no seal\n");
> else
> printf("map 1 prot-write passed as expected\n");
>
> ret = fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE |
> F_SEAL_GROW |
> F_SEAL_SHRINK);
> if (ret == -1)
> printf("fcntl failed, errno: %d\n", errno);
> else
> printf("future-write seal now active\n");
>
> if ((ret = write(fd, "test", 4)) != 4)
> printf("write failed as expected due to future-write seal\n");
> else
> printf("write passed (unexpected)\n");
>
> addr2 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> if (addr2 == MAP_FAILED)
> perror("map 2 prot-write failed as expected due to seal\n");
> else
> printf("map 2 passed\n");
>
> addr3 = mmap(0, REGION_SIZE, PROT_READ, MAP_SHARED, fd, 0);
> if (addr3 == MAP_FAILED)
> perror("map 3 failed\n");
> else
> printf("map 3 prot-read passed as expected\n");
> }
>
> The output of running this program is as follows:
> ret=3
> map 0 passed
> write passed
> map 1 prot-write passed as expected
> future-write seal now active
> write failed as expected due to future-write seal
> map 2 prot-write failed as expected due to seal
> : Permission denied
> map 3 prot-read passed as expected
>
> [joel@joelfernandes.org: make F_SEAL_FUTURE_WRITE seal more robust]
> Link: http://lkml.kernel.org/r/20181120052137.74317-1-joel@joelfernandes.org
> Link: http://lkml.kernel.org/r/20181108041537.39694-1-joel@joelfernandes.org
> Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
> Cc: John Stultz <john.stultz@linaro.org>
> Cc: John Reck <jreck@google.com>
> Cc: Todd Kjos <tkjos@google.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Christoph Hellwig <hch@infradead.org>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Daniel Colascione <dancol@google.com>
> Cc: J. Bruce Fields <bfields@fieldses.org>
> Cc: Jeff Layton <jlayton@kernel.org>
> Cc: Khalid Aziz <khalid.aziz@oracle.com>
> Cc: Lei Yang <Lei.Yang@windriver.com>
> Cc: Marc-Andr Lureau <marcandre.lureau@redhat.com>
> Cc: Mike Kravetz <mike.kravetz@oracle.com>
> Cc: Minchan Kim <minchan@kernel.org>
> Cc: Shuah Khan <shuah@kernel.org>
> Cc: Valdis Kletnieks <valdis.kletnieks@vt.edu>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Jann Horn <jannh@google.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> ---
>
>
> --- a/include/uapi/linux/fcntl.h~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/include/uapi/linux/fcntl.h
> @@ -41,6 +41,7 @@
> #define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
> #define F_SEAL_GROW 0x0004 /* prevent file from growing */
> #define F_SEAL_WRITE 0x0008 /* prevent writes */
> +#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
> /* (1U << 31) is reserved for signed error codes */
>
> /*
> --- a/mm/memfd.c~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/mm/memfd.c
> @@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_pt
> #define F_ALL_SEALS (F_SEAL_SEAL | \
> F_SEAL_SHRINK | \
> F_SEAL_GROW | \
> - F_SEAL_WRITE)
> + F_SEAL_WRITE | \
> + F_SEAL_FUTURE_WRITE)
>
> static int memfd_add_seals(struct file *file, unsigned int seals)
> {
> --- a/fs/hugetlbfs/inode.c~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/fs/hugetlbfs/inode.c
> @@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct
> inode_lock(inode);
>
> /* protected by i_mutex */
> - if (info->seals & F_SEAL_WRITE) {
> + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
> inode_unlock(inode);
> return -EPERM;
> }
> --- a/mm/shmem.c~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/mm/shmem.c
> @@ -2119,6 +2119,23 @@ out_nomem:
>
> static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
> {
> + struct shmem_inode_info *info = SHMEM_I(file_inode(file));
> +
> + /*
> + * New PROT_READ and MAP_SHARED mmaps are not allowed when "future
PROT_WRITE, perhaps?
> + * write" seal active.
> + */
> + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) &&
> + (info->seals & F_SEAL_FUTURE_WRITE))
> + return -EPERM;
> +
> + /*
> + * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only
> + * mapping, take care to not allow mprotect to revert protections.
> + */
> + if (info->seals & F_SEAL_FUTURE_WRITE)
> + vma->vm_flags &= ~(VM_MAYWRITE);
> +
This might all be clearer as:
if (info->seals & F_SEAL_FUTURE_WRITE) {
if (vma->vm_flags ...)
return -EPERM;
vma->vm_flags &= ~VM_MAYWRITE;
}
with appropriate comments inserted.
^ permalink raw reply [flat|nested] 62+ messages in thread
* Re: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-22 3:25 ` luto
0 siblings, 0 replies; 62+ messages in thread
From: Andy Lutomirski @ 2018-11-22 3:25 UTC (permalink / raw)
To: Andrew Morton
Cc: Joel Fernandes, Stephen Rothwell, Andrew Lutomirski, LKML,
Hugh Dickins, Jann Horn, Khalid Aziz, Linux API,
open list:KERNEL SELFTEST FRAMEWORK, Linux-MM, marcandre.lureau,
Matthew Wilcox, Mike Kravetz, Shuah Khan
On Wed, Nov 21, 2018 at 6:27 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Tue, 20 Nov 2018 13:13:35 -0800 Joel Fernandes <joel@joelfernandes.org> wrote:
>
> > > > I am Ok with whatever Andrew wants to do, if it is better to squash it with
> > > > the original, then I can do that and send another patch.
> > > >
> > > >
> > >
> > > From experience, Andrew will food in fixups on request :)
> >
> > Andrew, could you squash this patch into the one titled ("mm: Add an
> > F_SEAL_FUTURE_WRITE seal to memfd")?
>
> Sure.
>
> I could of course queue them separately but I rarely do so - I don't
> think that the intermediate development states are useful in the
> infinite-term, and I make them available via additional Link: tags in
> the changelog footers anyway.
>
> I think that the magnitude of these patches is such that John Stultz's
> Reviewed-by is invalidated, so this series is now in the "unreviewed"
> state.
>
> So can we have a re-review please? For convenience, here's the
> folded-together [1/1] patch, as it will go to Linus.
>
>
> From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
> Subject: mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
>
> Android uses ashmem for sharing memory regions. We are looking forward to
> migrating all usecases of ashmem to memfd so that we can possibly remove
> the ashmem driver in the future from staging while also benefiting from
> using memfd and contributing to it. Note staging drivers are also not ABI
> and generally can be removed at anytime.
>
> One of the main usecases Android has is the ability to create a region and
> mmap it as writeable, then add protection against making any "future"
> writes while keeping the existing already mmap'ed writeable-region active.
> This allows us to implement a usecase where receivers of the shared
> memory buffer can get a read-only view, while the sender continues to
> write to the buffer. See CursorWindow documentation in Android for more
> details:
> https://developer.android.com/reference/android/database/CursorWindow
>
> This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
> To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
> which prevents any future mmap and write syscalls from succeeding while
> keeping the existing mmap active. The following program shows the seal
> working in action:
>
> #include <stdio.h>
> #include <errno.h>
> #include <sys/mman.h>
> #include <linux/memfd.h>
> #include <linux/fcntl.h>
> #include <asm/unistd.h>
> #include <unistd.h>
> #define F_SEAL_FUTURE_WRITE 0x0010
> #define REGION_SIZE (5 * 1024 * 1024)
>
> int memfd_create_region(const char *name, size_t size)
> {
> int ret;
> int fd = syscall(__NR_memfd_create, name, MFD_ALLOW_SEALING);
> if (fd < 0) return fd;
> ret = ftruncate(fd, size);
> if (ret < 0) { close(fd); return ret; }
> return fd;
> }
>
> int main() {
> int ret, fd;
> void *addr, *addr2, *addr3, *addr1;
> ret = memfd_create_region("test_region", REGION_SIZE);
> printf("ret=%d\n", ret);
> fd = ret;
>
> // Create map
> addr = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> if (addr == MAP_FAILED)
> printf("map 0 failed\n");
> else
> printf("map 0 passed\n");
>
> if ((ret = write(fd, "test", 4)) != 4)
> printf("write failed even though no future-write seal "
> "(ret=%d errno =%d)\n", ret, errno);
> else
> printf("write passed\n");
>
> addr1 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> if (addr1 == MAP_FAILED)
> perror("map 1 prot-write failed even though no seal\n");
> else
> printf("map 1 prot-write passed as expected\n");
>
> ret = fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE |
> F_SEAL_GROW |
> F_SEAL_SHRINK);
> if (ret == -1)
> printf("fcntl failed, errno: %d\n", errno);
> else
> printf("future-write seal now active\n");
>
> if ((ret = write(fd, "test", 4)) != 4)
> printf("write failed as expected due to future-write seal\n");
> else
> printf("write passed (unexpected)\n");
>
> addr2 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> if (addr2 == MAP_FAILED)
> perror("map 2 prot-write failed as expected due to seal\n");
> else
> printf("map 2 passed\n");
>
> addr3 = mmap(0, REGION_SIZE, PROT_READ, MAP_SHARED, fd, 0);
> if (addr3 == MAP_FAILED)
> perror("map 3 failed\n");
> else
> printf("map 3 prot-read passed as expected\n");
> }
>
> The output of running this program is as follows:
> ret=3
> map 0 passed
> write passed
> map 1 prot-write passed as expected
> future-write seal now active
> write failed as expected due to future-write seal
> map 2 prot-write failed as expected due to seal
> : Permission denied
> map 3 prot-read passed as expected
>
> [joel@joelfernandes.org: make F_SEAL_FUTURE_WRITE seal more robust]
> Link: http://lkml.kernel.org/r/20181120052137.74317-1-joel@joelfernandes.org
> Link: http://lkml.kernel.org/r/20181108041537.39694-1-joel@joelfernandes.org
> Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
> Cc: John Stultz <john.stultz@linaro.org>
> Cc: John Reck <jreck@google.com>
> Cc: Todd Kjos <tkjos@google.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Christoph Hellwig <hch@infradead.org>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Daniel Colascione <dancol@google.com>
> Cc: J. Bruce Fields <bfields@fieldses.org>
> Cc: Jeff Layton <jlayton@kernel.org>
> Cc: Khalid Aziz <khalid.aziz@oracle.com>
> Cc: Lei Yang <Lei.Yang@windriver.com>
> Cc: Marc-Andr Lureau <marcandre.lureau@redhat.com>
> Cc: Mike Kravetz <mike.kravetz@oracle.com>
> Cc: Minchan Kim <minchan@kernel.org>
> Cc: Shuah Khan <shuah@kernel.org>
> Cc: Valdis Kletnieks <valdis.kletnieks@vt.edu>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Jann Horn <jannh@google.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> ---
>
>
> --- a/include/uapi/linux/fcntl.h~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/include/uapi/linux/fcntl.h
> @@ -41,6 +41,7 @@
> #define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
> #define F_SEAL_GROW 0x0004 /* prevent file from growing */
> #define F_SEAL_WRITE 0x0008 /* prevent writes */
> +#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
> /* (1U << 31) is reserved for signed error codes */
>
> /*
> --- a/mm/memfd.c~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/mm/memfd.c
> @@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_pt
> #define F_ALL_SEALS (F_SEAL_SEAL | \
> F_SEAL_SHRINK | \
> F_SEAL_GROW | \
> - F_SEAL_WRITE)
> + F_SEAL_WRITE | \
> + F_SEAL_FUTURE_WRITE)
>
> static int memfd_add_seals(struct file *file, unsigned int seals)
> {
> --- a/fs/hugetlbfs/inode.c~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/fs/hugetlbfs/inode.c
> @@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct
> inode_lock(inode);
>
> /* protected by i_mutex */
> - if (info->seals & F_SEAL_WRITE) {
> + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
> inode_unlock(inode);
> return -EPERM;
> }
> --- a/mm/shmem.c~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/mm/shmem.c
> @@ -2119,6 +2119,23 @@ out_nomem:
>
> static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
> {
> + struct shmem_inode_info *info = SHMEM_I(file_inode(file));
> +
> + /*
> + * New PROT_READ and MAP_SHARED mmaps are not allowed when "future
PROT_WRITE, perhaps?
> + * write" seal active.
> + */
> + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) &&
> + (info->seals & F_SEAL_FUTURE_WRITE))
> + return -EPERM;
> +
> + /*
> + * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only
> + * mapping, take care to not allow mprotect to revert protections.
> + */
> + if (info->seals & F_SEAL_FUTURE_WRITE)
> + vma->vm_flags &= ~(VM_MAYWRITE);
> +
This might all be clearer as:
if (info->seals & F_SEAL_FUTURE_WRITE) {
if (vma->vm_flags ...)
return -EPERM;
vma->vm_flags &= ~VM_MAYWRITE;
}
with appropriate comments inserted.
^ permalink raw reply [flat|nested] 62+ messages in thread
* [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-22 3:25 ` luto
0 siblings, 0 replies; 62+ messages in thread
From: Andy Lutomirski @ 2018-11-22 3:25 UTC (permalink / raw)
On Wed, Nov 21, 2018@6:27 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Tue, 20 Nov 2018 13:13:35 -0800 Joel Fernandes <joel@joelfernandes.org> wrote:
>
> > > > I am Ok with whatever Andrew wants to do, if it is better to squash it with
> > > > the original, then I can do that and send another patch.
> > > >
> > > >
> > >
> > > From experience, Andrew will food in fixups on request :)
> >
> > Andrew, could you squash this patch into the one titled ("mm: Add an
> > F_SEAL_FUTURE_WRITE seal to memfd")?
>
> Sure.
>
> I could of course queue them separately but I rarely do so - I don't
> think that the intermediate development states are useful in the
> infinite-term, and I make them available via additional Link: tags in
> the changelog footers anyway.
>
> I think that the magnitude of these patches is such that John Stultz's
> Reviewed-by is invalidated, so this series is now in the "unreviewed"
> state.
>
> So can we have a re-review please? For convenience, here's the
> folded-together [1/1] patch, as it will go to Linus.
>
>
> From: "Joel Fernandes (Google)" <joel at joelfernandes.org>
> Subject: mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
>
> Android uses ashmem for sharing memory regions. We are looking forward to
> migrating all usecases of ashmem to memfd so that we can possibly remove
> the ashmem driver in the future from staging while also benefiting from
> using memfd and contributing to it. Note staging drivers are also not ABI
> and generally can be removed at anytime.
>
> One of the main usecases Android has is the ability to create a region and
> mmap it as writeable, then add protection against making any "future"
> writes while keeping the existing already mmap'ed writeable-region active.
> This allows us to implement a usecase where receivers of the shared
> memory buffer can get a read-only view, while the sender continues to
> write to the buffer. See CursorWindow documentation in Android for more
> details:
> https://developer.android.com/reference/android/database/CursorWindow
>
> This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
> To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
> which prevents any future mmap and write syscalls from succeeding while
> keeping the existing mmap active. The following program shows the seal
> working in action:
>
> #include <stdio.h>
> #include <errno.h>
> #include <sys/mman.h>
> #include <linux/memfd.h>
> #include <linux/fcntl.h>
> #include <asm/unistd.h>
> #include <unistd.h>
> #define F_SEAL_FUTURE_WRITE 0x0010
> #define REGION_SIZE (5 * 1024 * 1024)
>
> int memfd_create_region(const char *name, size_t size)
> {
> int ret;
> int fd = syscall(__NR_memfd_create, name, MFD_ALLOW_SEALING);
> if (fd < 0) return fd;
> ret = ftruncate(fd, size);
> if (ret < 0) { close(fd); return ret; }
> return fd;
> }
>
> int main() {
> int ret, fd;
> void *addr, *addr2, *addr3, *addr1;
> ret = memfd_create_region("test_region", REGION_SIZE);
> printf("ret=%d\n", ret);
> fd = ret;
>
> // Create map
> addr = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> if (addr == MAP_FAILED)
> printf("map 0 failed\n");
> else
> printf("map 0 passed\n");
>
> if ((ret = write(fd, "test", 4)) != 4)
> printf("write failed even though no future-write seal "
> "(ret=%d errno =%d)\n", ret, errno);
> else
> printf("write passed\n");
>
> addr1 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> if (addr1 == MAP_FAILED)
> perror("map 1 prot-write failed even though no seal\n");
> else
> printf("map 1 prot-write passed as expected\n");
>
> ret = fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE |
> F_SEAL_GROW |
> F_SEAL_SHRINK);
> if (ret == -1)
> printf("fcntl failed, errno: %d\n", errno);
> else
> printf("future-write seal now active\n");
>
> if ((ret = write(fd, "test", 4)) != 4)
> printf("write failed as expected due to future-write seal\n");
> else
> printf("write passed (unexpected)\n");
>
> addr2 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> if (addr2 == MAP_FAILED)
> perror("map 2 prot-write failed as expected due to seal\n");
> else
> printf("map 2 passed\n");
>
> addr3 = mmap(0, REGION_SIZE, PROT_READ, MAP_SHARED, fd, 0);
> if (addr3 == MAP_FAILED)
> perror("map 3 failed\n");
> else
> printf("map 3 prot-read passed as expected\n");
> }
>
> The output of running this program is as follows:
> ret=3
> map 0 passed
> write passed
> map 1 prot-write passed as expected
> future-write seal now active
> write failed as expected due to future-write seal
> map 2 prot-write failed as expected due to seal
> : Permission denied
> map 3 prot-read passed as expected
>
> [joel at joelfernandes.org: make F_SEAL_FUTURE_WRITE seal more robust]
> Link: http://lkml.kernel.org/r/20181120052137.74317-1-joel at joelfernandes.org
> Link: http://lkml.kernel.org/r/20181108041537.39694-1-joel at joelfernandes.org
> Signed-off-by: Joel Fernandes (Google) <joel at joelfernandes.org>
> Cc: John Stultz <john.stultz at linaro.org>
> Cc: John Reck <jreck at google.com>
> Cc: Todd Kjos <tkjos at google.com>
> Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> Cc: Christoph Hellwig <hch at infradead.org>
> Cc: Al Viro <viro at zeniv.linux.org.uk>
> Cc: Daniel Colascione <dancol at google.com>
> Cc: J. Bruce Fields <bfields at fieldses.org>
> Cc: Jeff Layton <jlayton at kernel.org>
> Cc: Khalid Aziz <khalid.aziz at oracle.com>
> Cc: Lei Yang <Lei.Yang at windriver.com>
> Cc: Marc-Andr Lureau <marcandre.lureau at redhat.com>
> Cc: Mike Kravetz <mike.kravetz at oracle.com>
> Cc: Minchan Kim <minchan at kernel.org>
> Cc: Shuah Khan <shuah at kernel.org>
> Cc: Valdis Kletnieks <valdis.kletnieks at vt.edu>
> Cc: Andy Lutomirski <luto at kernel.org>
> Cc: Jann Horn <jannh at google.com>
> Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
> ---
>
>
> --- a/include/uapi/linux/fcntl.h~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/include/uapi/linux/fcntl.h
> @@ -41,6 +41,7 @@
> #define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
> #define F_SEAL_GROW 0x0004 /* prevent file from growing */
> #define F_SEAL_WRITE 0x0008 /* prevent writes */
> +#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
> /* (1U << 31) is reserved for signed error codes */
>
> /*
> --- a/mm/memfd.c~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/mm/memfd.c
> @@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_pt
> #define F_ALL_SEALS (F_SEAL_SEAL | \
> F_SEAL_SHRINK | \
> F_SEAL_GROW | \
> - F_SEAL_WRITE)
> + F_SEAL_WRITE | \
> + F_SEAL_FUTURE_WRITE)
>
> static int memfd_add_seals(struct file *file, unsigned int seals)
> {
> --- a/fs/hugetlbfs/inode.c~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/fs/hugetlbfs/inode.c
> @@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct
> inode_lock(inode);
>
> /* protected by i_mutex */
> - if (info->seals & F_SEAL_WRITE) {
> + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
> inode_unlock(inode);
> return -EPERM;
> }
> --- a/mm/shmem.c~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/mm/shmem.c
> @@ -2119,6 +2119,23 @@ out_nomem:
>
> static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
> {
> + struct shmem_inode_info *info = SHMEM_I(file_inode(file));
> +
> + /*
> + * New PROT_READ and MAP_SHARED mmaps are not allowed when "future
PROT_WRITE, perhaps?
> + * write" seal active.
> + */
> + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) &&
> + (info->seals & F_SEAL_FUTURE_WRITE))
> + return -EPERM;
> +
> + /*
> + * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only
> + * mapping, take care to not allow mprotect to revert protections.
> + */
> + if (info->seals & F_SEAL_FUTURE_WRITE)
> + vma->vm_flags &= ~(VM_MAYWRITE);
> +
This might all be clearer as:
if (info->seals & F_SEAL_FUTURE_WRITE) {
if (vma->vm_flags ...)
return -EPERM;
vma->vm_flags &= ~VM_MAYWRITE;
}
with appropriate comments inserted.
^ permalink raw reply [flat|nested] 62+ messages in thread
* [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-22 3:25 ` luto
0 siblings, 0 replies; 62+ messages in thread
From: luto @ 2018-11-22 3:25 UTC (permalink / raw)
On Wed, Nov 21, 2018 at 6:27 PM Andrew Morton <akpm at linux-foundation.org> wrote:
>
> On Tue, 20 Nov 2018 13:13:35 -0800 Joel Fernandes <joel at joelfernandes.org> wrote:
>
> > > > I am Ok with whatever Andrew wants to do, if it is better to squash it with
> > > > the original, then I can do that and send another patch.
> > > >
> > > >
> > >
> > > From experience, Andrew will food in fixups on request :)
> >
> > Andrew, could you squash this patch into the one titled ("mm: Add an
> > F_SEAL_FUTURE_WRITE seal to memfd")?
>
> Sure.
>
> I could of course queue them separately but I rarely do so - I don't
> think that the intermediate development states are useful in the
> infinite-term, and I make them available via additional Link: tags in
> the changelog footers anyway.
>
> I think that the magnitude of these patches is such that John Stultz's
> Reviewed-by is invalidated, so this series is now in the "unreviewed"
> state.
>
> So can we have a re-review please? For convenience, here's the
> folded-together [1/1] patch, as it will go to Linus.
>
>
> From: "Joel Fernandes (Google)" <joel at joelfernandes.org>
> Subject: mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
>
> Android uses ashmem for sharing memory regions. We are looking forward to
> migrating all usecases of ashmem to memfd so that we can possibly remove
> the ashmem driver in the future from staging while also benefiting from
> using memfd and contributing to it. Note staging drivers are also not ABI
> and generally can be removed at anytime.
>
> One of the main usecases Android has is the ability to create a region and
> mmap it as writeable, then add protection against making any "future"
> writes while keeping the existing already mmap'ed writeable-region active.
> This allows us to implement a usecase where receivers of the shared
> memory buffer can get a read-only view, while the sender continues to
> write to the buffer. See CursorWindow documentation in Android for more
> details:
> https://developer.android.com/reference/android/database/CursorWindow
>
> This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
> To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
> which prevents any future mmap and write syscalls from succeeding while
> keeping the existing mmap active. The following program shows the seal
> working in action:
>
> #include <stdio.h>
> #include <errno.h>
> #include <sys/mman.h>
> #include <linux/memfd.h>
> #include <linux/fcntl.h>
> #include <asm/unistd.h>
> #include <unistd.h>
> #define F_SEAL_FUTURE_WRITE 0x0010
> #define REGION_SIZE (5 * 1024 * 1024)
>
> int memfd_create_region(const char *name, size_t size)
> {
> int ret;
> int fd = syscall(__NR_memfd_create, name, MFD_ALLOW_SEALING);
> if (fd < 0) return fd;
> ret = ftruncate(fd, size);
> if (ret < 0) { close(fd); return ret; }
> return fd;
> }
>
> int main() {
> int ret, fd;
> void *addr, *addr2, *addr3, *addr1;
> ret = memfd_create_region("test_region", REGION_SIZE);
> printf("ret=%d\n", ret);
> fd = ret;
>
> // Create map
> addr = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> if (addr == MAP_FAILED)
> printf("map 0 failed\n");
> else
> printf("map 0 passed\n");
>
> if ((ret = write(fd, "test", 4)) != 4)
> printf("write failed even though no future-write seal "
> "(ret=%d errno =%d)\n", ret, errno);
> else
> printf("write passed\n");
>
> addr1 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> if (addr1 == MAP_FAILED)
> perror("map 1 prot-write failed even though no seal\n");
> else
> printf("map 1 prot-write passed as expected\n");
>
> ret = fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE |
> F_SEAL_GROW |
> F_SEAL_SHRINK);
> if (ret == -1)
> printf("fcntl failed, errno: %d\n", errno);
> else
> printf("future-write seal now active\n");
>
> if ((ret = write(fd, "test", 4)) != 4)
> printf("write failed as expected due to future-write seal\n");
> else
> printf("write passed (unexpected)\n");
>
> addr2 = mmap(0, REGION_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> if (addr2 == MAP_FAILED)
> perror("map 2 prot-write failed as expected due to seal\n");
> else
> printf("map 2 passed\n");
>
> addr3 = mmap(0, REGION_SIZE, PROT_READ, MAP_SHARED, fd, 0);
> if (addr3 == MAP_FAILED)
> perror("map 3 failed\n");
> else
> printf("map 3 prot-read passed as expected\n");
> }
>
> The output of running this program is as follows:
> ret=3
> map 0 passed
> write passed
> map 1 prot-write passed as expected
> future-write seal now active
> write failed as expected due to future-write seal
> map 2 prot-write failed as expected due to seal
> : Permission denied
> map 3 prot-read passed as expected
>
> [joel at joelfernandes.org: make F_SEAL_FUTURE_WRITE seal more robust]
> Link: http://lkml.kernel.org/r/20181120052137.74317-1-joel at joelfernandes.org
> Link: http://lkml.kernel.org/r/20181108041537.39694-1-joel at joelfernandes.org
> Signed-off-by: Joel Fernandes (Google) <joel at joelfernandes.org>
> Cc: John Stultz <john.stultz at linaro.org>
> Cc: John Reck <jreck at google.com>
> Cc: Todd Kjos <tkjos at google.com>
> Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> Cc: Christoph Hellwig <hch at infradead.org>
> Cc: Al Viro <viro at zeniv.linux.org.uk>
> Cc: Daniel Colascione <dancol at google.com>
> Cc: J. Bruce Fields <bfields at fieldses.org>
> Cc: Jeff Layton <jlayton at kernel.org>
> Cc: Khalid Aziz <khalid.aziz at oracle.com>
> Cc: Lei Yang <Lei.Yang at windriver.com>
> Cc: Marc-Andr Lureau <marcandre.lureau at redhat.com>
> Cc: Mike Kravetz <mike.kravetz at oracle.com>
> Cc: Minchan Kim <minchan at kernel.org>
> Cc: Shuah Khan <shuah at kernel.org>
> Cc: Valdis Kletnieks <valdis.kletnieks at vt.edu>
> Cc: Andy Lutomirski <luto at kernel.org>
> Cc: Jann Horn <jannh at google.com>
> Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
> ---
>
>
> --- a/include/uapi/linux/fcntl.h~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/include/uapi/linux/fcntl.h
> @@ -41,6 +41,7 @@
> #define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
> #define F_SEAL_GROW 0x0004 /* prevent file from growing */
> #define F_SEAL_WRITE 0x0008 /* prevent writes */
> +#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
> /* (1U << 31) is reserved for signed error codes */
>
> /*
> --- a/mm/memfd.c~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/mm/memfd.c
> @@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_pt
> #define F_ALL_SEALS (F_SEAL_SEAL | \
> F_SEAL_SHRINK | \
> F_SEAL_GROW | \
> - F_SEAL_WRITE)
> + F_SEAL_WRITE | \
> + F_SEAL_FUTURE_WRITE)
>
> static int memfd_add_seals(struct file *file, unsigned int seals)
> {
> --- a/fs/hugetlbfs/inode.c~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/fs/hugetlbfs/inode.c
> @@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct
> inode_lock(inode);
>
> /* protected by i_mutex */
> - if (info->seals & F_SEAL_WRITE) {
> + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
> inode_unlock(inode);
> return -EPERM;
> }
> --- a/mm/shmem.c~mm-add-an-f_seal_future_write-seal-to-memfd
> +++ a/mm/shmem.c
> @@ -2119,6 +2119,23 @@ out_nomem:
>
> static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
> {
> + struct shmem_inode_info *info = SHMEM_I(file_inode(file));
> +
> + /*
> + * New PROT_READ and MAP_SHARED mmaps are not allowed when "future
PROT_WRITE, perhaps?
> + * write" seal active.
> + */
> + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) &&
> + (info->seals & F_SEAL_FUTURE_WRITE))
> + return -EPERM;
> +
> + /*
> + * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only
> + * mapping, take care to not allow mprotect to revert protections.
> + */
> + if (info->seals & F_SEAL_FUTURE_WRITE)
> + vma->vm_flags &= ~(VM_MAYWRITE);
> +
This might all be clearer as:
if (info->seals & F_SEAL_FUTURE_WRITE) {
if (vma->vm_flags ...)
return -EPERM;
vma->vm_flags &= ~VM_MAYWRITE;
}
with appropriate comments inserted.
^ permalink raw reply [flat|nested] 62+ messages in thread
* Re: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
2018-11-22 3:25 ` luto
(?)
(?)
@ 2018-11-22 23:09 ` joel
-1 siblings, 0 replies; 62+ messages in thread
From: Joel Fernandes @ 2018-11-22 23:09 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Andrew Morton, Stephen Rothwell, LKML, Hugh Dickins, Jann Horn,
Khalid Aziz, Linux API, open list:KERNEL SELFTEST FRAMEWORK,
Linux-MM, marcandre.lureau, Matthew Wilcox, Mike Kravetz,
Shuah Khan
On Wed, Nov 21, 2018 at 07:25:26PM -0800, Andy Lutomirski wrote:
> On Wed, Nov 21, 2018 at 6:27 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> >
> > On Tue, 20 Nov 2018 13:13:35 -0800 Joel Fernandes <joel@joelfernandes.org> wrote:
> >
> > > > > I am Ok with whatever Andrew wants to do, if it is better to squash it with
> > > > > the original, then I can do that and send another patch.
> > > > >
> > > > >
> > > >
> > > > From experience, Andrew will food in fixups on request :)
> > >
> > > Andrew, could you squash this patch into the one titled ("mm: Add an
> > > F_SEAL_FUTURE_WRITE seal to memfd")?
> >
> > Sure.
> >
> > I could of course queue them separately but I rarely do so - I don't
> > think that the intermediate development states are useful in the
> > infinite-term, and I make them available via additional Link: tags in
> > the changelog footers anyway.
> >
> > I think that the magnitude of these patches is such that John Stultz's
> > Reviewed-by is invalidated, so this series is now in the "unreviewed"
> > state.
> >
> > So can we have a re-review please? For convenience, here's the
> > folded-together [1/1] patch, as it will go to Linus.
Sure, I removed the old tags and also provide an updated patch below inline.
> > From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
> > Subject: mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
> >
> > Android uses ashmem for sharing memory regions. We are looking forward to
> > migrating all usecases of ashmem to memfd so that we can possibly remove
> > the ashmem driver in the future from staging while also benefiting from
> > using memfd and contributing to it. Note staging drivers are also not ABI
> > and generally can be removed at anytime.
[...]
> > --- a/include/uapi/linux/fcntl.h~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/include/uapi/linux/fcntl.h
> > @@ -41,6 +41,7 @@
> > #define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
> > #define F_SEAL_GROW 0x0004 /* prevent file from growing */
> > #define F_SEAL_WRITE 0x0008 /* prevent writes */
> > +#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
> > /* (1U << 31) is reserved for signed error codes */
> >
> > /*
> > --- a/mm/memfd.c~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/mm/memfd.c
> > @@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_pt
> > #define F_ALL_SEALS (F_SEAL_SEAL | \
> > F_SEAL_SHRINK | \
> > F_SEAL_GROW | \
> > - F_SEAL_WRITE)
> > + F_SEAL_WRITE | \
> > + F_SEAL_FUTURE_WRITE)
> >
> > static int memfd_add_seals(struct file *file, unsigned int seals)
> > {
> > --- a/fs/hugetlbfs/inode.c~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/fs/hugetlbfs/inode.c
> > @@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct
> > inode_lock(inode);
> >
> > /* protected by i_mutex */
> > - if (info->seals & F_SEAL_WRITE) {
> > + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
> > inode_unlock(inode);
> > return -EPERM;
> > }
> > --- a/mm/shmem.c~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/mm/shmem.c
> > @@ -2119,6 +2119,23 @@ out_nomem:
> >
> > static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
> > {
> > + struct shmem_inode_info *info = SHMEM_I(file_inode(file));
> > +
> > + /*
> > + * New PROT_READ and MAP_SHARED mmaps are not allowed when "future
>
> PROT_WRITE, perhaps?
Yes, fixed.
> > + * write" seal active.
> > + */
> > + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) &&
> > + (info->seals & F_SEAL_FUTURE_WRITE))
> > + return -EPERM;
> > +
> > + /*
> > + * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only
> > + * mapping, take care to not allow mprotect to revert protections.
> > + */
> > + if (info->seals & F_SEAL_FUTURE_WRITE)
> > + vma->vm_flags &= ~(VM_MAYWRITE);
> > +
>
> This might all be clearer as:
>
> if (info->seals & F_SEAL_FUTURE_WRITE) {
> if (vma->vm_flags ...)
> return -EPERM;
> vma->vm_flags &= ~VM_MAYWRITE;
> }
>
> with appropriate comments inserted.
Agreed, its simpler. Updated patch is below. I squashed it with all the
earlier ones. Andy, could you provide Acks and/or Reviewed-by tag as well?
---8<-----------------------
From b5a4960e755af67e9f6f9e65db5113e712cf338e Mon Sep 17 00:00:00 2001
From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
Date: Sat, 10 Nov 2018 22:21:31 -0800
Subject: [PATCH v4] mm/memfd: Add an F_SEAL_FUTURE_WRITE seal to memfd
Android uses ashmem for sharing memory regions. We are looking forward to
migrating all usecases of ashmem to memfd so that we can possibly remove
the ashmem driver in the future from staging while also benefiting from
using memfd and contributing to it. Note staging drivers are also not ABI
and generally can be removed at anytime.
One of the main usecases Android has is the ability to create a region and
mmap it as writeable, then add protection against making any "future"
writes while keeping the existing already mmap'ed writeable-region active.
This allows us to implement a usecase where receivers of the shared
memory buffer can get a read-only view, while the sender continues to
write to the buffer. See CursorWindow documentation in Android for more
details:
https://developer.android.com/reference/android/database/CursorWindow
This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
which prevents any future mmap and write syscalls from succeeding while
keeping the existing mmap active.
A better way to do F_SEAL_FUTURE_WRITE seal was discussed [1] last week
where we don't need to modify core VFS structures to get the same
behavior of the seal. This solves several side-effects pointed by Andy.
self-tests are provided in later patch to verify the expected semantics.
[1] https://lore.kernel.org/lkml/20181111173650.GA256781@google.com/
Suggested-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
---
fs/hugetlbfs/inode.c | 2 +-
include/uapi/linux/fcntl.h | 1 +
mm/memfd.c | 3 ++-
mm/shmem.c | 26 +++++++++++++++++++++++---
4 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index 762028994f47..5b54bf893a67 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -558,7 +558,7 @@ static long hugetlbfs_punch_hole(struct inode *inode, loff_t offset, loff_t len)
inode_lock(inode);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
inode_unlock(inode);
return -EPERM;
}
diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h
index 594b85f7cb86..1d338357df8a 100644
--- a/include/uapi/linux/fcntl.h
+++ b/include/uapi/linux/fcntl.h
@@ -41,6 +41,7 @@
#define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
#define F_SEAL_GROW 0x0004 /* prevent file from growing */
#define F_SEAL_WRITE 0x0008 /* prevent writes */
+#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
/* (1U << 31) is reserved for signed error codes */
/*
diff --git a/mm/memfd.c b/mm/memfd.c
index 97264c79d2cd..650e65a46b9c 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_ptr(struct file *file)
#define F_ALL_SEALS (F_SEAL_SEAL | \
F_SEAL_SHRINK | \
F_SEAL_GROW | \
- F_SEAL_WRITE)
+ F_SEAL_WRITE | \
+ F_SEAL_FUTURE_WRITE)
static int memfd_add_seals(struct file *file, unsigned int seals)
{
diff --git a/mm/shmem.c b/mm/shmem.c
index 32eb29bd72c6..f5069e8225cc 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2121,6 +2121,25 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)
static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
{
+ struct shmem_inode_info *info = SHMEM_I(file_inode(file));
+
+
+ if (info->seals & F_SEAL_FUTURE_WRITE) {
+ /*
+ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+ * "future write" seal active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+ return -EPERM;
+
+ /*
+ * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED
+ * read-only mapping, take care to not allow mprotect to revert
+ * protections.
+ */
+ vma->vm_flags &= ~(VM_MAYWRITE);
+ }
+
file_accessed(file);
vma->vm_ops = &shmem_vm_ops;
if (IS_ENABLED(CONFIG_TRANSPARENT_HUGE_PAGECACHE) &&
@@ -2346,8 +2365,9 @@ shmem_write_begin(struct file *file, struct address_space *mapping,
pgoff_t index = pos >> PAGE_SHIFT;
/* i_mutex is held by caller */
- if (unlikely(info->seals & (F_SEAL_WRITE | F_SEAL_GROW))) {
- if (info->seals & F_SEAL_WRITE)
+ if (unlikely(info->seals & (F_SEAL_GROW |
+ F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))
return -EPERM;
if ((info->seals & F_SEAL_GROW) && pos + len > inode->i_size)
return -EPERM;
@@ -2610,7 +2630,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
error = -EPERM;
goto out;
}
--
2.19.1.1215.g8438c0b245-goog
^ permalink raw reply related [flat|nested] 62+ messages in thread
* Re: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-22 23:09 ` joel
0 siblings, 0 replies; 62+ messages in thread
From: Joel Fernandes @ 2018-11-22 23:09 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Andrew Morton, Stephen Rothwell, LKML, Hugh Dickins, Jann Horn,
Khalid Aziz, Linux API, open list:KERNEL SELFTEST FRAMEWORK,
Linux-MM, marcandre.lureau, Matthew Wilcox, Mike Kravetz,
Shuah Khan
On Wed, Nov 21, 2018 at 07:25:26PM -0800, Andy Lutomirski wrote:
> On Wed, Nov 21, 2018 at 6:27 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> >
> > On Tue, 20 Nov 2018 13:13:35 -0800 Joel Fernandes <joel@joelfernandes.org> wrote:
> >
> > > > > I am Ok with whatever Andrew wants to do, if it is better to squash it with
> > > > > the original, then I can do that and send another patch.
> > > > >
> > > > >
> > > >
> > > > From experience, Andrew will food in fixups on request :)
> > >
> > > Andrew, could you squash this patch into the one titled ("mm: Add an
> > > F_SEAL_FUTURE_WRITE seal to memfd")?
> >
> > Sure.
> >
> > I could of course queue them separately but I rarely do so - I don't
> > think that the intermediate development states are useful in the
> > infinite-term, and I make them available via additional Link: tags in
> > the changelog footers anyway.
> >
> > I think that the magnitude of these patches is such that John Stultz's
> > Reviewed-by is invalidated, so this series is now in the "unreviewed"
> > state.
> >
> > So can we have a re-review please? For convenience, here's the
> > folded-together [1/1] patch, as it will go to Linus.
Sure, I removed the old tags and also provide an updated patch below inline.
> > From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
> > Subject: mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
> >
> > Android uses ashmem for sharing memory regions. We are looking forward to
> > migrating all usecases of ashmem to memfd so that we can possibly remove
> > the ashmem driver in the future from staging while also benefiting from
> > using memfd and contributing to it. Note staging drivers are also not ABI
> > and generally can be removed at anytime.
[...]
> > --- a/include/uapi/linux/fcntl.h~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/include/uapi/linux/fcntl.h
> > @@ -41,6 +41,7 @@
> > #define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
> > #define F_SEAL_GROW 0x0004 /* prevent file from growing */
> > #define F_SEAL_WRITE 0x0008 /* prevent writes */
> > +#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
> > /* (1U << 31) is reserved for signed error codes */
> >
> > /*
> > --- a/mm/memfd.c~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/mm/memfd.c
> > @@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_pt
> > #define F_ALL_SEALS (F_SEAL_SEAL | \
> > F_SEAL_SHRINK | \
> > F_SEAL_GROW | \
> > - F_SEAL_WRITE)
> > + F_SEAL_WRITE | \
> > + F_SEAL_FUTURE_WRITE)
> >
> > static int memfd_add_seals(struct file *file, unsigned int seals)
> > {
> > --- a/fs/hugetlbfs/inode.c~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/fs/hugetlbfs/inode.c
> > @@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct
> > inode_lock(inode);
> >
> > /* protected by i_mutex */
> > - if (info->seals & F_SEAL_WRITE) {
> > + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
> > inode_unlock(inode);
> > return -EPERM;
> > }
> > --- a/mm/shmem.c~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/mm/shmem.c
> > @@ -2119,6 +2119,23 @@ out_nomem:
> >
> > static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
> > {
> > + struct shmem_inode_info *info = SHMEM_I(file_inode(file));
> > +
> > + /*
> > + * New PROT_READ and MAP_SHARED mmaps are not allowed when "future
>
> PROT_WRITE, perhaps?
Yes, fixed.
> > + * write" seal active.
> > + */
> > + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) &&
> > + (info->seals & F_SEAL_FUTURE_WRITE))
> > + return -EPERM;
> > +
> > + /*
> > + * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only
> > + * mapping, take care to not allow mprotect to revert protections.
> > + */
> > + if (info->seals & F_SEAL_FUTURE_WRITE)
> > + vma->vm_flags &= ~(VM_MAYWRITE);
> > +
>
> This might all be clearer as:
>
> if (info->seals & F_SEAL_FUTURE_WRITE) {
> if (vma->vm_flags ...)
> return -EPERM;
> vma->vm_flags &= ~VM_MAYWRITE;
> }
>
> with appropriate comments inserted.
Agreed, its simpler. Updated patch is below. I squashed it with all the
earlier ones. Andy, could you provide Acks and/or Reviewed-by tag as well?
---8<-----------------------
>From b5a4960e755af67e9f6f9e65db5113e712cf338e Mon Sep 17 00:00:00 2001
From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
Date: Sat, 10 Nov 2018 22:21:31 -0800
Subject: [PATCH v4] mm/memfd: Add an F_SEAL_FUTURE_WRITE seal to memfd
Android uses ashmem for sharing memory regions. We are looking forward to
migrating all usecases of ashmem to memfd so that we can possibly remove
the ashmem driver in the future from staging while also benefiting from
using memfd and contributing to it. Note staging drivers are also not ABI
and generally can be removed at anytime.
One of the main usecases Android has is the ability to create a region and
mmap it as writeable, then add protection against making any "future"
writes while keeping the existing already mmap'ed writeable-region active.
This allows us to implement a usecase where receivers of the shared
memory buffer can get a read-only view, while the sender continues to
write to the buffer. See CursorWindow documentation in Android for more
details:
https://developer.android.com/reference/android/database/CursorWindow
This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
which prevents any future mmap and write syscalls from succeeding while
keeping the existing mmap active.
A better way to do F_SEAL_FUTURE_WRITE seal was discussed [1] last week
where we don't need to modify core VFS structures to get the same
behavior of the seal. This solves several side-effects pointed by Andy.
self-tests are provided in later patch to verify the expected semantics.
[1] https://lore.kernel.org/lkml/20181111173650.GA256781@google.com/
Suggested-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
---
fs/hugetlbfs/inode.c | 2 +-
include/uapi/linux/fcntl.h | 1 +
mm/memfd.c | 3 ++-
mm/shmem.c | 26 +++++++++++++++++++++++---
4 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index 762028994f47..5b54bf893a67 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -558,7 +558,7 @@ static long hugetlbfs_punch_hole(struct inode *inode, loff_t offset, loff_t len)
inode_lock(inode);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
inode_unlock(inode);
return -EPERM;
}
diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h
index 594b85f7cb86..1d338357df8a 100644
--- a/include/uapi/linux/fcntl.h
+++ b/include/uapi/linux/fcntl.h
@@ -41,6 +41,7 @@
#define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
#define F_SEAL_GROW 0x0004 /* prevent file from growing */
#define F_SEAL_WRITE 0x0008 /* prevent writes */
+#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
/* (1U << 31) is reserved for signed error codes */
/*
diff --git a/mm/memfd.c b/mm/memfd.c
index 97264c79d2cd..650e65a46b9c 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_ptr(struct file *file)
#define F_ALL_SEALS (F_SEAL_SEAL | \
F_SEAL_SHRINK | \
F_SEAL_GROW | \
- F_SEAL_WRITE)
+ F_SEAL_WRITE | \
+ F_SEAL_FUTURE_WRITE)
static int memfd_add_seals(struct file *file, unsigned int seals)
{
diff --git a/mm/shmem.c b/mm/shmem.c
index 32eb29bd72c6..f5069e8225cc 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2121,6 +2121,25 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)
static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
{
+ struct shmem_inode_info *info = SHMEM_I(file_inode(file));
+
+
+ if (info->seals & F_SEAL_FUTURE_WRITE) {
+ /*
+ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+ * "future write" seal active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+ return -EPERM;
+
+ /*
+ * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED
+ * read-only mapping, take care to not allow mprotect to revert
+ * protections.
+ */
+ vma->vm_flags &= ~(VM_MAYWRITE);
+ }
+
file_accessed(file);
vma->vm_ops = &shmem_vm_ops;
if (IS_ENABLED(CONFIG_TRANSPARENT_HUGE_PAGECACHE) &&
@@ -2346,8 +2365,9 @@ shmem_write_begin(struct file *file, struct address_space *mapping,
pgoff_t index = pos >> PAGE_SHIFT;
/* i_mutex is held by caller */
- if (unlikely(info->seals & (F_SEAL_WRITE | F_SEAL_GROW))) {
- if (info->seals & F_SEAL_WRITE)
+ if (unlikely(info->seals & (F_SEAL_GROW |
+ F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))
return -EPERM;
if ((info->seals & F_SEAL_GROW) && pos + len > inode->i_size)
return -EPERM;
@@ -2610,7 +2630,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
error = -EPERM;
goto out;
}
--
2.19.1.1215.g8438c0b245-goog
^ permalink raw reply related [flat|nested] 62+ messages in thread
* [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-22 23:09 ` joel
0 siblings, 0 replies; 62+ messages in thread
From: Joel Fernandes @ 2018-11-22 23:09 UTC (permalink / raw)
On Wed, Nov 21, 2018@07:25:26PM -0800, Andy Lutomirski wrote:
> On Wed, Nov 21, 2018@6:27 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> >
> > On Tue, 20 Nov 2018 13:13:35 -0800 Joel Fernandes <joel@joelfernandes.org> wrote:
> >
> > > > > I am Ok with whatever Andrew wants to do, if it is better to squash it with
> > > > > the original, then I can do that and send another patch.
> > > > >
> > > > >
> > > >
> > > > From experience, Andrew will food in fixups on request :)
> > >
> > > Andrew, could you squash this patch into the one titled ("mm: Add an
> > > F_SEAL_FUTURE_WRITE seal to memfd")?
> >
> > Sure.
> >
> > I could of course queue them separately but I rarely do so - I don't
> > think that the intermediate development states are useful in the
> > infinite-term, and I make them available via additional Link: tags in
> > the changelog footers anyway.
> >
> > I think that the magnitude of these patches is such that John Stultz's
> > Reviewed-by is invalidated, so this series is now in the "unreviewed"
> > state.
> >
> > So can we have a re-review please? For convenience, here's the
> > folded-together [1/1] patch, as it will go to Linus.
Sure, I removed the old tags and also provide an updated patch below inline.
> > From: "Joel Fernandes (Google)" <joel at joelfernandes.org>
> > Subject: mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
> >
> > Android uses ashmem for sharing memory regions. We are looking forward to
> > migrating all usecases of ashmem to memfd so that we can possibly remove
> > the ashmem driver in the future from staging while also benefiting from
> > using memfd and contributing to it. Note staging drivers are also not ABI
> > and generally can be removed at anytime.
[...]
> > --- a/include/uapi/linux/fcntl.h~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/include/uapi/linux/fcntl.h
> > @@ -41,6 +41,7 @@
> > #define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
> > #define F_SEAL_GROW 0x0004 /* prevent file from growing */
> > #define F_SEAL_WRITE 0x0008 /* prevent writes */
> > +#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
> > /* (1U << 31) is reserved for signed error codes */
> >
> > /*
> > --- a/mm/memfd.c~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/mm/memfd.c
> > @@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_pt
> > #define F_ALL_SEALS (F_SEAL_SEAL | \
> > F_SEAL_SHRINK | \
> > F_SEAL_GROW | \
> > - F_SEAL_WRITE)
> > + F_SEAL_WRITE | \
> > + F_SEAL_FUTURE_WRITE)
> >
> > static int memfd_add_seals(struct file *file, unsigned int seals)
> > {
> > --- a/fs/hugetlbfs/inode.c~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/fs/hugetlbfs/inode.c
> > @@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct
> > inode_lock(inode);
> >
> > /* protected by i_mutex */
> > - if (info->seals & F_SEAL_WRITE) {
> > + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
> > inode_unlock(inode);
> > return -EPERM;
> > }
> > --- a/mm/shmem.c~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/mm/shmem.c
> > @@ -2119,6 +2119,23 @@ out_nomem:
> >
> > static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
> > {
> > + struct shmem_inode_info *info = SHMEM_I(file_inode(file));
> > +
> > + /*
> > + * New PROT_READ and MAP_SHARED mmaps are not allowed when "future
>
> PROT_WRITE, perhaps?
Yes, fixed.
> > + * write" seal active.
> > + */
> > + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) &&
> > + (info->seals & F_SEAL_FUTURE_WRITE))
> > + return -EPERM;
> > +
> > + /*
> > + * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only
> > + * mapping, take care to not allow mprotect to revert protections.
> > + */
> > + if (info->seals & F_SEAL_FUTURE_WRITE)
> > + vma->vm_flags &= ~(VM_MAYWRITE);
> > +
>
> This might all be clearer as:
>
> if (info->seals & F_SEAL_FUTURE_WRITE) {
> if (vma->vm_flags ...)
> return -EPERM;
> vma->vm_flags &= ~VM_MAYWRITE;
> }
>
> with appropriate comments inserted.
Agreed, its simpler. Updated patch is below. I squashed it with all the
earlier ones. Andy, could you provide Acks and/or Reviewed-by tag as well?
---8<-----------------------
>From b5a4960e755af67e9f6f9e65db5113e712cf338e Mon Sep 17 00:00:00 2001
From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
Date: Sat, 10 Nov 2018 22:21:31 -0800
Subject: [PATCH v4] mm/memfd: Add an F_SEAL_FUTURE_WRITE seal to memfd
Android uses ashmem for sharing memory regions. We are looking forward to
migrating all usecases of ashmem to memfd so that we can possibly remove
the ashmem driver in the future from staging while also benefiting from
using memfd and contributing to it. Note staging drivers are also not ABI
and generally can be removed at anytime.
One of the main usecases Android has is the ability to create a region and
mmap it as writeable, then add protection against making any "future"
writes while keeping the existing already mmap'ed writeable-region active.
This allows us to implement a usecase where receivers of the shared
memory buffer can get a read-only view, while the sender continues to
write to the buffer. See CursorWindow documentation in Android for more
details:
https://developer.android.com/reference/android/database/CursorWindow
This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
which prevents any future mmap and write syscalls from succeeding while
keeping the existing mmap active.
A better way to do F_SEAL_FUTURE_WRITE seal was discussed [1] last week
where we don't need to modify core VFS structures to get the same
behavior of the seal. This solves several side-effects pointed by Andy.
self-tests are provided in later patch to verify the expected semantics.
[1] https://lore.kernel.org/lkml/20181111173650.GA256781 at google.com/
Suggested-by: Andy Lutomirski <luto at kernel.org>
Signed-off-by: Joel Fernandes (Google) <joel at joelfernandes.org>
---
fs/hugetlbfs/inode.c | 2 +-
include/uapi/linux/fcntl.h | 1 +
mm/memfd.c | 3 ++-
mm/shmem.c | 26 +++++++++++++++++++++++---
4 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index 762028994f47..5b54bf893a67 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -558,7 +558,7 @@ static long hugetlbfs_punch_hole(struct inode *inode, loff_t offset, loff_t len)
inode_lock(inode);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
inode_unlock(inode);
return -EPERM;
}
diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h
index 594b85f7cb86..1d338357df8a 100644
--- a/include/uapi/linux/fcntl.h
+++ b/include/uapi/linux/fcntl.h
@@ -41,6 +41,7 @@
#define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
#define F_SEAL_GROW 0x0004 /* prevent file from growing */
#define F_SEAL_WRITE 0x0008 /* prevent writes */
+#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
/* (1U << 31) is reserved for signed error codes */
/*
diff --git a/mm/memfd.c b/mm/memfd.c
index 97264c79d2cd..650e65a46b9c 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_ptr(struct file *file)
#define F_ALL_SEALS (F_SEAL_SEAL | \
F_SEAL_SHRINK | \
F_SEAL_GROW | \
- F_SEAL_WRITE)
+ F_SEAL_WRITE | \
+ F_SEAL_FUTURE_WRITE)
static int memfd_add_seals(struct file *file, unsigned int seals)
{
diff --git a/mm/shmem.c b/mm/shmem.c
index 32eb29bd72c6..f5069e8225cc 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2121,6 +2121,25 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)
static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
{
+ struct shmem_inode_info *info = SHMEM_I(file_inode(file));
+
+
+ if (info->seals & F_SEAL_FUTURE_WRITE) {
+ /*
+ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+ * "future write" seal active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+ return -EPERM;
+
+ /*
+ * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED
+ * read-only mapping, take care to not allow mprotect to revert
+ * protections.
+ */
+ vma->vm_flags &= ~(VM_MAYWRITE);
+ }
+
file_accessed(file);
vma->vm_ops = &shmem_vm_ops;
if (IS_ENABLED(CONFIG_TRANSPARENT_HUGE_PAGECACHE) &&
@@ -2346,8 +2365,9 @@ shmem_write_begin(struct file *file, struct address_space *mapping,
pgoff_t index = pos >> PAGE_SHIFT;
/* i_mutex is held by caller */
- if (unlikely(info->seals & (F_SEAL_WRITE | F_SEAL_GROW))) {
- if (info->seals & F_SEAL_WRITE)
+ if (unlikely(info->seals & (F_SEAL_GROW |
+ F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))
return -EPERM;
if ((info->seals & F_SEAL_GROW) && pos + len > inode->i_size)
return -EPERM;
@@ -2610,7 +2630,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
error = -EPERM;
goto out;
}
--
2.19.1.1215.g8438c0b245-goog
^ permalink raw reply related [flat|nested] 62+ messages in thread
* [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-22 23:09 ` joel
0 siblings, 0 replies; 62+ messages in thread
From: joel @ 2018-11-22 23:09 UTC (permalink / raw)
On Wed, Nov 21, 2018 at 07:25:26PM -0800, Andy Lutomirski wrote:
> On Wed, Nov 21, 2018 at 6:27 PM Andrew Morton <akpm at linux-foundation.org> wrote:
> >
> > On Tue, 20 Nov 2018 13:13:35 -0800 Joel Fernandes <joel at joelfernandes.org> wrote:
> >
> > > > > I am Ok with whatever Andrew wants to do, if it is better to squash it with
> > > > > the original, then I can do that and send another patch.
> > > > >
> > > > >
> > > >
> > > > From experience, Andrew will food in fixups on request :)
> > >
> > > Andrew, could you squash this patch into the one titled ("mm: Add an
> > > F_SEAL_FUTURE_WRITE seal to memfd")?
> >
> > Sure.
> >
> > I could of course queue them separately but I rarely do so - I don't
> > think that the intermediate development states are useful in the
> > infinite-term, and I make them available via additional Link: tags in
> > the changelog footers anyway.
> >
> > I think that the magnitude of these patches is such that John Stultz's
> > Reviewed-by is invalidated, so this series is now in the "unreviewed"
> > state.
> >
> > So can we have a re-review please? For convenience, here's the
> > folded-together [1/1] patch, as it will go to Linus.
Sure, I removed the old tags and also provide an updated patch below inline.
> > From: "Joel Fernandes (Google)" <joel at joelfernandes.org>
> > Subject: mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
> >
> > Android uses ashmem for sharing memory regions. We are looking forward to
> > migrating all usecases of ashmem to memfd so that we can possibly remove
> > the ashmem driver in the future from staging while also benefiting from
> > using memfd and contributing to it. Note staging drivers are also not ABI
> > and generally can be removed at anytime.
[...]
> > --- a/include/uapi/linux/fcntl.h~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/include/uapi/linux/fcntl.h
> > @@ -41,6 +41,7 @@
> > #define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
> > #define F_SEAL_GROW 0x0004 /* prevent file from growing */
> > #define F_SEAL_WRITE 0x0008 /* prevent writes */
> > +#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
> > /* (1U << 31) is reserved for signed error codes */
> >
> > /*
> > --- a/mm/memfd.c~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/mm/memfd.c
> > @@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_pt
> > #define F_ALL_SEALS (F_SEAL_SEAL | \
> > F_SEAL_SHRINK | \
> > F_SEAL_GROW | \
> > - F_SEAL_WRITE)
> > + F_SEAL_WRITE | \
> > + F_SEAL_FUTURE_WRITE)
> >
> > static int memfd_add_seals(struct file *file, unsigned int seals)
> > {
> > --- a/fs/hugetlbfs/inode.c~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/fs/hugetlbfs/inode.c
> > @@ -530,7 +530,7 @@ static long hugetlbfs_punch_hole(struct
> > inode_lock(inode);
> >
> > /* protected by i_mutex */
> > - if (info->seals & F_SEAL_WRITE) {
> > + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
> > inode_unlock(inode);
> > return -EPERM;
> > }
> > --- a/mm/shmem.c~mm-add-an-f_seal_future_write-seal-to-memfd
> > +++ a/mm/shmem.c
> > @@ -2119,6 +2119,23 @@ out_nomem:
> >
> > static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
> > {
> > + struct shmem_inode_info *info = SHMEM_I(file_inode(file));
> > +
> > + /*
> > + * New PROT_READ and MAP_SHARED mmaps are not allowed when "future
>
> PROT_WRITE, perhaps?
Yes, fixed.
> > + * write" seal active.
> > + */
> > + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) &&
> > + (info->seals & F_SEAL_FUTURE_WRITE))
> > + return -EPERM;
> > +
> > + /*
> > + * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only
> > + * mapping, take care to not allow mprotect to revert protections.
> > + */
> > + if (info->seals & F_SEAL_FUTURE_WRITE)
> > + vma->vm_flags &= ~(VM_MAYWRITE);
> > +
>
> This might all be clearer as:
>
> if (info->seals & F_SEAL_FUTURE_WRITE) {
> if (vma->vm_flags ...)
> return -EPERM;
> vma->vm_flags &= ~VM_MAYWRITE;
> }
>
> with appropriate comments inserted.
Agreed, its simpler. Updated patch is below. I squashed it with all the
earlier ones. Andy, could you provide Acks and/or Reviewed-by tag as well?
---8<-----------------------
>From b5a4960e755af67e9f6f9e65db5113e712cf338e Mon Sep 17 00:00:00 2001
From: "Joel Fernandes (Google)" <joel at joelfernandes.org>
Date: Sat, 10 Nov 2018 22:21:31 -0800
Subject: [PATCH v4] mm/memfd: Add an F_SEAL_FUTURE_WRITE seal to memfd
Android uses ashmem for sharing memory regions. We are looking forward to
migrating all usecases of ashmem to memfd so that we can possibly remove
the ashmem driver in the future from staging while also benefiting from
using memfd and contributing to it. Note staging drivers are also not ABI
and generally can be removed at anytime.
One of the main usecases Android has is the ability to create a region and
mmap it as writeable, then add protection against making any "future"
writes while keeping the existing already mmap'ed writeable-region active.
This allows us to implement a usecase where receivers of the shared
memory buffer can get a read-only view, while the sender continues to
write to the buffer. See CursorWindow documentation in Android for more
details:
https://developer.android.com/reference/android/database/CursorWindow
This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
which prevents any future mmap and write syscalls from succeeding while
keeping the existing mmap active.
A better way to do F_SEAL_FUTURE_WRITE seal was discussed [1] last week
where we don't need to modify core VFS structures to get the same
behavior of the seal. This solves several side-effects pointed by Andy.
self-tests are provided in later patch to verify the expected semantics.
[1] https://lore.kernel.org/lkml/20181111173650.GA256781 at google.com/
Suggested-by: Andy Lutomirski <luto at kernel.org>
Signed-off-by: Joel Fernandes (Google) <joel at joelfernandes.org>
---
fs/hugetlbfs/inode.c | 2 +-
include/uapi/linux/fcntl.h | 1 +
mm/memfd.c | 3 ++-
mm/shmem.c | 26 +++++++++++++++++++++++---
4 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index 762028994f47..5b54bf893a67 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -558,7 +558,7 @@ static long hugetlbfs_punch_hole(struct inode *inode, loff_t offset, loff_t len)
inode_lock(inode);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
inode_unlock(inode);
return -EPERM;
}
diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h
index 594b85f7cb86..1d338357df8a 100644
--- a/include/uapi/linux/fcntl.h
+++ b/include/uapi/linux/fcntl.h
@@ -41,6 +41,7 @@
#define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
#define F_SEAL_GROW 0x0004 /* prevent file from growing */
#define F_SEAL_WRITE 0x0008 /* prevent writes */
+#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
/* (1U << 31) is reserved for signed error codes */
/*
diff --git a/mm/memfd.c b/mm/memfd.c
index 97264c79d2cd..650e65a46b9c 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -131,7 +131,8 @@ static unsigned int *memfd_file_seals_ptr(struct file *file)
#define F_ALL_SEALS (F_SEAL_SEAL | \
F_SEAL_SHRINK | \
F_SEAL_GROW | \
- F_SEAL_WRITE)
+ F_SEAL_WRITE | \
+ F_SEAL_FUTURE_WRITE)
static int memfd_add_seals(struct file *file, unsigned int seals)
{
diff --git a/mm/shmem.c b/mm/shmem.c
index 32eb29bd72c6..f5069e8225cc 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2121,6 +2121,25 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)
static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
{
+ struct shmem_inode_info *info = SHMEM_I(file_inode(file));
+
+
+ if (info->seals & F_SEAL_FUTURE_WRITE) {
+ /*
+ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+ * "future write" seal active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+ return -EPERM;
+
+ /*
+ * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED
+ * read-only mapping, take care to not allow mprotect to revert
+ * protections.
+ */
+ vma->vm_flags &= ~(VM_MAYWRITE);
+ }
+
file_accessed(file);
vma->vm_ops = &shmem_vm_ops;
if (IS_ENABLED(CONFIG_TRANSPARENT_HUGE_PAGECACHE) &&
@@ -2346,8 +2365,9 @@ shmem_write_begin(struct file *file, struct address_space *mapping,
pgoff_t index = pos >> PAGE_SHIFT;
/* i_mutex is held by caller */
- if (unlikely(info->seals & (F_SEAL_WRITE | F_SEAL_GROW))) {
- if (info->seals & F_SEAL_WRITE)
+ if (unlikely(info->seals & (F_SEAL_GROW |
+ F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))
return -EPERM;
if ((info->seals & F_SEAL_GROW) && pos + len > inode->i_size)
return -EPERM;
@@ -2610,7 +2630,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);
/* protected by i_mutex */
- if (info->seals & F_SEAL_WRITE) {
+ if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
error = -EPERM;
goto out;
}
--
2.19.1.1215.g8438c0b245-goog
^ permalink raw reply related [flat|nested] 62+ messages in thread
* Re: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
2018-11-22 23:09 ` joel
(?)
(?)
@ 2018-11-25 0:42 ` akpm
-1 siblings, 0 replies; 62+ messages in thread
From: Andrew Morton @ 2018-11-25 0:42 UTC (permalink / raw)
To: Joel Fernandes
Cc: Andy Lutomirski, Stephen Rothwell, LKML, Hugh Dickins, Jann Horn,
Khalid Aziz, Linux API, open list:KERNEL SELFTEST FRAMEWORK,
Linux-MM, marcandre.lureau, Matthew Wilcox, Mike Kravetz,
Shuah Khan
On Thu, 22 Nov 2018 15:09:06 -0800 Joel Fernandes <joel@joelfernandes.org> wrote:
> Android uses ashmem for sharing memory regions. We are looking forward to
> migrating all usecases of ashmem to memfd so that we can possibly remove
> the ashmem driver in the future from staging while also benefiting from
> using memfd and contributing to it. Note staging drivers are also not ABI
> and generally can be removed at anytime.
>
> One of the main usecases Android has is the ability to create a region and
> mmap it as writeable, then add protection against making any "future"
> writes while keeping the existing already mmap'ed writeable-region active.
> This allows us to implement a usecase where receivers of the shared
> memory buffer can get a read-only view, while the sender continues to
> write to the buffer. See CursorWindow documentation in Android for more
> details:
> https://developer.android.com/reference/android/database/CursorWindow
>
> This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
> To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
> which prevents any future mmap and write syscalls from succeeding while
> keeping the existing mmap active.
>
> A better way to do F_SEAL_FUTURE_WRITE seal was discussed [1] last week
> where we don't need to modify core VFS structures to get the same
> behavior of the seal. This solves several side-effects pointed by Andy.
> self-tests are provided in later patch to verify the expected semantics.
>
> [1] https://lore.kernel.org/lkml/20181111173650.GA256781@google.com/
This changelog doesn't have the nifty test case code which was in
earlier versions?
^ permalink raw reply [flat|nested] 62+ messages in thread
* Re: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-25 0:42 ` akpm
0 siblings, 0 replies; 62+ messages in thread
From: Andrew Morton @ 2018-11-25 0:42 UTC (permalink / raw)
To: Joel Fernandes
Cc: Andy Lutomirski, Stephen Rothwell, LKML, Hugh Dickins, Jann Horn,
Khalid Aziz, Linux API, open list:KERNEL SELFTEST FRAMEWORK,
Linux-MM, marcandre.lureau, Matthew Wilcox, Mike Kravetz,
Shuah Khan
On Thu, 22 Nov 2018 15:09:06 -0800 Joel Fernandes <joel@joelfernandes.org> wrote:
> Android uses ashmem for sharing memory regions. We are looking forward to
> migrating all usecases of ashmem to memfd so that we can possibly remove
> the ashmem driver in the future from staging while also benefiting from
> using memfd and contributing to it. Note staging drivers are also not ABI
> and generally can be removed at anytime.
>
> One of the main usecases Android has is the ability to create a region and
> mmap it as writeable, then add protection against making any "future"
> writes while keeping the existing already mmap'ed writeable-region active.
> This allows us to implement a usecase where receivers of the shared
> memory buffer can get a read-only view, while the sender continues to
> write to the buffer. See CursorWindow documentation in Android for more
> details:
> https://developer.android.com/reference/android/database/CursorWindow
>
> This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
> To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
> which prevents any future mmap and write syscalls from succeeding while
> keeping the existing mmap active.
>
> A better way to do F_SEAL_FUTURE_WRITE seal was discussed [1] last week
> where we don't need to modify core VFS structures to get the same
> behavior of the seal. This solves several side-effects pointed by Andy.
> self-tests are provided in later patch to verify the expected semantics.
>
> [1] https://lore.kernel.org/lkml/20181111173650.GA256781@google.com/
This changelog doesn't have the nifty test case code which was in
earlier versions?
^ permalink raw reply [flat|nested] 62+ messages in thread
* [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-25 0:42 ` akpm
0 siblings, 0 replies; 62+ messages in thread
From: Andrew Morton @ 2018-11-25 0:42 UTC (permalink / raw)
On Thu, 22 Nov 2018 15:09:06 -0800 Joel Fernandes <joel@joelfernandes.org> wrote:
> Android uses ashmem for sharing memory regions. We are looking forward to
> migrating all usecases of ashmem to memfd so that we can possibly remove
> the ashmem driver in the future from staging while also benefiting from
> using memfd and contributing to it. Note staging drivers are also not ABI
> and generally can be removed at anytime.
>
> One of the main usecases Android has is the ability to create a region and
> mmap it as writeable, then add protection against making any "future"
> writes while keeping the existing already mmap'ed writeable-region active.
> This allows us to implement a usecase where receivers of the shared
> memory buffer can get a read-only view, while the sender continues to
> write to the buffer. See CursorWindow documentation in Android for more
> details:
> https://developer.android.com/reference/android/database/CursorWindow
>
> This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
> To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
> which prevents any future mmap and write syscalls from succeeding while
> keeping the existing mmap active.
>
> A better way to do F_SEAL_FUTURE_WRITE seal was discussed [1] last week
> where we don't need to modify core VFS structures to get the same
> behavior of the seal. This solves several side-effects pointed by Andy.
> self-tests are provided in later patch to verify the expected semantics.
>
> [1] https://lore.kernel.org/lkml/20181111173650.GA256781 at google.com/
This changelog doesn't have the nifty test case code which was in
earlier versions?
^ permalink raw reply [flat|nested] 62+ messages in thread
* [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-25 0:42 ` akpm
0 siblings, 0 replies; 62+ messages in thread
From: akpm @ 2018-11-25 0:42 UTC (permalink / raw)
On Thu, 22 Nov 2018 15:09:06 -0800 Joel Fernandes <joel at joelfernandes.org> wrote:
> Android uses ashmem for sharing memory regions. We are looking forward to
> migrating all usecases of ashmem to memfd so that we can possibly remove
> the ashmem driver in the future from staging while also benefiting from
> using memfd and contributing to it. Note staging drivers are also not ABI
> and generally can be removed at anytime.
>
> One of the main usecases Android has is the ability to create a region and
> mmap it as writeable, then add protection against making any "future"
> writes while keeping the existing already mmap'ed writeable-region active.
> This allows us to implement a usecase where receivers of the shared
> memory buffer can get a read-only view, while the sender continues to
> write to the buffer. See CursorWindow documentation in Android for more
> details:
> https://developer.android.com/reference/android/database/CursorWindow
>
> This usecase cannot be implemented with the existing F_SEAL_WRITE seal.
> To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal
> which prevents any future mmap and write syscalls from succeeding while
> keeping the existing mmap active.
>
> A better way to do F_SEAL_FUTURE_WRITE seal was discussed [1] last week
> where we don't need to modify core VFS structures to get the same
> behavior of the seal. This solves several side-effects pointed by Andy.
> self-tests are provided in later patch to verify the expected semantics.
>
> [1] https://lore.kernel.org/lkml/20181111173650.GA256781 at google.com/
This changelog doesn't have the nifty test case code which was in
earlier versions?
^ permalink raw reply [flat|nested] 62+ messages in thread
* Re: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
2018-11-25 0:42 ` akpm
(?)
(?)
@ 2018-11-25 0:47 ` willy
-1 siblings, 0 replies; 62+ messages in thread
From: Matthew Wilcox @ 2018-11-25 0:47 UTC (permalink / raw)
To: Andrew Morton
Cc: Joel Fernandes, Andy Lutomirski, Stephen Rothwell, LKML,
Hugh Dickins, Jann Horn, Khalid Aziz, Linux API,
open list:KERNEL SELFTEST FRAMEWORK, Linux-MM, marcandre.lureau,
Mike Kravetz, Shuah Khan
On Sat, Nov 24, 2018 at 04:42:29PM -0800, Andrew Morton wrote:
> This changelog doesn't have the nifty test case code which was in
> earlier versions?
Why do we put regression tests in the changelogs anyway? We have
tools/testing/selftests/vm/ already, perhaps they should go there?
^ permalink raw reply [flat|nested] 62+ messages in thread
* Re: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-25 0:47 ` willy
0 siblings, 0 replies; 62+ messages in thread
From: Matthew Wilcox @ 2018-11-25 0:47 UTC (permalink / raw)
To: Andrew Morton
Cc: Joel Fernandes, Andy Lutomirski, Stephen Rothwell, LKML,
Hugh Dickins, Jann Horn, Khalid Aziz, Linux API,
open list:KERNEL SELFTEST FRAMEWORK, Linux-MM, marcandre.lureau,
Mike Kravetz, Shuah Khan
On Sat, Nov 24, 2018 at 04:42:29PM -0800, Andrew Morton wrote:
> This changelog doesn't have the nifty test case code which was in
> earlier versions?
Why do we put regression tests in the changelogs anyway? We have
tools/testing/selftests/vm/ already, perhaps they should go there?
^ permalink raw reply [flat|nested] 62+ messages in thread
* [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-25 0:47 ` willy
0 siblings, 0 replies; 62+ messages in thread
From: Matthew Wilcox @ 2018-11-25 0:47 UTC (permalink / raw)
On Sat, Nov 24, 2018@04:42:29PM -0800, Andrew Morton wrote:
> This changelog doesn't have the nifty test case code which was in
> earlier versions?
Why do we put regression tests in the changelogs anyway? We have
tools/testing/selftests/vm/ already, perhaps they should go there?
^ permalink raw reply [flat|nested] 62+ messages in thread
* [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-25 0:47 ` willy
0 siblings, 0 replies; 62+ messages in thread
From: willy @ 2018-11-25 0:47 UTC (permalink / raw)
On Sat, Nov 24, 2018 at 04:42:29PM -0800, Andrew Morton wrote:
> This changelog doesn't have the nifty test case code which was in
> earlier versions?
Why do we put regression tests in the changelogs anyway? We have
tools/testing/selftests/vm/ already, perhaps they should go there?
^ permalink raw reply [flat|nested] 62+ messages in thread
* Re: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
2018-11-25 0:47 ` willy
(?)
(?)
@ 2018-11-26 13:35 ` joel
-1 siblings, 0 replies; 62+ messages in thread
From: Joel Fernandes @ 2018-11-26 13:35 UTC (permalink / raw)
To: Matthew Wilcox
Cc: Andrew Morton, Andy Lutomirski, Stephen Rothwell, LKML,
Hugh Dickins, Jann Horn, Khalid Aziz, Linux API,
open list:KERNEL SELFTEST FRAMEWORK, Linux-MM, marcandre.lureau,
Mike Kravetz, Shuah Khan
On Sat, Nov 24, 2018 at 04:47:36PM -0800, Matthew Wilcox wrote:
> On Sat, Nov 24, 2018 at 04:42:29PM -0800, Andrew Morton wrote:
> > This changelog doesn't have the nifty test case code which was in
> > earlier versions?
>
> Why do we put regression tests in the changelogs anyway? We have
> tools/testing/selftests/vm/ already, perhaps they should go there?
The reason is I didn't add it was that test case went out of date and the
updated version of the test case went into the selftests in patch 2/2. I
thought that would suffice which covers all the cases. That's why I dropped
it. Would that be Ok?
The changelog of the previous series had it because the selftest was added
only later.
Let me know, thanks,
- Joel
^ permalink raw reply [flat|nested] 62+ messages in thread
* Re: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-26 13:35 ` joel
0 siblings, 0 replies; 62+ messages in thread
From: Joel Fernandes @ 2018-11-26 13:35 UTC (permalink / raw)
To: Matthew Wilcox
Cc: Andrew Morton, Andy Lutomirski, Stephen Rothwell, LKML,
Hugh Dickins, Jann Horn, Khalid Aziz, Linux API,
open list:KERNEL SELFTEST FRAMEWORK, Linux-MM, marcandre.lureau,
Mike Kravetz, Shuah Khan
On Sat, Nov 24, 2018 at 04:47:36PM -0800, Matthew Wilcox wrote:
> On Sat, Nov 24, 2018 at 04:42:29PM -0800, Andrew Morton wrote:
> > This changelog doesn't have the nifty test case code which was in
> > earlier versions?
>
> Why do we put regression tests in the changelogs anyway? We have
> tools/testing/selftests/vm/ already, perhaps they should go there?
The reason is I didn't add it was that test case went out of date and the
updated version of the test case went into the selftests in patch 2/2. I
thought that would suffice which covers all the cases. That's why I dropped
it. Would that be Ok?
The changelog of the previous series had it because the selftest was added
only later.
Let me know, thanks,
- Joel
^ permalink raw reply [flat|nested] 62+ messages in thread
* [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-26 13:35 ` joel
0 siblings, 0 replies; 62+ messages in thread
From: Joel Fernandes @ 2018-11-26 13:35 UTC (permalink / raw)
On Sat, Nov 24, 2018@04:47:36PM -0800, Matthew Wilcox wrote:
> On Sat, Nov 24, 2018@04:42:29PM -0800, Andrew Morton wrote:
> > This changelog doesn't have the nifty test case code which was in
> > earlier versions?
>
> Why do we put regression tests in the changelogs anyway? We have
> tools/testing/selftests/vm/ already, perhaps they should go there?
The reason is I didn't add it was that test case went out of date and the
updated version of the test case went into the selftests in patch 2/2. I
thought that would suffice which covers all the cases. That's why I dropped
it. Would that be Ok?
The changelog of the previous series had it because the selftest was added
only later.
Let me know, thanks,
- Joel
^ permalink raw reply [flat|nested] 62+ messages in thread
* [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust
@ 2018-11-26 13:35 ` joel
0 siblings, 0 replies; 62+ messages in thread
From: joel @ 2018-11-26 13:35 UTC (permalink / raw)
On Sat, Nov 24, 2018 at 04:47:36PM -0800, Matthew Wilcox wrote:
> On Sat, Nov 24, 2018 at 04:42:29PM -0800, Andrew Morton wrote:
> > This changelog doesn't have the nifty test case code which was in
> > earlier versions?
>
> Why do we put regression tests in the changelogs anyway? We have
> tools/testing/selftests/vm/ already, perhaps they should go there?
The reason is I didn't add it was that test case went out of date and the
updated version of the test case went into the selftests in patch 2/2. I
thought that would suffice which covers all the cases. That's why I dropped
it. Would that be Ok?
The changelog of the previous series had it because the selftest was added
only later.
Let me know, thanks,
- Joel
^ permalink raw reply [flat|nested] 62+ messages in thread