On 12/14/2017 01:17 AM, Ram Pai wrote:
> On Wed, Dec 13, 2017 at 04:40:11PM +0100, Florian Weimer wrote:
>> On 12/13/2017 04:22 PM, Dave Hansen wrote:
>>> On 12/13/2017 07:08 AM, Florian Weimer wrote:
>>>> Okay, this model is really quite different from x86. Is there a
>>>> good reason for the difference?
>>>
>>> Yes, both implementations are simple and take the "natural" behavior.
>>> x86 changes XSAVE-controlled register values on entering a signal, so we
>>> let them be changed (including PKRU). POWER hardware does not do this
>>> to its PKRU-equivalent, so we do not force it to.
>>
>> Why? Is there a technical reason not to have fully-aligned behavior?
>> Can POWER at least implement the original PKEY_ALLOC_SETSIGNAL
>> semantics (reset the access rights for certain keys before switching
>> to the signal handler) in a reasonably efficient manner?
>
> This can be done on POWER. I can also change the behavior on POWER
> to exactly match x86; i.e. reset the value to init value before
> calling the signal handler.

Maybe we can implement a compromise?

Assuming I got the attached patch right, it implements PKRU inheritance in signal handlers, similar to what you intend to implement for POWER. It still restores the PKRU register value upon regular exit from the signal handler, which I think is something we should keep.

I think we still should add a flag, so that applications can easily determine if a kernel has this patch. Setting up a signal handler, sending the signal, and thus checking for inheritance is a bit involved, and we'd have to do this in the dynamic linker before we can use pkeys to harden lazy binding. The flag could just be a no-op, apart from the lack of an EINVAL failure if it is specified.

> But I think, we should clearly define the default behavior, the behavior
> when no flag is specified. Applications tend to rely on default behavior
> and expect the most intuitive behavior to be the default behavior.

Because this feature already shipped on x86, we already have the unspecified signal handler behavior in the wild, and if applications need the new, clearly defined semantics, there has to be a way to detect that the kernel makes this guarantee.

> I tend to think; keeping my biases aside, that the most intuitive
> behavior is to preserve access/write permissions of any key, i.e. not
> reset to the init value. If the application has set the permissions of
> a key to some value, it wouldn't expect anyone to change them,
> irrespective of which context it is in.

Sure, it also fixes the siglongjmp issue:

https://sourceware.org/bugzilla/show_bug.cgi?id=22396

If we do not reset the PKRU register on x86 anymore, a non-pkeys-aware signal handler will not clobber it.

Thanks,
Florian
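The message above notes that detecting signal-handler PKRU inheritance at runtime means installing a handler, raising a signal and inspecting the register from inside the handler. The following is an added example (not code from the thread, the attached patch, or glibc) of that probe on x86 Linux: it allocates a key with the raw `pkey_alloc` syscall, gives that key a non-default rights value, reads PKRU with `RDPKRU` inside a `SIGUSR1` handler, and classifies what the handler saw. Names such as `probe_pkru_inheritance`, `pkey_bits` and `read_pkru` are this example's own; the `.byte` encodings are the documented RDPKRU/WRPKRU opcodes, and the bit layout (two bits per key, AD then WD) and the `PKEY_DISABLE_*` values are the x86 ABI ones. On a machine without pkey support the probe reports unavailability rather than executing RDPKRU, which would fault when CR4.PKE is clear.

```c
/* Added example: probe whether a signal handler inherits the caller's PKRU
 * value (new behaviour) or sees the init value (old x86 behaviour). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* x86 ABI values for a key's two PKRU bits: bit 0 = access-disable (AD),
 * bit 1 = write-disable (WD). Defined here so the example needs no newer
 * <sys/mman.h>. */
#define PKEY_DISABLE_ACCESS_BIT 0x1u
#define PKEY_DISABLE_WRITE_BIT  0x2u

/* Extract the two access-right bits for `key` from a PKRU value. */
static unsigned pkey_bits(uint32_t pkru, int key)
{
    return (pkru >> (2 * key)) & 0x3u;
}

#if defined(__x86_64__) || defined(__i386__)
static uint32_t read_pkru(void)
{
    uint32_t eax, edx;
    /* RDPKRU (0F 01 EE): ECX must be 0; PKRU returned in EAX, EDX cleared. */
    __asm__ volatile(".byte 0x0f,0x01,0xee" : "=a"(eax), "=d"(edx) : "c"(0));
    return eax;
}

static void write_pkru(uint32_t val)
{
    /* WRPKRU (0F 01 EF): new PKRU in EAX; ECX and EDX must be 0. */
    __asm__ volatile(".byte 0x0f,0x01,0xef" : : "a"(val), "c"(0), "d"(0) : "memory");
}
#endif

static volatile uint32_t pkru_seen_in_handler;

static void probe_handler(int sig)
{
    (void)sig;
#if defined(__x86_64__) || defined(__i386__)
    /* A single register read is async-signal-safe. */
    pkru_seen_in_handler = read_pkru();
#endif
}

/* Returns -1 if pkeys are unavailable (non-x86 build, old kernel headers, or
 * pkey_alloc failing on this CPU/kernel), 1 if the handler inherited the
 * caller's rights for the probe key, 0 if it saw the init value (key
 * access-disabled), and 2 for anything else, including PKRU not being
 * restored on return from the handler. */
int probe_pkru_inheritance(void)
{
#if (defined(__x86_64__) || defined(__i386__)) && defined(SYS_pkey_alloc)
    long key = syscall(SYS_pkey_alloc, 0UL, 0UL);
    if (key < 0)
        return -1;

    uint32_t saved = read_pkru();
    /* Give the probe key WD only: the init value would set AD for it. */
    uint32_t mine = (saved & ~(0x3u << (2 * key)))
                  | (PKEY_DISABLE_WRITE_BIT << (2 * key));
    write_pkru(mine);

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGUSR1, &sa, &old);
    pkru_seen_in_handler = 0xffffffffu;   /* sentinel: handler did not run */
    raise(SIGUSR1);
    sigaction(SIGUSR1, &old, NULL);

    uint32_t after = read_pkru();
    write_pkru(saved);
    syscall(SYS_pkey_free, key);

    if (after != mine)
        return 2;   /* sigreturn did not restore the caller's PKRU */
    unsigned in_handler = pkey_bits(pkru_seen_in_handler, (int)key);
    if (in_handler == PKEY_DISABLE_WRITE_BIT)
        return 1;   /* inherited */
    if (in_handler == PKEY_DISABLE_ACCESS_BIT)
        return 0;   /* reset to init value */
    return 2;
#else
    return -1;
#endif
}

int main(void)
{
    printf("pkru inheritance probe: %d\n", probe_pkru_inheritance());
    return 0;
}
```

The probe only tells an application which behaviour this kernel has; it is exactly the dance the message says a dynamic linker would rather avoid, which is the argument for a cheap capability flag alongside the behaviour change.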