From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: Dave Hansen <dave@sr71.net>, linux-kernel@vger.kernel.org
Cc: mtk.manpages@gmail.com, linux-mm@kvack.org, x86@kernel.org,
dave.hansen@linux.intel.com, linux-api@vger.kernel.org
Subject: Re: [PATCH 26/34] mm: implement new mprotect_key() system call
Date: Sat, 05 Dec 2015 07:50:51 +0100 [thread overview]
Message-ID: <5662894B.7090903@gmail.com> (raw)
In-Reply-To: <20151204011500.69487A6C@viggo.jf.intel.com>
Dave,
On 12/04/2015 02:15 AM, Dave Hansen wrote:
> From: Dave Hansen <dave.hansen@linux.intel.com>
>
> mprotect_key() is just like mprotect, except it also takes a
> protection key as an argument. On systems that do not support
> protection keys, it still works, but requires that key=0.
> Otherwise it does exactly what mprotect does.
Is there a man page for this API?
Thanks,
Michael
> I expect it to get used like this, if you want to guarantee that
> any mapping you create can *never* be accessed without the right
> protection keys set up.
>
> pkey_deny_access(11); // random pkey
> int real_prot = PROT_READ|PROT_WRITE;
> ptr = mmap(NULL, PAGE_SIZE, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
> ret = mprotect_key(ptr, PAGE_SIZE, real_prot, 11);
>
> This way, there is *no* window where the mapping is accessible
> since it was always either PROT_NONE or had a protection key set.
>
> We settled on 'unsigned long' for the type of the key here. We
> only need 4 bits on x86 today, but I figured that other
> architectures might need some more space.
>
> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: linux-api@vger.kernel.org
> ---
>
> b/arch/x86/include/asm/mmu_context.h | 10 +++++++--
> b/include/linux/pkeys.h | 7 +++++-
> b/mm/Kconfig | 7 ++++++
> b/mm/mprotect.c | 36 +++++++++++++++++++++++++++++------
> 4 files changed, 51 insertions(+), 9 deletions(-)
>
> diff -puN arch/x86/include/asm/mmu_context.h~pkeys-85-mprotect_pkey arch/x86/include/asm/mmu_context.h
> --- a/arch/x86/include/asm/mmu_context.h~pkeys-85-mprotect_pkey 2015-12-03 16:21:30.181877894 -0800
> +++ b/arch/x86/include/asm/mmu_context.h 2015-12-03 16:21:30.190878302 -0800
> @@ -4,6 +4,7 @@
> #include <asm/desc.h>
> #include <linux/atomic.h>
> #include <linux/mm_types.h>
> +#include <linux/pkeys.h>
>
> #include <trace/events/tlb.h>
>
> @@ -243,10 +244,14 @@ static inline void arch_unmap(struct mm_
> mpx_notify_unmap(mm, vma, start, end);
> }
>
> +#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
> +/*
> + * If the config option is off, we get the generic version from
> + * include/linux/pkeys.h.
> + */
> static inline int vma_pkey(struct vm_area_struct *vma)
> {
> u16 pkey = 0;
> -#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
> unsigned long vma_pkey_mask = VM_PKEY_BIT0 | VM_PKEY_BIT1 |
> VM_PKEY_BIT2 | VM_PKEY_BIT3;
> /*
> @@ -259,9 +264,10 @@ static inline int vma_pkey(struct vm_are
> */
> pkey = (vma->vm_flags >> vm_pkey_shift) &
> (vma_pkey_mask >> vm_pkey_shift);
> -#endif
> +
> return pkey;
> }
> +#endif
>
> static inline bool __pkru_allows_pkey(u16 pkey, bool write)
> {
> diff -puN include/linux/pkeys.h~pkeys-85-mprotect_pkey include/linux/pkeys.h
> --- a/include/linux/pkeys.h~pkeys-85-mprotect_pkey 2015-12-03 16:21:30.183877985 -0800
> +++ b/include/linux/pkeys.h 2015-12-03 16:21:30.190878302 -0800
> @@ -2,10 +2,10 @@
> #define _LINUX_PKEYS_H
>
> #include <linux/mm_types.h>
> -#include <asm/mmu_context.h>
>
> #ifdef CONFIG_ARCH_HAS_PKEYS
> #include <asm/pkeys.h>
> +#include <asm/mmu_context.h>
> #else /* ! CONFIG_ARCH_HAS_PKEYS */
>
> /*
> @@ -17,6 +17,11 @@ static inline bool arch_validate_pkey(in
> {
> return true;
> }
> +
> +static inline int vma_pkey(struct vm_area_struct *vma)
> +{
> + return 0;
> +}
> #endif /* ! CONFIG_ARCH_HAS_PKEYS */
>
> #endif /* _LINUX_PKEYS_H */
> diff -puN mm/Kconfig~pkeys-85-mprotect_pkey mm/Kconfig
> --- a/mm/Kconfig~pkeys-85-mprotect_pkey 2015-12-03 16:21:30.185878075 -0800
> +++ b/mm/Kconfig 2015-12-03 16:21:30.190878302 -0800
> @@ -673,3 +673,10 @@ config ARCH_USES_HIGH_VMA_FLAGS
> bool
> config ARCH_HAS_PKEYS
> bool
> +
> +config NR_PROTECTION_KEYS
> + int
> + # Everything supports a _single_ key, so allow folks to
> + # at least call APIs that take keys, but require that the
> + # key be 0.
> + default 1
> diff -puN mm/mprotect.c~pkeys-85-mprotect_pkey mm/mprotect.c
> --- a/mm/mprotect.c~pkeys-85-mprotect_pkey 2015-12-03 16:21:30.186878121 -0800
> +++ b/mm/mprotect.c 2015-12-03 16:21:30.191878347 -0800
> @@ -24,6 +24,7 @@
> #include <linux/migrate.h>
> #include <linux/perf_event.h>
> #include <linux/ksm.h>
> +#include <linux/pkeys.h>
> #include <asm/uaccess.h>
> #include <asm/pgtable.h>
> #include <asm/cacheflush.h>
> @@ -344,10 +345,13 @@ fail:
> return error;
> }
>
> -SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
> - unsigned long, prot)
> +/*
> + * pkey=-1 when doing a legacy mprotect()
> + */
> +static int do_mprotect_pkey(unsigned long start, size_t len,
> + unsigned long prot, int pkey)
> {
> - unsigned long vm_flags, nstart, end, tmp, reqprot;
> + unsigned long nstart, end, tmp, reqprot;
> struct vm_area_struct *vma, *prev;
> int error = -EINVAL;
> const int grows = prot & (PROT_GROWSDOWN|PROT_GROWSUP);
> @@ -373,8 +377,6 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
> if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
> prot |= PROT_EXEC;
>
> - vm_flags = calc_vm_prot_bits(prot, 0);
> -
> down_write(¤t->mm->mmap_sem);
>
> vma = find_vma(current->mm, start);
> @@ -407,7 +409,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
>
> /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
>
> - newflags = vm_flags;
> + /*
> + * If this is a vanilla, non-pkey mprotect, inherit the
> + * pkey from the VMA we are working on.
> + */
> + if (pkey == -1)
> + newflags = calc_vm_prot_bits(prot, vma_pkey(vma));
> + else
> + newflags = calc_vm_prot_bits(prot, pkey);
> newflags |= (vma->vm_flags & ~(VM_READ | VM_WRITE | VM_EXEC));
>
> /* newflags >> 4 shift VM_MAY% in place of VM_% */
> @@ -443,3 +452,18 @@ out:
> up_write(¤t->mm->mmap_sem);
> return error;
> }
> +
> +SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
> + unsigned long, prot)
> +{
> + return do_mprotect_pkey(start, len, prot, -1);
> +}
> +
> +SYSCALL_DEFINE4(pkey_mprotect, unsigned long, start, size_t, len,
> + unsigned long, prot, int, pkey)
> +{
> + if (!arch_validate_pkey(pkey))
> + return -EINVAL;
> +
> + return do_mprotect_pkey(start, len, prot, pkey);
> +}
> _
> --
> To unsubscribe from this list: send the line "unsubscribe linux-api" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
next prev parent reply other threads:[~2015-12-05 6:50 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-04 1:14 [PATCH 00/34] x86: Memory Protection Keys (v5) Dave Hansen
2015-12-04 1:14 ` [PATCH 01/34] mm, gup: introduce concept of "foreign" get_user_pages() Dave Hansen
2015-12-04 1:14 ` [PATCH 02/34] x86, fpu: add placeholder for Processor Trace XSAVE state Dave Hansen
2015-12-04 1:14 ` [PATCH 03/34] x86, pkeys: Add Kconfig option Dave Hansen
2015-12-04 1:14 ` [PATCH 04/34] x86, pkeys: cpuid bit definition Dave Hansen
2015-12-04 1:14 ` [PATCH 05/34] x86, pkeys: define new CR4 bit Dave Hansen
2015-12-04 1:14 ` [PATCH 06/34] x86, pkeys: add PKRU xsave fields and data structure(s) Dave Hansen
2015-12-04 1:14 ` [PATCH 07/34] x86, pkeys: PTE bits for storing protection key Dave Hansen
2015-12-04 1:14 ` [PATCH 08/34] x86, pkeys: new page fault error code bit: PF_PK Dave Hansen
2015-12-04 1:14 ` [PATCH 09/34] x86, pkeys: store protection in high VMA flags Dave Hansen
2015-12-08 14:17 ` Thomas Gleixner
2015-12-04 1:14 ` [PATCH 10/34] x86, pkeys: arch-specific protection bits Dave Hansen
2015-12-08 15:15 ` [PATCH 10/34] x86, pkeys: arch-specific protection bitsy Thomas Gleixner
2015-12-08 16:34 ` Dave Hansen
2015-12-08 17:24 ` Thomas Gleixner
2015-12-08 18:06 ` Dave Hansen
2015-12-08 18:29 ` Thomas Gleixner
2015-12-08 18:35 ` Thomas Gleixner
2015-12-04 1:14 ` [PATCH 11/34] x86, pkeys: pass VMA down in to fault signal generation code Dave Hansen
2015-12-04 1:14 ` [PATCH 12/34] signals, pkeys: notify userspace about protection key faults Dave Hansen
2015-12-04 1:14 ` [PATCH 13/34] x86, pkeys: fill in pkey field in siginfo Dave Hansen
2015-12-04 1:14 ` [PATCH 14/34] x86, pkeys: add functions to fetch PKRU Dave Hansen
2015-12-08 15:18 ` Thomas Gleixner
2015-12-04 1:14 ` [PATCH 15/34] mm: factor out VMA fault permission checking Dave Hansen
2015-12-08 17:26 ` Thomas Gleixner
2015-12-04 1:14 ` [PATCH 16/34] x86, mm: simplify get_user_pages() PTE bit handling Dave Hansen
2015-12-08 18:01 ` Thomas Gleixner
2015-12-08 18:30 ` Dave Hansen
2015-12-04 1:14 ` [PATCH 17/34] x86, pkeys: check VMAs and PTEs for protection keys Dave Hansen
2015-12-08 18:11 ` Thomas Gleixner
2015-12-04 1:14 ` [PATCH 18/34] mm: add gup flag to indicate "foreign" mm access Dave Hansen
2015-12-04 1:14 ` [PATCH 19/34] x86, pkeys: optimize fault handling in access_error() Dave Hansen
2015-12-08 18:14 ` Thomas Gleixner
2015-12-04 1:14 ` [PATCH 20/34] x86, pkeys: differentiate instruction fetches Dave Hansen
2015-12-08 18:17 ` Thomas Gleixner
2015-12-04 1:14 ` [PATCH 21/34] x86, pkeys: dump PKRU with other kernel registers Dave Hansen
2015-12-08 18:19 ` Thomas Gleixner
2015-12-04 1:14 ` [PATCH 22/34] x86, pkeys: dump PTE pkey in /proc/pid/smaps Dave Hansen
2015-12-08 18:20 ` Thomas Gleixner
2015-12-04 1:14 ` [PATCH 23/34] x86, pkeys: add Kconfig prompt to existing config option Dave Hansen
2015-12-08 18:21 ` Thomas Gleixner
2015-12-04 1:14 ` [PATCH 24/34] mm, multi-arch: pass a protection key in to calc_vm_flag_bits() Dave Hansen
2015-12-04 1:14 ` [PATCH 25/34] x86, pkeys: add arch_validate_pkey() Dave Hansen
2015-12-08 18:39 ` Thomas Gleixner
2015-12-04 1:15 ` [PATCH 26/34] mm: implement new mprotect_key() system call Dave Hansen
2015-12-05 6:50 ` Michael Kerrisk (man-pages) [this message]
2015-12-07 16:44 ` Dave Hansen
2015-12-09 11:08 ` Michael Kerrisk (man-pages)
2015-12-09 15:48 ` Dave Hansen
2015-12-09 16:45 ` Michael Kerrisk (man-pages)
2015-12-09 17:05 ` Dave Hansen
2015-12-11 20:13 ` Michael Kerrisk (man-pages)
2015-12-04 1:15 ` [PATCH 27/34] x86, pkeys: make mprotect_key() mask off additional vm_flags Dave Hansen
2015-12-08 18:41 ` Thomas Gleixner
2015-12-04 1:15 ` [PATCH 28/34] x86: wire up mprotect_key() system call Dave Hansen
2015-12-08 18:44 ` Thomas Gleixner
2015-12-08 19:06 ` Dave Hansen
2015-12-08 20:38 ` Thomas Gleixner
2015-12-04 1:15 ` [PATCH 29/34] x86: separate out LDT init from context init Dave Hansen
2015-12-08 18:45 ` Thomas Gleixner
2015-12-04 1:15 ` [PATCH 30/34] x86, fpu: allow setting of XSAVE state Dave Hansen
2015-12-08 18:48 ` Thomas Gleixner
2015-12-04 1:15 ` [PATCH 31/34] x86, pkeys: allocation/free syscalls Dave Hansen
2015-12-04 1:15 ` [PATCH 32/34] x86, pkeys: add pkey set/get syscalls Dave Hansen
2015-12-04 1:15 ` [PATCH 33/34] x86, pkeys: actually enable Memory Protection Keys in CPU Dave Hansen
2015-12-04 1:15 ` [PATCH 34/34] x86, pkeys: Documentation Dave Hansen
2015-12-04 23:31 ` [PATCH 00/34] x86: Memory Protection Keys (v5) Andy Lutomirski
2015-12-04 23:38 ` Dave Hansen
2015-12-11 20:16 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5662894B.7090903@gmail.com \
--to=mtk.manpages@gmail.com \
--cc=dave.hansen@linux.intel.com \
--cc=dave@sr71.net \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).