From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1424855AbcFMQDk (ORCPT ); Mon, 13 Jun 2016 12:03:40 -0400 Received: from www.sr71.net ([198.145.64.142]:36041 "EHLO blackbird.sr71.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1424288AbcFMQDj (ORCPT ); Mon, 13 Jun 2016 12:03:39 -0400 Subject: Re: [PATCH 2/9] mm: implement new pkey_mprotect() system call To: Thomas Gleixner References: <20160609000117.71AC7623@viggo.jf.intel.com> <20160609000120.A3DD5140@viggo.jf.intel.com> Cc: linux-kernel@vger.kernel.org, x86@kernel.org, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, torvalds@linux-foundation.org, akpm@linux-foundation.org, dave.hansen@linux.intel.com From: Dave Hansen Message-ID: <575ED958.5060209@sr71.net> Date: Mon, 13 Jun 2016 09:03:36 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06/11/2016 02:47 AM, Thomas Gleixner wrote: > On Wed, 8 Jun 2016, Dave Hansen wrote: >> > Proposed semantics: >> > 1. protection key 0 is special and represents the default, >> > unassigned protection key. It is always allocated. >> > 2. mprotect() never affects a mapping's pkey_mprotect()-assigned >> > protection key. A protection key of 0 (even if set explicitly) >> > represents an unassigned protection key. >> > 2a. mprotect(PROT_EXEC) on a mapping with an assigned protection >> > key may or may not result in a mapping with execute-only >> > properties. pkey_mprotect() plus pkey_set() on all threads >> > should be used to _guarantee_ execute-only semantics. >> > 3. mprotect(PROT_EXEC) may result in an "execute-only" mapping. The >> > kernel will internally attempt to allocate and dedicate a >> > protection key for the purpose of execute-only mappings. This >> > may not be possible in cases where there are no free protection >> > keys available. > Shouldn't we just reserve a protection key for PROT_EXEC unconditionally? Normal userspace does not do PROT_EXEC today. So, today, we'd effectively lose one of our keys by reserving it. Of the folks I've talked to who really want this feature, and *will* actually use it, one of the most common complaints is that there are too few keys. Folks who actively *want* true PROT_EXEC semantics can use the explicit pkey interfaces.