From patchwork Wed Feb 12 03:21:49 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Xu <jeffxu@chromium.org>
X-Patchwork-Id: 13971195
Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com
 [209.85.214.171])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8AF321D95A9
	for <linux-hardening@vger.kernel.org>; Wed, 12 Feb 2025 03:21:58 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.171
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330520; cv=none;
 b=SOfBTNnlQhlrfNW1JtbSRwcY+0YxCrkiJeNtXI3Q3BXQDuAwkPWMD1LvgoUMwqUwkacfOLBLqXqlM/iahVq7l7bsRVuph+QBw1Q3m57WztoOcUe1lWsROxondBU2lKLOkLcOaZ5eJPd1GD0BWEGJnXNBK6XPSuPnRV3/sdDQ1zk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330520; c=relaxed/simple;
	bh=3VXEI9CDqujeRW1KtdOvB9JLbbeUVXm1g3iGikU4Xtw=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=QrlVr2tIAu9vW9XV0O5M9kn2YRiWe2WIRxxfQaYAPn+K6GNX314IQM3uBRXJxlD6/zC/ehSfeTFtcbhr28JPXFfnPquZ5xJy++XhTifDxa5P+i45wHScjrdfZNKpcMRstNSpBz1FwLqUsO8BhLTmpGZSA+BQVxke1oke/E02Hi4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=mfShiWRs; arc=none smtp.client-ip=209.85.214.171
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="mfShiWRs"
Received: by mail-pl1-f171.google.com with SMTP id
 d9443c01a7336-21f4aa501a4so10595815ad.1
        for <linux-hardening@vger.kernel.org>;
 Tue, 11 Feb 2025 19:21:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330518; x=1739935318;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=DGlgtnJud/tm4lyrsEmm3OjwE2GDthkuHJ1JyP15EEc=;
        b=mfShiWRsz7p9LTRqrjCqns4GtsKPBZkJw4/FHb0eg1hga8xrlkfsJU4tmRa+07c079
         m9VoRdh8qg3Sx/jqaUb877lZQPbpaWNekSzjYJZEYRr4lb2cFvFQeZkGgpNsRgkieXsW
         iDsxQTGX8hoW1Fv1Bu+XSi/wacNvQloD8+7zs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330518; x=1739935318;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=DGlgtnJud/tm4lyrsEmm3OjwE2GDthkuHJ1JyP15EEc=;
        b=TwYpBv0WhydMYmH2deCJmL1pTAIgUc9BlkTNFfsegjRBbuSD+ajnuvh1oVZJrVd69H
         2vdgppyTQi4+biRwP0HBhy7IwRH5MYdBXzuDEPBsV9jfUNi8ulvg8S+RV2rPF87Q0uj4
         gHicTLWuNlhixbHVJ04JfMp+fg4/rtIMEzrXkyxfHCLWhe3CEcGadqekUsHckPx0uS4k
         jV/vno518gSGFth1cHQ3EDson5BgY5Ga7lrslFfUvB5w3Ko7E7/TTRtbjHPxT97u+BQD
         clUIXG2IAn3N+ez5Fry58xkdzLvGqG8UuTesuzPrv5TNWHy73dxGvttalvch2DwFd6n8
         fbhA==
X-Forwarded-Encrypted: i=1;
 AJvYcCXWwGJt7JKwcVP8mT/S3OmmuFN9FxYtZg1bE/nvgeYdohYCZ8p3tqOqtioBKvEvdgHTxIJFghM64UKC4swuaCY=@vger.kernel.org
X-Gm-Message-State: AOJu0YxvHXjdMRqNaVmJi5Z7CkM1AAZLfYBOTtCn02VWOrF9vrFi9tnv
	4Rqw7PEcZQHvPsg9EExC36ympvETGxS7efuiaD0gyb4XWb4kNh7parn9sBUNFQ==
X-Gm-Gg: ASbGncu+u1iyL0qEyPjkP/ayLzy5Dg9p9+j8ykYSNuaNm+0ExPzioMd6lJUWJOO0nip
	/70Eb3h7Ix2Y5D6SPjJpEKIhDTDtePiiHzPKTWF2CSiMeHufg5X+bPg1eat99BYsCFtkKJLANfq
	mDjLJPT7bsLm/BGXSOb3CN6FN7W/xJQ0siqvQB0rU4KFCD3bP1LmRiGxS0QqvUg1HgYRFhEbbts
	Hr8Suo7Z5gGKRdC++1dPGnxADcyQ4+O9PihJxfnVDbdqfGk+y/LVkq2rPPZVZ9xy/tCqCFvrREl
	yPEz9SmJ6/dXMtcE22zbs2gJam8OW6YrtQsI/xL2zZHT+SeH1w==
X-Google-Smtp-Source: 
 AGHT+IEURlNafHcVNKrTKgOcgxh+gG6kKLNCaOgM84jrdUBBOm8abnn5+RM1CQymWz2I341kNGd0sw==
X-Received: by 2002:a17:903:22c5:b0:21b:d105:26a7 with SMTP id
 d9443c01a7336-220bbb045admr10702145ad.6.1739330517663;
        Tue, 11 Feb 2025 19:21:57 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 98e67ed59e1d1-2fbf999b5cesm299750a91.34.2025.02.11.19.21.57
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:21:57 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>
Subject: [RFC PATCH v5 1/7] mseal,
 system mappings: kernel config and header change
Date: Wed, 12 Feb 2025 03:21:49 +0000
Message-ID: <20250212032155.1276806-2-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
List-Id: <linux-hardening.vger.kernel.org>
List-Subscribe: <mailto:linux-hardening+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-hardening+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

From: Jeff Xu <jeffxu@chromium.org>

Provide infrastructure to mseal system mappings. Establish
two kernel configs (CONFIG_MSEAL_SYSTEM_MAPPINGS,
ARCH_HAS_MSEAL_SYSTEM_MAPPINGS) and a header file (userprocess.h)
for future patches.

As discussed during mseal() upstream process [1], mseal() protects
the VMAs of a given virtual memory range against modifications, such
as the read/write (RW) and no-execute (NX) bits. For complete
descriptions of memory sealing, please see mseal.rst [2].

The mseal() is useful to mitigate memory corruption issues where a
corrupted pointer is passed to a memory management system. For
example, such an attacker primitive can break control-flow integrity
guarantees since read-only memory that is supposed to be trusted can
become writable or .text pages can get remapped.

The system mappings are readonly only, memory sealing can protect
them from ever changing to writable or unmmap/remapped as different
attributes.

System mappings such as vdso, vvar, and sigpage (arm), vectors (arm)
are created by the kernel during program initialization, and could
be sealed after creation.

Unlike the aforementioned mappings, the uprobe mapping is not
established during program startup. However, its lifetime is the same
as the process's lifetime [3]. It could be sealed from creation.

The vsyscall on x86-64 uses a special address (0xffffffffff600000),
which is outside the mm managed range. This means mprotect, munmap, and
mremap won't work on the vsyscall. Since sealing doesn't enhance
the vsyscall's security, it is skipped in this patch. If we ever seal
the vsyscall, it is probably only for decorative purpose, i.e. showing
the 'sl' flag in the /proc/pid/smaps. For this patch, it is ignored.

It is important to note that the CHECKPOINT_RESTORE feature (CRIU) may
alter the system mappings during restore operations. UML(User Mode Linux)
and gVisor are also known to change the vdso/vvar mappings. Consequently,
this feature cannot be universally enabled across all systems. As such,
CONFIG_MSEAL_SYSTEM_MAPPINGS is disabled by default.

To support mseal of system mappings, architectures must define
CONFIG_ARCH_HAS_MSEAL_SYSTEM_MAPPINGS and update their special mappings
calls to pass mseal flag. Additionally, architectures must confirm they
do not unmap/remap system mappings during the process lifetime.

In this version, we've improved the handling of system mapping sealing from
previous versions, instead of modifying the _install_special_mapping
function itself, which would affect all architectures, we now call
_install_special_mapping with a sealing flag only within the specific
architecture that requires it. This targeted approach offers two key
advantages: 1) It limits the code change's impact to the necessary
architectures, and 2) It aligns with the software architecture by keeping
the core memory management within the mm layer, while delegating the
decision of sealing system mappings to the individual architecture, which
is particularly relevant since 32-bit architectures never require sealing.

Additionally, this patch introduces a new header,
include/linux/usrprocess.h, which contains the mseal_system_mappings()
function. This function helps the architecture determine if system
mapping is enabled within the current kernel configuration. It can be
extended in the future to handle opt-in/out prctl for enabling system
mapping sealing at the process level or a kernel cmdline feature.

A new header file was introduced because it was difficult to find the
best location for this function. Although include/linux/mm.h was
considered, this feature is more closely related to user processes
than core memory management. Additionally, future prctl or kernel
cmd-line implementations for this feature would not fit within the
scope of core memory management or mseal.c. This is relevant because
if we add unit-tests for mseal.c in the future, we would want to limit
mseal.c's dependencies to core memory management.

Prior to this patch series, we explored sealing special mappings from
userspace using glibc's dynamic linker. This approach revealed several
issues:
- The PT_LOAD header may report an incorrect length for vdso, (smaller
  than its actual size). The dynamic linker, which relies on PT_LOAD
  information to determine mapping size, would then split and partially
  seal the vdso mapping. Since each architecture has its own vdso/vvar
  code, fixing this in the kernel would require going through each
  archiecture. Our initial goal was to enable sealing readonly mappings,
  e.g. .text, across all architectures, sealing vdso from kernel since
  creation appears to be simpler than sealing vdso at glibc.
- The [vvar] mapping header only contains address information, not length
  information. Similar issues might exist for other special mappings.
- Mappings like uprobe are not covered by the dynamic linker,
  and there is no effective solution for them.

This feature's security enhancements will benefit ChromeOS, Android,
and other high security systems.

Testing:
This feature was tested on ChromeOS and Android for both x86-64 and ARM64.
- Enable sealing and verify vdso/vvar, sigpage, vector are sealed properly,
  i.e. "sl" shown in the smaps for those mappings, and mremap is blocked.
- Passing various automation tests (e.g. pre-checkin) on ChromeOS and
  Android to ensure the sealing doesn't affect the functionality of
  Chromebook and Android phone.

I also tested the feature on Ubuntu on x86-64:
- With config disabled, vdso/vvar is not sealed,
- with config enabled, vdso/vvar is sealed, and booting up Ubuntu is OK,
  normal operations such as browsing the web, open/edit doc are OK.

In addition, Benjamin Berg tested this on UML.

Link: https://lore.kernel.org/all/20240415163527.626541-1-jeffxu@chromium.org/ [1]
Link: Documentation/userspace-api/mseal.rst [2]
Link: https://lore.kernel.org/all/CABi2SkU9BRUnqf70-nksuMCQ+yyiWjo3fM4XkRkL-NrCZxYAyg@mail.gmail.com/ [3]

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 include/linux/userprocess.h | 18 ++++++++++++++++++
 init/Kconfig                | 18 ++++++++++++++++++
 security/Kconfig            | 18 ++++++++++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 include/linux/userprocess.h

diff --git a/include/linux/userprocess.h b/include/linux/userprocess.h
new file mode 100644
index 000000000000..bd11e2e972c5
--- /dev/null
+++ b/include/linux/userprocess.h
@@ -0,0 +1,18 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _LINUX_USER_PROCESS_H
+#define _LINUX_USER_PROCESS_H
+#include <linux/mm.h>
+
+/*
+ * mseal of userspace process's system mappings.
+ */
+static inline unsigned long mseal_system_mappings(void)
+{
+#ifdef CONFIG_MSEAL_SYSTEM_MAPPINGS
+	return VM_SEALED;
+#else
+	return 0;
+#endif
+}
+
+#endif
diff --git a/init/Kconfig b/init/Kconfig
index d0d021b3fa3b..892d2bcdf397 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1882,6 +1882,24 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS
 config ARCH_HAS_MEMBARRIER_SYNC_CORE
 	bool
 
+config ARCH_HAS_MSEAL_SYSTEM_MAPPINGS
+	bool
+	help
+	  Control MSEAL_SYSTEM_MAPPINGS access based on architecture.
+
+	  A 64-bit kernel is required for the memory sealing feature.
+	  No specific hardware features from the CPU are needed.
+
+	  To enable this feature, the architecture needs to update their
+	  speical mappings calls to include the sealing flag and confirm
+	  that it doesn't unmap/remap system mappings during the life
+	  time of the process. After the architecture enables this, a
+	  distribution can set CONFIG_MSEAL_SYSTEM_MAPPING to manage access
+	  to the feature.
+
+	  For complete descriptions of memory sealing, please see
+	  Documentation/userspace-api/mseal.rst
+
 config HAVE_PERF_EVENTS
 	bool
 	help
diff --git a/security/Kconfig b/security/Kconfig
index f10dbf15c294..bfb35fc7a3c6 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -51,6 +51,24 @@ config PROC_MEM_NO_FORCE
 
 endchoice
 
+config MSEAL_SYSTEM_MAPPINGS
+	bool "mseal system mappings"
+	depends on 64BIT
+	depends on ARCH_HAS_MSEAL_SYSTEM_MAPPINGS
+	depends on !CHECKPOINT_RESTORE
+	help
+	  Seal system mappings such as vdso, vvar, sigpage, uprobes, etc.
+
+	  A 64-bit kernel is required for the memory sealing feature.
+	  No specific hardware features from the CPU are needed.
+
+	  Note: CHECKPOINT_RESTORE, UML, gVisor are known to relocate or
+	  unmap system mapping, therefore this config can't be enabled
+	  universally.
+
+	  For complete descriptions of memory sealing, please see
+	  Documentation/userspace-api/mseal.rst
+
 config SECURITY
 	bool "Enable different security models"
 	depends on SYSFS

From patchwork Wed Feb 12 03:21:50 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Xu <jeffxu@chromium.org>
X-Patchwork-Id: 13971196
Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com
 [209.85.216.47])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 89B391DA60F
	for <linux-hardening@vger.kernel.org>; Wed, 12 Feb 2025 03:21:59 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.47
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330521; cv=none;
 b=h1nmjUKXXbqMJ30qjnc/F47w6T0/cLhpodWOToNVTInQ2uHZ3+5GiHjgUOeEwPccgRTMUoI46CtGLOLvX+qHpagLHdvgHe6D6HDCZNtR2Lbf1NYNUbXBNBpjq9yjQjIIPeFjPkdF7/A0viGqhjXP3jt3TGyrkzvNN4YLr1mFYTM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330521; c=relaxed/simple;
	bh=w05nUehMgqwD35vj2y2xYw7+UYzGcB8hX3kEdKcacUM=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=s49qqmYEFmqj9yTp1FNiNdArlTS2ALKiuuxLigviA2m/MH3XwGfyebReRChmRQntHj7y455CvcCBk+A1VbgT7eXHk4TocYDkFN/rCKstEyykETdNo2+xUNjaJFuC1xKx3XFu7WOWqgarQqjLDBGUbNSrNQ3Muh40zNGsQZK541E=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=IawSfX5q; arc=none smtp.client-ip=209.85.216.47
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="IawSfX5q"
Received: by mail-pj1-f47.google.com with SMTP id
 98e67ed59e1d1-2f45526dea0so1494565a91.1
        for <linux-hardening@vger.kernel.org>;
 Tue, 11 Feb 2025 19:21:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330519; x=1739935319;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=ncxizXOAVrQ+BWFck4tB/XehU76xAVIOQApqyTjKcXY=;
        b=IawSfX5qB2NIA773BpHMcYG7zdu1MGJW2P8MV+XmDVUcVx/AytsNNwZnoIm1Pi4s99
         hkQFSyRGCnTD6eqrdjnatsKPmMP0K9OHmosSfvrViiZiLvVkPP67mVmDU8Y5hGNqfWP5
         spnLjP2rCy5bRZIlxyIzozQUjzYj5fgPhQR3M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330519; x=1739935319;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=ncxizXOAVrQ+BWFck4tB/XehU76xAVIOQApqyTjKcXY=;
        b=mn/AZuEh2pAYUSeSHqwQWQzfCLgkdp7mP9ZcaWE56fzzfcldNteIh3iWCf9BK+4Nf3
         QFqySVGZeBYIlNmom2OI0vxEx+lNyD0tlRmZD2Y/SUCAAw8Dg+/MybuDWTIxP6L4ayl7
         wnVOcwqGjvSrJSTHP4LEbLFAP9FYrj1Up7aG4wBDorX/zo9RncsW89cgHkVX1irpWeXq
         4AxPb7Rmf3pNf3G/LccnZx3T+Tyh78xp/Jhp1IxrNqqfajMRT6Hn0+dcqwEgzLeCBHFM
         nNYvnIK87lu9H5rqfcWHyW6PGSJZCzUeEkgyDGC2nUxZpphtvIziAHh2dM7njtWC+TAb
         p+Ng==
X-Forwarded-Encrypted: i=1;
 AJvYcCXK6Sj1rsFT8t3zmM4Mfc2RUDNmHsyaNVxFWKVhS216vr0pW0Z2zOxTeBzhyg+BYQ+rO4vr6rCXnt98hyB2WUc=@vger.kernel.org
X-Gm-Message-State: AOJu0YwUlpwAmuBG5LHnBAqWLPA0ZH2BLWosf8QKsybCf450vdoq5k/T
	Jxow8qafJ/Zv49FMCSpFfmoiEOzOi1us70XqYWVNXhpZThGeAeMhjBEqka3cVw==
X-Gm-Gg: ASbGncvrx61yuZc5OaINeL16/V/J9X6cI6eJPSVsAkIoJVWUYufQxda/8W95FnAKamO
	AsmlJjufejiHvOfN+wcTxFneI/9aZzxl/nDsYq4zQ0OY7USiNgB3AwiBG1CnruuAxh40JL92CEA
	fD8EL4X+ggSFz9o9nDmG73wt75Hq8InC9HFWXS4kV94W2aXUY5siBax6mzY6tvj4Zih0EFg9hHn
	Rf5WzB7Zx16uSpTyCTEPnB9ulTvFAdlaRVTIMe+TRe2tQt6YmOmUrZPwnJ8n53U5x/BWCN14UJL
	i+gIJ+mcgbwzkjvz93pFUyKQw4HYEES1Mc1N6H5dybcW1AuJow==
X-Google-Smtp-Source: 
 AGHT+IE4/7BwbuwtwfhXwLsB0i3Q5aZn7rPFgpOtvzT4ULZm4VcW3dgNVOfd6aFz9L3M8GZfkNV1AQ==
X-Received: by 2002:a05:6a00:181a:b0:730:8cfb:d5f5 with SMTP id
 d2e1a72fcca58-7322c4031d2mr872747b3a.6.1739330518746;
        Tue, 11 Feb 2025 19:21:58 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 d2e1a72fcca58-73089c88552sm5087106b3a.93.2025.02.11.19.21.58
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:21:58 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>
Subject: [RFC PATCH v5 2/7] selftests: x86: test_mremap_vdso: skip if vdso is
 msealed
Date: Wed, 12 Feb 2025 03:21:50 +0000
Message-ID: <20250212032155.1276806-3-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
List-Id: <linux-hardening.vger.kernel.org>
List-Subscribe: <mailto:linux-hardening+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-hardening+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

From: Jeff Xu <jeffxu@chromium.org>

Add code to detect if the vdso is memory sealed, skip the test
if it is.

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 .../testing/selftests/x86/test_mremap_vdso.c  | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/tools/testing/selftests/x86/test_mremap_vdso.c b/tools/testing/selftests/x86/test_mremap_vdso.c
index d53959e03593..c68077c56b22 100644
--- a/tools/testing/selftests/x86/test_mremap_vdso.c
+++ b/tools/testing/selftests/x86/test_mremap_vdso.c
@@ -14,6 +14,7 @@
 #include <errno.h>
 #include <unistd.h>
 #include <string.h>
+#include <stdbool.h>
 
 #include <sys/mman.h>
 #include <sys/auxv.h>
@@ -55,13 +56,50 @@ static int try_to_remap(void *vdso_addr, unsigned long size)
 
 }
 
+#define VDSO_NAME "[vdso]"
+#define VMFLAGS "VmFlags:"
+#define MSEAL_FLAGS "sl"
+#define MAX_LINE_LEN 512
+
+bool vdso_sealed(FILE *maps)
+{
+	char line[MAX_LINE_LEN];
+	bool has_vdso = false;
+
+	while (fgets(line, sizeof(line), maps)) {
+		if (strstr(line, VDSO_NAME))
+			has_vdso = true;
+
+		if (has_vdso && !strncmp(line, VMFLAGS, strlen(VMFLAGS))) {
+			if (strstr(line, MSEAL_FLAGS))
+				return true;
+
+			return false;
+		}
+	}
+
+	return false;
+}
+
 int main(int argc, char **argv, char **envp)
 {
 	pid_t child;
+	FILE *maps;
 
 	ksft_print_header();
 	ksft_set_plan(1);
 
+	maps = fopen("/proc/self/smaps", "r");
+	if (!maps) {
+		ksft_test_result_skip("Could not open /proc/self/smaps\n");
+		return 0;
+	}
+
+	if (vdso_sealed(maps)) {
+		ksft_test_result_skip("vdso is sealed\n");
+		return 0;
+	}
+
 	child = fork();
 	if (child == -1)
 		ksft_exit_fail_msg("failed to fork (%d): %m\n", errno);

From patchwork Wed Feb 12 03:21:51 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Xu <jeffxu@chromium.org>
X-Patchwork-Id: 13971197
Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com
 [209.85.214.182])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7EB921DB958
	for <linux-hardening@vger.kernel.org>; Wed, 12 Feb 2025 03:22:00 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.182
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330522; cv=none;
 b=s/pVa1DjDGBsA7/k5tqakRmCsuahfPBum0y/FbJSXnRnMIqamo6lWZBxn6HrE14pwHRY2bmF7agTjeJCzgbvBYH4w172tCkEv+5CKhzFsUzoeMMtQrNbq5pCZa/GRqWBdCwhoKHhGIqnCYPX0ITvx+ZvurXW6fnESSQIgL93Vt8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330522; c=relaxed/simple;
	bh=l7hq5FUIDAkHBVw6OKr53T6zReeP1iwdJbypvd6CNes=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=bjWyTjJigMig03oBII/gNicmJIm9Im/liLxEo1p7clgNufHoqolFJMbx8z4r0oLgKIAEU7mY+rKI8dHxu7e7WW2HgVCx+fCCHt8hfeXmtJ6GPDQZ2CR3EAGscmh3YZBcgwVpDVTaZfsTWy9NmwsAH8vyQYEj72zmu//EwcsIcro=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=DvKsIggC; arc=none smtp.client-ip=209.85.214.182
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="DvKsIggC"
Received: by mail-pl1-f182.google.com with SMTP id
 d9443c01a7336-21f5ccd9742so9857305ad.1
        for <linux-hardening@vger.kernel.org>;
 Tue, 11 Feb 2025 19:22:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330520; x=1739935320;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=QF+XsAOZtoeX6mlWsDERSJyrasHSdBo5DRJV2HHqSDI=;
        b=DvKsIggCl4elQjG5VJYQlLuE59jue/Pr6e8h4fPvq5X1W+UcbT91teA1Dkr8QjZXVN
         D8KAGlfnSnQOIPNkAqvolth3KVcMybise8IgMIksvXSAIIZ9Hh24jPluiIug3j51im6B
         NHfvMrFYfYu7d81+w8evXpprkxvHPbzujRa+s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330520; x=1739935320;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=QF+XsAOZtoeX6mlWsDERSJyrasHSdBo5DRJV2HHqSDI=;
        b=vxdKsjkMcUwksWAxMiYyfsi6KwdC6QpkV1baf9csOSYtO+G+vKvPoKl55CEKIhY9s6
         aBN1tMGbuHcixNgEvCCUT/WBEAm+UOTl5cn1C3Dg+gRQ69UqoPp5QOZbY1yqY0ZSec68
         gnMUFjuoEOCgGQOriqua79WsWqefl0GeoKAC+bSFr4D4hD5v9uLmM2vqlSaStp68ukci
         U+H4mFwcDQuDC/gG8unaAWX/M8WZ+UE4eGqTUQcpmL/o8qQ8reqR4Cg0l1fBnR+jAMoC
         1hGlkE04bbf+FfztWy/XQHA6TsC/iyXhmKVFU4VGDcJ+VsYdTn/YeG9rFcq05hFfIr0H
         GPiw==
X-Forwarded-Encrypted: i=1;
 AJvYcCXAVSgTqogQ9+y1hvWkPzc3Hf1SzmDPudJibnthUz/965eOeyP7jZ0JMKN2tBupBsko0CANc5P6mH/ISxk11wc=@vger.kernel.org
X-Gm-Message-State: AOJu0YwuGtJPCI9yJli6aWbiMEJkuRNGh33/oYXbwqADUlRFljEmLkiu
	tC2rj/ebUQ97MaBAzo3X0aAwG7TADQyNkg75Ry+NNRuMUpGzGoIc7ndzgb5GLg==
X-Gm-Gg: ASbGnctQ3yLQKY3OLeHH4sYy+vZE9ctwJxR30vLvNOE41J04qSSpmbg+/1efFlFJ+gb
	v/u8hMR2I2cCkMK4oUzUgrZM4ydey6QlRJcgWUgLtsIL5yzmJ2u/KcpGPsS09M0Jwrbkw9M0zS6
	yy8GEqv31QEgaIipV+/fBgPNwFLh+Xm5iud+MeNqcZvQpmFSjPGJskY8Tf+dCguWDa2/DN4rA5F
	qlVB5A2UuZNOFXLS9NjNxARuLPRNjAd6zBgiGRD4KgEsygNuQqse7GJukjbnLwsVOrpLv/6QMTU
	enGTjJKF7GTM3wn5Q95W2zXVUWTmEIc/YmswLKIrnvw1B88GiQ==
X-Google-Smtp-Source: 
 AGHT+IHHM7M1gkeTK0DkmrzJae9kr1fBnAHXJ9XN96tPbv9kYILCpzpkfCEUqgGotDXyfntPOksCow==
X-Received: by 2002:a17:902:f68f:b0:21f:207:bd88 with SMTP id
 d9443c01a7336-220bbf0220fmr10761195ad.3.1739330519734;
        Tue, 11 Feb 2025 19:21:59 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 d9443c01a7336-21f3683db25sm102503155ad.134.2025.02.11.19.21.59
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:21:59 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>
Subject: [RFC PATCH v5 3/7] mseal, system mappings: enable x86-64
Date: Wed, 12 Feb 2025 03:21:51 +0000
Message-ID: <20250212032155.1276806-4-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
List-Id: <linux-hardening.vger.kernel.org>
List-Subscribe: <mailto:linux-hardening+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-hardening+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

From: Jeff Xu <jeffxu@chromium.org>

Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on x86-64,
covering the vdso, vvar, vvar_vclock.

Production release testing passes on Android and Chrome OS.

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 arch/x86/Kconfig          |  1 +
 arch/x86/entry/vdso/vma.c | 17 +++++++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 87198d957e2f..8fa17032ca46 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -26,6 +26,7 @@ config X86_64
 	depends on 64BIT
 	# Options that are inherently 64-bit kernel only:
 	select ARCH_HAS_GIGANTIC_PAGE
+	select ARCH_HAS_MSEAL_SYSTEM_MAPPINGS
 	select ARCH_SUPPORTS_INT128 if CC_HAS_INT128
 	select ARCH_SUPPORTS_PER_VMA_LOCK
 	select ARCH_SUPPORTS_HUGE_PFNMAP if TRANSPARENT_HUGEPAGE
diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
index 39e6efc1a9ca..b5273dadd64a 100644
--- a/arch/x86/entry/vdso/vma.c
+++ b/arch/x86/entry/vdso/vma.c
@@ -13,6 +13,7 @@
 #include <linux/random.h>
 #include <linux/elf.h>
 #include <linux/cpu.h>
+#include <linux/userprocess.h>
 #include <linux/ptrace.h>
 #include <linux/time_namespace.h>
 
@@ -247,6 +248,7 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr)
 	struct mm_struct *mm = current->mm;
 	struct vm_area_struct *vma;
 	unsigned long text_start;
+	unsigned long vm_flags;
 	int ret = 0;
 
 	if (mmap_write_lock_killable(mm))
@@ -264,11 +266,12 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr)
 	/*
 	 * MAYWRITE to allow gdb to COW and set breakpoints
 	 */
+	vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC;
+	vm_flags |= mseal_system_mappings();
 	vma = _install_special_mapping(mm,
 				       text_start,
 				       image->size,
-				       VM_READ|VM_EXEC|
-				       VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
+				       vm_flags,
 				       &vdso_mapping);
 
 	if (IS_ERR(vma)) {
@@ -276,11 +279,12 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr)
 		goto up_fail;
 	}
 
+	vm_flags = VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|VM_PFNMAP;
+	vm_flags |= mseal_system_mappings();
 	vma = _install_special_mapping(mm,
 				       addr,
 				       (__VVAR_PAGES - VDSO_NR_VCLOCK_PAGES) * PAGE_SIZE,
-				       VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|
-				       VM_PFNMAP,
+				       vm_flags,
 				       &vvar_mapping);
 
 	if (IS_ERR(vma)) {
@@ -289,11 +293,12 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr)
 		goto up_fail;
 	}
 
+	vm_flags = VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|VM_PFNMAP;
+	vm_flags |= mseal_system_mappings();
 	vma = _install_special_mapping(mm,
 				       addr + (__VVAR_PAGES - VDSO_NR_VCLOCK_PAGES) * PAGE_SIZE,
 				       VDSO_NR_VCLOCK_PAGES * PAGE_SIZE,
-				       VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|
-				       VM_PFNMAP,
+				       vm_flags,
 				       &vvar_vclock_mapping);
 
 	if (IS_ERR(vma)) {

From patchwork Wed Feb 12 03:21:52 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Xu <jeffxu@chromium.org>
X-Patchwork-Id: 13971198
Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com
 [209.85.216.47])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6757A1DDA1B
	for <linux-hardening@vger.kernel.org>; Wed, 12 Feb 2025 03:22:01 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.47
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330523; cv=none;
 b=rncRt1l2HP7EAU70XE3PONWvIRobthTtHJLkwmQ7skH6MyM5BJppG3qa4nve200X6Tyv4AjO8rf27HRw/OUNuTmuh9WIdGTdrvDyFRzNxt79eDTX9L4ogf8gq7uYvYYYlb+slE74SL86atw2eoNhkQuUG5P043BIl6HdbLbVOLs=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330523; c=relaxed/simple;
	bh=rbKCgrhSnltAq4HphfqxDQL2WDHmk7Ibm7vobAi6Ezk=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=DXboqkF8BacApswKnH3PjdUgXuojx7uViDqYU/aMhJS94lObLtEiogadKADd1FYzMk06TE3+mznI+qzGLx8WTDudaeLpcrgNh11YBP1BKiRdqUrie2o2+4wzGtsViq8Vx7kzsQCjTASdT5JUCpbt9J6c4kvfJKdUQJsb4deqLDk=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=ZxpavU03; arc=none smtp.client-ip=209.85.216.47
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="ZxpavU03"
Received: by mail-pj1-f47.google.com with SMTP id
 98e67ed59e1d1-2fa1a428f6aso1403308a91.1
        for <linux-hardening@vger.kernel.org>;
 Tue, 11 Feb 2025 19:22:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330521; x=1739935321;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=l7pPl+80co4+z7JP7yvzolDYDYVYpoOhsDUrxcZkGCI=;
        b=ZxpavU03xFkpCelm5FYcB82bogOeN93OZfk0WyvdJHXoBuBCLZcjLWeCKYOquRgSQ2
         Gzn45gr/KMF1DbDg2DSJIFeFHITzgy4KFc4zq7Ta2rPlOTkNPrdjXRSKI7zK3Jvl2KgN
         l9UM4N3k9cQ7wWtg86ODmAvy8RmOWO65QKhFk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330521; x=1739935321;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=l7pPl+80co4+z7JP7yvzolDYDYVYpoOhsDUrxcZkGCI=;
        b=Xe542+OKV08f5mISwthX31gT/NMPdXlI3Kvbv435TnlbLmLRmt26VHRLHfdLPR8zbm
         lU+i54D9sW6u7tNjN5W2mNti5akOdflhEij9AugON1o6DTAxQ3R8e9M4aQj1NnUs7A1w
         kTFeCwbovBkojgWlkSOpcNPem9GZiRU63Ld4oh7arxsLaSurjcZDZv3M+3GuxLLHEEao
         xPemoPzGRJplCrJIEpsjyrKwjqb+qjs/dhVawrAtKP/BEf5OzmmJ75dz8/T06NW7yvG+
         S+drX8TTEhmk/Nnfe9oNxxhVjpaq+y+TtQdfNdQ3so0oKQ4uGSqf7x1zHoAIbSwfGsjI
         lR9Q==
X-Forwarded-Encrypted: i=1;
 AJvYcCXNmD+UwJcjh+3j1UYtqmaC5tY5UuOJp6dOQUrKqQJIVlbslz77RF5rZZD6d97ZMnQpZ0iFIO947sc7/XaNPU8=@vger.kernel.org
X-Gm-Message-State: AOJu0Yx7eO6IQ2IVVWrODIzPuFRbE+EwSI7VISwJ0znvBiuSMrHBFoPj
	G7u61MLnjnmozhJfXHZ8xhync7aZHtoXeRWN6cfqD8BSbx8p8ZV3RWbQ5h66zA==
X-Gm-Gg: ASbGncvcb7DUxh28ZyPGufx2RGvBzBxxICmgwXOI1XMr+RCTu683FhJ2SZs5oc4mEmJ
	6VziixifM6msoMmvsnmnJPAbwszuCza8+VSyuaQ3qltzxMjbDKoadyOWc17DlHUHI2BQDheNAZ9
	UvTIa8KSGQbFLtPlPhUHeI06qv0iWW29VBB5HLczXKCD7OLVwwKwX2S0yq62lIjflWly25teJ3+
	zhg3qyM2Lv5KtzfSMDG1aGbiK3sgzDi7EjbNLv80EaYfvSf5s2XUJZHhBPn6yOpxkF/Y2Dq9j4w
	V03Qf/7ld8tzGU9Gwp0CmPH8Q1ZtBFa5rRtJSYFMwgOSH6Kayg==
X-Google-Smtp-Source: 
 AGHT+IEQjI3mXwIsERllpCdgEEkG55fGZ2UKV6IZsw6M1hblfR3OjmOt9QtTdXsaFePhUPJi1BBTqA==
X-Received: by 2002:a05:6a00:ac06:b0:725:46cc:719a with SMTP id
 d2e1a72fcca58-7322c3780fdmr864380b3a.1.1739330520652;
        Tue, 11 Feb 2025 19:22:00 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 d2e1a72fcca58-7309569d6efsm4018014b3a.92.2025.02.11.19.22.00
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:22:00 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>
Subject: [RFC PATCH v5 4/7] mseal, system mappings: enable arm64
Date: Wed, 12 Feb 2025 03:21:52 +0000
Message-ID: <20250212032155.1276806-5-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
List-Id: <linux-hardening.vger.kernel.org>
List-Subscribe: <mailto:linux-hardening+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-hardening+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

From: Jeff Xu <jeffxu@chromium.org>

Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on arm64, covering
the vdso, vvar, and compat-mode vectors and sigpage mappings.

Production release testing passes on Android and Chrome OS.

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 arch/arm64/Kconfig       |  1 +
 arch/arm64/kernel/vdso.c | 23 ++++++++++++++++-------
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index fcdd0ed3eca8..39202aa9a5af 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -38,6 +38,7 @@ config ARM64
 	select ARCH_HAS_KEEPINITRD
 	select ARCH_HAS_MEMBARRIER_SYNC_CORE
 	select ARCH_HAS_MEM_ENCRYPT
+	select ARCH_HAS_MSEAL_SYSTEM_MAPPINGS
 	select ARCH_HAS_NMI_SAFE_THIS_CPU_OPS
 	select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
 	select ARCH_HAS_NONLEAF_PMD_YOUNG if ARM64_HAFT
diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c
index e8ed8e5b713b..cfe2f5b344c4 100644
--- a/arch/arm64/kernel/vdso.c
+++ b/arch/arm64/kernel/vdso.c
@@ -15,6 +15,7 @@
 #include <linux/gfp.h>
 #include <linux/kernel.h>
 #include <linux/mm.h>
+#include <linux/userprocess.h>
 #include <linux/sched.h>
 #include <linux/signal.h>
 #include <linux/slab.h>
@@ -183,6 +184,7 @@ static int __setup_additional_pages(enum vdso_abi abi,
 {
 	unsigned long vdso_base, vdso_text_len, vdso_mapping_len;
 	unsigned long gp_flags = 0;
+	unsigned long vm_flags;
 	void *ret;
 
 	BUILD_BUG_ON(VVAR_NR_PAGES != __VVAR_PAGES);
@@ -197,8 +199,10 @@ static int __setup_additional_pages(enum vdso_abi abi,
 		goto up_fail;
 	}
 
+	vm_flags = VM_READ|VM_MAYREAD|VM_PFNMAP;
+	vm_flags |= mseal_system_mappings();
 	ret = _install_special_mapping(mm, vdso_base, VVAR_NR_PAGES * PAGE_SIZE,
-				       VM_READ|VM_MAYREAD|VM_PFNMAP,
+				       vm_flags,
 				       &vvar_map);
 	if (IS_ERR(ret))
 		goto up_fail;
@@ -208,9 +212,10 @@ static int __setup_additional_pages(enum vdso_abi abi,
 
 	vdso_base += VVAR_NR_PAGES * PAGE_SIZE;
 	mm->context.vdso = (void *)vdso_base;
+	vm_flags = VM_READ|VM_EXEC|gp_flags|VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC;
+	vm_flags |= mseal_system_mappings();
 	ret = _install_special_mapping(mm, vdso_base, vdso_text_len,
-				       VM_READ|VM_EXEC|gp_flags|
-				       VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
+				       vm_flags,
 				       vdso_info[abi].cm);
 	if (IS_ERR(ret))
 		goto up_fail;
@@ -326,6 +331,7 @@ arch_initcall(aarch32_alloc_vdso_pages);
 static int aarch32_kuser_helpers_setup(struct mm_struct *mm)
 {
 	void *ret;
+	unsigned long vm_flags;
 
 	if (!IS_ENABLED(CONFIG_KUSER_HELPERS))
 		return 0;
@@ -334,9 +340,10 @@ static int aarch32_kuser_helpers_setup(struct mm_struct *mm)
 	 * Avoid VM_MAYWRITE for compatibility with arch/arm/, where it's
 	 * not safe to CoW the page containing the CPU exception vectors.
 	 */
+	vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYEXEC;
+	vm_flags |= mseal_system_mappings();
 	ret = _install_special_mapping(mm, AARCH32_VECTORS_BASE, PAGE_SIZE,
-				       VM_READ | VM_EXEC |
-				       VM_MAYREAD | VM_MAYEXEC,
+				       vm_flags,
 				       &aarch32_vdso_maps[AA32_MAP_VECTORS]);
 
 	return PTR_ERR_OR_ZERO(ret);
@@ -345,6 +352,7 @@ static int aarch32_kuser_helpers_setup(struct mm_struct *mm)
 static int aarch32_sigreturn_setup(struct mm_struct *mm)
 {
 	unsigned long addr;
+	unsigned long vm_flags;
 	void *ret;
 
 	addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
@@ -357,9 +365,10 @@ static int aarch32_sigreturn_setup(struct mm_struct *mm)
 	 * VM_MAYWRITE is required to allow gdb to Copy-on-Write and
 	 * set breakpoints.
 	 */
+	vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC;
+	vm_flags |= mseal_system_mappings();
 	ret = _install_special_mapping(mm, addr, PAGE_SIZE,
-				       VM_READ | VM_EXEC | VM_MAYREAD |
-				       VM_MAYWRITE | VM_MAYEXEC,
+				       vm_flags,
 				       &aarch32_vdso_maps[AA32_MAP_SIGPAGE]);
 	if (IS_ERR(ret))
 		goto out;

From patchwork Wed Feb 12 03:21:53 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Xu <jeffxu@chromium.org>
X-Patchwork-Id: 13971199
Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com
 [209.85.214.180])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 54ADB1E1A32
	for <linux-hardening@vger.kernel.org>; Wed, 12 Feb 2025 03:22:02 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.180
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330523; cv=none;
 b=jzRB4UuwULPXXPkmbW4BrBs3wbSQFk/ZgQBZvyLbN4HnLeiwINHVJJceI+RyRVQdjgeKdykcjfnIarSvv65UX0NZi0urJLNGzBtIR+agEK0BuoHpQ4SYWDqLLF4guHxpYDHPJkV9OUoPsVDwI0tWyPKJqc08bpSpC6W13wtkYrY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330523; c=relaxed/simple;
	bh=vaPHeEEUVjAtZeidG2hNXfFKCf7yTmWopFw9HmRLawQ=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=ANeWodgaQP1c368o76xUzbt+jOjXJTr8sZGBZ6YQy4VZpE0ROVwAA9J+4RBgccTuyhR/AiGX1SOMV9xKvMwBUe2gmQpwqLYezwPzJh0fDzxovJF96jdBYmTMqfU3OA2V0nmuqwo7KD9aNfTBRTtUUhKeI1NZCFJoiKkYZ0jfIaw=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=g4fzrQYR; arc=none smtp.client-ip=209.85.214.180
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="g4fzrQYR"
Received: by mail-pl1-f180.google.com with SMTP id
 d9443c01a7336-21f4aa501a4so10595945ad.1
        for <linux-hardening@vger.kernel.org>;
 Tue, 11 Feb 2025 19:22:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330522; x=1739935322;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=9CGVA5eSPFfsHEVs7rjQnee/yKRru+0Ft1a+zzsFXds=;
        b=g4fzrQYRZQn8oU/MkluKtm4c4tfyjg0lKP1WP/EccputHeDTs9CVEGRC21WSYmUW9P
         9GYsvTmiMKZ9IcV/oeH2zzR41YqIf6gMQwX0OIUazmdE+Nk1yQFqe/i98OeqMscwY6Ev
         SYGHcSePt1WWnh2Aim2cwItO2U4IPkMEgLO/0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330522; x=1739935322;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=9CGVA5eSPFfsHEVs7rjQnee/yKRru+0Ft1a+zzsFXds=;
        b=AbTduzev1rFMert1enoouDFA4CbGuLztIKGKSByx5oB8TzFT1YVuZCvL2IYGGZgeQE
         iLVAhIlJ+ApsWoTQzzwRpq9o2C1OEnuBx6QsoGSaWA1/eiEuTECYTvnIoxifVhP0TYaj
         G8cqjuCkTd+1xmO6EkU3q2X70wT8nk0nXrxa/xKqs5agKiam1iZ4nMu9Ye9aZILEd6tz
         sZFxrG7KLKzhDazeIGVH3eBE01cRaAJY6OIY/vQwcZqzrXIM/0eI/UmDtpoCEbOAV3bH
         71CUkX5AN6tJYc1Bg7KQJQt2l5F+lwAogoaDHZRdhNvlYQNsN0ADNb5DCy3H3JUDiW2l
         xHMw==
X-Forwarded-Encrypted: i=1;
 AJvYcCX8JuhLQJFADtrXQ6Qji7Hx99+hiMwjFCUt2HOi5dg8s5v/FJcFwmG8qyJrG3Wr5FyDQmmlQBMugCjzPi7egdA=@vger.kernel.org
X-Gm-Message-State: AOJu0YxPCosMUQ7SOjVe3VnNcjAmkqgIjurCAWrcD17zGqVN8oxkzaiU
	jSsjxqEEmIobxL/Y8cT+c4r14Rq5klBAnTICKciYxMmuNphL5L9A3KMz0t1kUg==
X-Gm-Gg: ASbGnctcRuCIIQC/GvQODChhI0H4P8UntmNA9v6JK6rfeErfedeNGu+X1BnEVwNdcCa
	LKkRxu1uMbqkfYELmH99p0JOZr4TYZ+56dNcKP2EOEtOSs1xz78bEI0QWibM+AY1SM5aGG5lzt9
	yqX+meQWRfGO73ozwJIiIkB08VfWMjfXlAD5QPPIizlIw5AtlA77tgvbzV84+pyqTZE75ENM6n1
	+bEZR9xBS9Z8n4WpAmh9sjqg5/ZSGEEJwU654euCGF0Z7Go2L6WAN+5gGt584+c1wF5Gdpwcvxz
	KPOML0EteUkTk4B+/RGcSq5dRgaguJyRKMoIxLf02kAfSGNlfw==
X-Google-Smtp-Source: 
 AGHT+IGRZPknLjE2cjsyC6HVD4KIdBjVV6wxieEwLxc5+sxlPK5wduEZddMX8O/rsN2prx5qJfmRrA==
X-Received: by 2002:a17:903:22c5:b0:21b:d105:26a7 with SMTP id
 d9443c01a7336-220bbb045admr10703335ad.6.1739330521639;
        Tue, 11 Feb 2025 19:22:01 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 d9443c01a7336-21f3683d8b2sm102324115ad.119.2025.02.11.19.22.01
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:22:01 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>,
	Benjamin Berg <benjamin.berg@intel.com>
Subject: [RFC PATCH v5 5/7] mseal, system mappings: enable uml architecture
Date: Wed, 12 Feb 2025 03:21:53 +0000
Message-ID: <20250212032155.1276806-6-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
List-Id: <linux-hardening.vger.kernel.org>
List-Subscribe: <mailto:linux-hardening+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-hardening+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

From: Jeff Xu <jeffxu@chromium.org>

Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on UML, covering
the vdso.

Testing passes on UML.

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
Tested-by: Benjamin Berg <benjamin.berg@intel.com>
---
 arch/um/Kconfig        | 1 +
 arch/x86/um/vdso/vma.c | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/um/Kconfig b/arch/um/Kconfig
index 18051b1cfce0..eb2d439a5334 100644
--- a/arch/um/Kconfig
+++ b/arch/um/Kconfig
@@ -10,6 +10,7 @@ config UML
 	select ARCH_HAS_FORTIFY_SOURCE
 	select ARCH_HAS_GCOV_PROFILE_ALL
 	select ARCH_HAS_KCOV
+	select ARCH_HAS_MSEAL_SYSTEM_MAPPINGS
 	select ARCH_HAS_STRNCPY_FROM_USER
 	select ARCH_HAS_STRNLEN_USER
 	select HAVE_ARCH_AUDITSYSCALL
diff --git a/arch/x86/um/vdso/vma.c b/arch/x86/um/vdso/vma.c
index f238f7b33cdd..a68919db0ff7 100644
--- a/arch/x86/um/vdso/vma.c
+++ b/arch/x86/um/vdso/vma.c
@@ -6,6 +6,7 @@
 #include <linux/slab.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
+#include <linux/userprocess.h>
 #include <asm/page.h>
 #include <asm/elf.h>
 #include <linux/init.h>
@@ -54,6 +55,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
 {
 	struct vm_area_struct *vma;
 	struct mm_struct *mm = current->mm;
+	unsigned long vm_flags;
 	static struct vm_special_mapping vdso_mapping = {
 		.name = "[vdso]",
 	};
@@ -65,9 +67,10 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
 		return -EINTR;
 
 	vdso_mapping.pages = vdsop;
+	vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC;
+	vm_flags |= mseal_system_mappings();
 	vma = _install_special_mapping(mm, um_vdso_addr, PAGE_SIZE,
-		VM_READ|VM_EXEC|
-		VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
+		vm_flags,
 		&vdso_mapping);
 
 	mmap_write_unlock(mm);

From patchwork Wed Feb 12 03:21:54 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Xu <jeffxu@chromium.org>
X-Patchwork-Id: 13971200
Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com
 [209.85.214.175])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5441B1E7C19
	for <linux-hardening@vger.kernel.org>; Wed, 12 Feb 2025 03:22:03 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.175
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330524; cv=none;
 b=sKrO0k0X9TTjlACFlsgf7UzrEpPI9Io2c1kLRH7RKU94UNWwC9Bsc56N/MkjWUV3sVPQuroPNndLk79NbICLyUTfWUHWnB62IRgPzilQYsSgvL7lJbE6VQXkbIdihBfleh5ONV2o+ubKuzBRslE6eH6joPFoe0zYENkkiAYk/3w=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330524; c=relaxed/simple;
	bh=rT7bFBNt1F+exb7tPl5r3kNd1kDl3uip2zjF/VDFZKc=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=Wmk32bw8tSt+LIRlu9GO4seHVm3Vj/EXbZwLxP9AlKBp0Il8/Rwl90iOUr80c1Nq4H+JCO9TZh1iM+9xeQouv4Wxl7iqjO6L5Tym+NlC8aHgn/83fqtDM/4rheJuYNFPxCnEirbk3CM8/cUOZTIUn7KoFBYNNLmz9UrUjQB0PwE=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=oMBtQLEh; arc=none smtp.client-ip=209.85.214.175
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="oMBtQLEh"
Received: by mail-pl1-f175.google.com with SMTP id
 d9443c01a7336-2166db59927so13167025ad.0
        for <linux-hardening@vger.kernel.org>;
 Tue, 11 Feb 2025 19:22:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330522; x=1739935322;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=ZDmXk529F7J07bTvTA0+iYc1CKNvDiUkVRu5HOXs43g=;
        b=oMBtQLEhicnC/QBq+zDSHW76MzQFFq0HsIZFVCPUMsGqjbq6p2X6iIpbKBy27li2lA
         I97CnA5u5B93kl85ZqwGNjcA8aBHHgKk3XC5kLLPgDZiFzFf0WN0Y7cFyxsHqIGkMpdS
         2OsnraFHHbuZkA0x7tFnh3mu+zolDMtXz0YsM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330522; x=1739935322;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=ZDmXk529F7J07bTvTA0+iYc1CKNvDiUkVRu5HOXs43g=;
        b=YqS52uitmYPVkSCvnvJWE+EjcV/0O6LVeELlLpeu7xtvVEKvmQ8mmyFcFoeIsllQJl
         NVHglxYpPmdOhSwwPPVKPI5h3aIVCpp8P73isxXxx+/csKHTn2MuiSxnVAiMWjpBOsw0
         XEF4b6/5DqgKUtdFkWI205+nn7cEFFS/trfRQpr75h67H22RivzgDv5fJe4g1GNn60TS
         dEAHThSDgXUjbTEMQLF490m7AokcgI7E2pgfem9uP2IG1Dt0GOiQb16fdeQe3TPRn+6t
         ANJv/xWV7O77m70FrSCIIw4bRr7WKOC0/u4uwWemlrBuJGdnjiydwZaRuGUMTwK/2nAZ
         hEPA==
X-Forwarded-Encrypted: i=1;
 AJvYcCVUdsjTCJAyjBCLH+QVe2uraJ6EBojlboqDtgRpJbMeMca/cNdWOpZDo4OHTN/Nxfx/vFbhw151RIA2Qqk3aXw=@vger.kernel.org
X-Gm-Message-State: AOJu0YwEVHTfCombsUOxfFF6gBKnRe8rA8E73cq/mUBAhY7DD6bciFQ4
	kztmra50JexhTvHUZDwADZLBfODHc1HssqfBaK38+MMmnsuk7q4jSGImyH93Ow==
X-Gm-Gg: ASbGncsV0Otdc5P7T/UzD2pyUVWmchto49C4LC6OuOjzDJuuH027FJIMHhpqrobZO95
	JXyf7J8CjgqnSyrouKciwE4wyniALQjRex7xd1hUK3c6QCsi5n3LO1l8B8qzfuoQgBQhTd1eesm
	yjNO4qDlsZ9Ckw2ytmsTWi64OMy9hszt3dqguQcfS75iBFGM30wmtFUTdglswM68LhDyER48h3B
	jQUh1p8paWdFPm7FeX0KT4ElloghN4SHvT55ANmWHXPexJp7EPNW2MsS1yqt76jFN600lhVROrH
	J1kc5tDNYpFEQHEVTEOrnvUHETKkRBVO5HmasCYSGEYsGEaXlw==
X-Google-Smtp-Source: 
 AGHT+IGLyjV6DGNlQC70XXyU6c8VYNX9NRu9NY3TAy8HoniHcIPDAY3iv7rogZ2WB1DXQE04jazm3Q==
X-Received: by 2002:a17:902:f791:b0:20c:da9a:d5b9 with SMTP id
 d9443c01a7336-220bbad0cf2mr11063425ad.5.1739330522551;
        Tue, 11 Feb 2025 19:22:02 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 d9443c01a7336-21f36897faesm102883195ad.213.2025.02.11.19.22.02
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:22:02 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>
Subject: [RFC PATCH v5 6/7] mseal, system mappings: uprobe mapping
Date: Wed, 12 Feb 2025 03:21:54 +0000
Message-ID: <20250212032155.1276806-7-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
List-Id: <linux-hardening.vger.kernel.org>
List-Subscribe: <mailto:linux-hardening+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-hardening+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

From: Jeff Xu <jeffxu@chromium.org>

Provide support to mseal the uprobe mapping.

Unlike other system mappings, the uprobe mapping is not
established during program startup. However, its lifetime is the same
as the process's lifetime. It could be sealed from creation.

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 kernel/events/uprobes.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 2ca797cbe465..55e0fa21eee6 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -22,6 +22,7 @@
 #include <linux/ptrace.h>	/* user_enable_single_step */
 #include <linux/kdebug.h>	/* notifier mechanism */
 #include <linux/percpu-rwsem.h>
+#include <linux/userprocess.h>
 #include <linux/task_work.h>
 #include <linux/shmem_fs.h>
 #include <linux/khugepaged.h>
@@ -1662,6 +1663,7 @@ static const struct vm_special_mapping xol_mapping = {
 static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
 {
 	struct vm_area_struct *vma;
+	unsigned long vm_flags;
 	int ret;
 
 	if (mmap_write_lock_killable(mm))
@@ -1682,8 +1684,10 @@ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
 		}
 	}
 
+	vm_flags = VM_EXEC|VM_MAYEXEC|VM_DONTCOPY|VM_IO;
+	vm_flags |= mseal_system_mappings();
 	vma = _install_special_mapping(mm, area->vaddr, PAGE_SIZE,
-				VM_EXEC|VM_MAYEXEC|VM_DONTCOPY|VM_IO,
+				vm_flags,
 				&xol_mapping);
 	if (IS_ERR(vma)) {
 		ret = PTR_ERR(vma);

From patchwork Wed Feb 12 03:21:55 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Xu <jeffxu@chromium.org>
X-Patchwork-Id: 13971201
Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com
 [209.85.214.180])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 471251EDA22
	for <linux-hardening@vger.kernel.org>; Wed, 12 Feb 2025 03:22:04 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.180
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330525; cv=none;
 b=FJJcYuwVNRTEDbO+HluwbKzSVAKi+heIjiCXR/0aXpR/VuP9nuRmZ2rXyThPVIame+9jd+qdwtlvoeATgzHUkyEaI5gHhfLNvFdFQWr9yB9CkazuN406unNWBi1nXf+WVbBZ/gBhck472UlZsMAhn/aOSIjWjEmLZgMsw2b72x4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330525; c=relaxed/simple;
	bh=PT30LLdMtYpa2VkGGccvOtXA9HUhUF4omPyr+dgwXow=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=A/z7rYw7yGhJzEz2NqZRCUz0zs8k9ttKicNs/wYfhL6Y8o460zoYLRQrDnbJVbTembkhXb7b9zpZsxTEFwvtoPBx3I790CfmSdeu9rLgXeHEO2nhSdKthKdJJdvu+pG5LmPJtXzpMPW3YcGFvT+RhZ5Vybkzi964te9NESrJCZ4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=fKW9fDp2; arc=none smtp.client-ip=209.85.214.180
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="fKW9fDp2"
Received: by mail-pl1-f180.google.com with SMTP id
 d9443c01a7336-21f5015bce7so7983835ad.2
        for <linux-hardening@vger.kernel.org>;
 Tue, 11 Feb 2025 19:22:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330523; x=1739935323;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=wlSoQdNptgY7247+UT5J4unGLwbIYWVI4vHulpaAU8w=;
        b=fKW9fDp2tFP/xaBH4j02xTqPENg0CY4C1V9yvjlbf2JfdBiPP4Egi1G/IKpypaxKLn
         jaJiyhvJ/NiT7MUyqWdXIKuODWWjfvj4ZHx4nIrcspQDdNAqCjCfCbnQxyO+qFoHJ+3r
         Gc7JYbGnUCUbrW8xYgwHZJ66xs7dgjcMkNcTs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330523; x=1739935323;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=wlSoQdNptgY7247+UT5J4unGLwbIYWVI4vHulpaAU8w=;
        b=VOTGWJeFy5014Rv/My3fI+3QSOjSu/Cd++L1Ni4ppMcX4h4PaJR5QJbbU15EeYj4XQ
         tvrE9wqLHoHRr4dWjtGHW16M+7DNBb/P0YcMdb5os7mFfk7LC5tAnaOQf7bENODqraH6
         kdXgCgn56W9s1JuiWCqaf6giXdvaXPAHtvMccHtxznQvWCSq940ADflX8qDNb4wiLIOO
         AZBVm+Eyw17dgf2LPRSFHGJ32mL0RelLtfGikDJd/ycPAGgovHZaeW7ekNwUy+HIWjwJ
         Y00FbvU7n0QqwWoQo1m8qQhuV6q+pG5FYZQTO3zaksQPZXvvqzbQvbtI9+N41HEY7mMD
         1pLA==
X-Forwarded-Encrypted: i=1;
 AJvYcCXo7DQsN4M/u6XPjlj8LTj08lfeWlE0RUNpSiNQT4FO1Cgv89y/RkemMQdyOyg15fHYFMH+KQUsS9+5N8GMElU=@vger.kernel.org
X-Gm-Message-State: AOJu0YxgOBf+jwkyil8IEWVaKxNlIIWWC8bE4OdeFfp8TDJ+v6Fl0MU9
	7Fdae8ANHSLcjSZ8YUrahm+4ivThCJfZq6dmyVHgFAlrdnoGglZ6uugXZnOAfQ==
X-Gm-Gg: ASbGncszIj2eLnMLZD34stk9X1pCg0ZSiqbu+6wiSF3NcphFy0fBdHIPFErqhjHHJ+C
	OuaMidZGGoA2XAbHlsIAMcfk34QiDP+6NLBcEv+RZ7W2lkP42hoD6s5cGI5pvzlbYsVwe+dHEIp
	wvG/AWQLfjWnJ882wncdd/O3jLqtLqcV58X0vcTZXS1g638FLX1sa20HHWlXNg9BL2bCxvLy8jc
	w1Dvg6CIe8B6X/9GiYF9EN0XFlZ8WEJHfqkzcSMSoHD9PoFzRaNpj54L/zDFHHba3w0LkyC+9zX
	hdeWg6F4jNXfF+DlEgWxdt4fjiWV03eJUn9lbyfn5eTqHO7fwQ==
X-Google-Smtp-Source: 
 AGHT+IHih9DPBHtIxeZtSPdWvKIHKG8FUBtw2uxCsB6lpgOAKvHZ+pA5HJl7oCK9T6pOYiqVU0U5tA==
X-Received: by 2002:a17:903:2bcb:b0:21f:356:758f with SMTP id
 d9443c01a7336-220bbaae950mr11340995ad.3.1739330523575;
        Tue, 11 Feb 2025 19:22:03 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 d9443c01a7336-21faa49249dsm32295415ad.158.2025.02.11.19.22.02
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:22:03 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>
Subject: [RFC PATCH v5 7/7] mseal, system mappings: update mseal.rst
Date: Wed, 12 Feb 2025 03:21:55 +0000
Message-ID: <20250212032155.1276806-8-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
List-Id: <linux-hardening.vger.kernel.org>
List-Subscribe: <mailto:linux-hardening+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-hardening+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

From: Jeff Xu <jeffxu@chromium.org>

Update memory sealing documentation to include details about system
mappings.

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 Documentation/userspace-api/mseal.rst | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Documentation/userspace-api/mseal.rst b/Documentation/userspace-api/mseal.rst
index 41102f74c5e2..1e4c996dfb75 100644
--- a/Documentation/userspace-api/mseal.rst
+++ b/Documentation/userspace-api/mseal.rst
@@ -130,6 +130,11 @@ Use cases
 
 - Chrome browser: protect some security sensitive data structures.
 
+- System mappings:
+  If supported by an architecture (via CONFIG_ARCH_HAS_MSEAL_SYSTEM_MAPPINGS),
+  the CONFIG_MSEAL_SYSTEM_MAPPINGS seals system mappings, e.g. vdso, vvar,
+  uprobes, sigpage, vectors, etc.
+
 When not to use mseal
 =====================
 Applications can apply sealing to any virtual memory region from userspace,