From patchwork Mon Feb 24 22:52:40 2025
X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 13989022
From: jeffxu@chromium.org
To: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, torvalds@linux-foundation.org, vbabka@suse.cz, lorenzo.stoakes@oracle.com, Liam.Howlett@Oracle.com, adhemerval.zanella@linaro.org, oleg@redhat.com, avagin@gmail.com, benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com, hch@lst.de, ojeda@kernel.org, thomas.weissschuh@linutronix.de, adobriyan@gmail.com, johannes@sipsolutions.net, pedro.falcato@gmail.com, hca@linux.ibm.com, willy@infradead.org, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, peterx@redhat.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, mpe@ellerman.id.au, aleksandr.mikhalitsyn@canonical.com, mike.rapoport@gmail.com, Jeff Xu
Subject: [PATCH v7 1/7] mseal, system mappings: kernel config and header change
Date: Mon, 24 Feb 2025 22:52:40 +0000
Message-ID: <20250224225246.3712295-2-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog
In-Reply-To: <20250224225246.3712295-1-jeffxu@google.com>
References: <20250224225246.3712295-1-jeffxu@google.com>
From: Jeff Xu

Provide infrastructure to mseal system mappings. Establish two kernel configs (CONFIG_MSEAL_SYSTEM_MAPPINGS, ARCH_HAS_MSEAL_SYSTEM_MAPPINGS) and VM_SEALED_SYSMAP macro for future patches.

Signed-off-by: Jeff Xu
---
 include/linux/mm.h | 10 ++++++++++
 init/Kconfig | 18 ++++++++++++++++++
 security/Kconfig | 18 ++++++++++++++++++
 3 files changed, 46 insertions(+)

diff --git a/include/linux/mm.h b/include/linux/mm.h index 7b1068ddcbb7..8b800941678d 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -4155,4 +4155,14 @@ int arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *st int arch_set_shadow_stack_status(struct task_struct *t, unsigned long status); int arch_lock_shadow_stack_status(struct task_struct *t, unsigned long status); + +/* + * mseal of userspace process's system mappings. + */ +#ifdef CONFIG_MSEAL_SYSTEM_MAPPINGS +#define VM_SEALED_SYSMAP VM_SEALED +#else +#define VM_SEALED_SYSMAP VM_NONE +#endif + #endif /* _LINUX_MM_H */ diff --git a/init/Kconfig b/init/Kconfig index d0d021b3fa3b..07435e33f965 100644 --- a/init/Kconfig +++ b/init/Kconfig
@@ -1882,6 +1882,24 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS config ARCH_HAS_MEMBARRIER_SYNC_CORE bool +config ARCH_HAS_MSEAL_SYSTEM_MAPPINGS + bool + help + Control MSEAL_SYSTEM_MAPPINGS access based on architecture. + + A 64-bit kernel is required for the memory sealing feature. + No specific hardware features from the CPU are needed. + + To enable this feature, the architecture needs to update their + special mappings calls to include the sealing flag and confirm + that it doesn't unmap/remap system mappings during the life + time of the process. After the architecture enables this, a + distribution can set CONFIG_MSEAL_SYSTEM_MAPPING to manage access + to the feature. + + For complete descriptions of memory sealing, please see + Documentation/userspace-api/mseal.rst + config HAVE_PERF_EVENTS bool help diff --git a/security/Kconfig b/security/Kconfig index f10dbf15c294..15a86a952910 100644 --- a/security/Kconfig +++ b/security/Kconfig 
@@ -51,6 +51,24 @@ config PROC_MEM_NO_FORCE endchoice +config MSEAL_SYSTEM_MAPPINGS + bool "mseal system mappings" + depends on 64BIT + depends on ARCH_HAS_MSEAL_SYSTEM_MAPPINGS + depends on !CHECKPOINT_RESTORE + help + Seal system mappings such as vdso, vvar, sigpage, uprobes, etc. + + A 64-bit kernel is required for the memory sealing feature. + No specific hardware features from the CPU are needed. + + Note: CHECKPOINT_RESTORE, UML, gVisor, rr are known to relocate or + unmap system mapping, therefore this config can't be enabled + universally. + + For complete descriptions of memory sealing, please see + Documentation/userspace-api/mseal.rst + config SECURITY bool "Enable different security models" depends on SYSFS
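Review bot: In the include/linux/mm.h hunk, the comment above VM_SEALED_SYSMAP does not say that the macro expands to VM_NONE when CONFIG_MSEAL_SYSTEM_MAPPINGS is off, which is what lets callers OR it into their flags unconditionally. State that in the comment, so the architecture patches that follow do not wrap each use in their own #ifdef.
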
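Review bot: In the init/Kconfig hunk, the ARCH_HAS_MSEAL_SYSTEM_MAPPINGS help text names CONFIG_MSEAL_SYSTEM_MAPPING, without the trailing S, while the symbol added in security/Kconfig is MSEAL_SYSTEM_MAPPINGS. Anyone grepping for the option from this help text will miss it; spell it CONFIG_MSEAL_SYSTEM_MAPPINGS. The two sentences about the 64-bit requirement are repeated verbatim in both help texts and could be kept in one place.
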
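Review bot: In the security/Kconfig hunk, only CHECKPOINT_RESTORE is enforced with a "depends on" line, yet the help text also lists UML, gVisor and rr as relocating or unmapping system mappings. gVisor and rr are userspace tools and cannot be expressed as Kconfig dependencies, so the help text should say plainly that a kernel built with this option will break them, and that the decision is made at build time with no per-process opt-out visible in this patch. In the same Note, "system mapping" should read "system mappings".
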
From patchwork Mon Feb 24 22:52:41 2025
X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 13989023
From: jeffxu@chromium.org
To: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, torvalds@linux-foundation.org, vbabka@suse.cz, lorenzo.stoakes@oracle.com, Liam.Howlett@Oracle.com, adhemerval.zanella@linaro.org, oleg@redhat.com, avagin@gmail.com, benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com, hch@lst.de, ojeda@kernel.org, thomas.weissschuh@linutronix.de, adobriyan@gmail.com, johannes@sipsolutions.net, pedro.falcato@gmail.com, hca@linux.ibm.com, willy@infradead.org, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, peterx@redhat.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, mpe@ellerman.id.au, aleksandr.mikhalitsyn@canonical.com, mike.rapoport@gmail.com, Jeff Xu, Kees Cook
Subject: [PATCH v7 2/7] selftests: x86: test_mremap_vdso: skip if vdso is msealed
Date: Mon, 24 Feb 2025 22:52:41 +0000
Message-ID: <20250224225246.3712295-3-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog
In-Reply-To: <20250224225246.3712295-1-jeffxu@google.com>
References: <20250224225246.3712295-1-jeffxu@google.com>
From: Jeff Xu

Add code to detect if the vdso is memory sealed, skip the test if it is.

Signed-off-by: Jeff Xu
Reviewed-by: Kees Cook
---
 .../testing/selftests/x86/test_mremap_vdso.c | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/tools/testing/selftests/x86/test_mremap_vdso.c b/tools/testing/selftests/x86/test_mremap_vdso.c index d53959e03593..94bee6e0c813 100644 --- a/tools/testing/selftests/x86/test_mremap_vdso.c +++ b/tools/testing/selftests/x86/test_mremap_vdso.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include 
@@ -55,13 +56,55 @@ static int try_to_remap(void *vdso_addr, unsigned long size) } +#define VDSO_NAME "[vdso]" +#define VMFLAGS "VmFlags:" +#define MSEAL_FLAGS "sl" +#define MAX_LINE_LEN 512 + +bool vdso_sealed(FILE *maps) +{ + char line[MAX_LINE_LEN]; + bool has_vdso = false; + + while (fgets(line, sizeof(line), maps)) { + if (strstr(line, VDSO_NAME)) + has_vdso = true; + + if (has_vdso && !strncmp(line, VMFLAGS, strlen(VMFLAGS))) { + if (strstr(line, MSEAL_FLAGS)) + return true; + + return false; + } + } + + return false; +} + int main(int argc, char **argv, char **envp) { pid_t child; + FILE *maps; ksft_print_header(); ksft_set_plan(1); + maps = fopen("/proc/self/smaps", "r"); + if (!maps) { + ksft_test_result_skip( + "Could not open /proc/self/smaps, errno=%d\n", + errno); + + return 0; + } + + if (vdso_sealed(maps)) { + ksft_test_result_skip("vdso is sealed\n"); + return 0; + } + + fclose(maps); + child = fork(); if (child == -1) ksft_exit_fail_msg("failed to fork (%d): %m\n", errno);
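Review bot: In main(), the branch taken when vdso_sealed(maps) returns true exits with "return 0" without calling fclose(maps), while the unsealed path closes the stream; store the result in a local, call fclose(maps), then test the local. vdso_sealed() is used only in this file and should be static. Its strstr(line, MSEAL_FLAGS) check matches "sl" anywhere on the VmFlags line rather than as one whitespace-separated two-letter token, so comparing token by token would be more robust against future flag names.
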
From patchwork Mon Feb 24 22:52:42 2025
X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 13989024
From: jeffxu@chromium.org
To: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, torvalds@linux-foundation.org, vbabka@suse.cz, lorenzo.stoakes@oracle.com, Liam.Howlett@Oracle.com, adhemerval.zanella@linaro.org, oleg@redhat.com, avagin@gmail.com, benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com, hch@lst.de, ojeda@kernel.org, thomas.weissschuh@linutronix.de, adobriyan@gmail.com, johannes@sipsolutions.net, pedro.falcato@gmail.com, hca@linux.ibm.com, willy@infradead.org, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, peterx@redhat.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, mpe@ellerman.id.au, aleksandr.mikhalitsyn@canonical.com, mike.rapoport@gmail.com, Jeff Xu
Subject: [PATCH v7 3/7] mseal, system mappings: enable x86-64
Date: Mon, 24 Feb 2025 22:52:42 +0000
Message-ID: <20250224225246.3712295-4-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog
In-Reply-To: <20250224225246.3712295-1-jeffxu@google.com>
References: <20250224225246.3712295-1-jeffxu@google.com>
From: Jeff Xu

Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on x86-64, covering the vdso, vvar, vvar_vclock.

Production release testing passes on Android and Chrome OS.

Signed-off-by: Jeff Xu
---
 arch/x86/Kconfig | 1 +
 arch/x86/entry/vdso/vma.c | 16 ++++++++++------
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 87198d957e2f..8fa17032ca46 100644 --- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig @@ -26,6 +26,7 @@ config X86_64 depends on 64BIT # Options that are inherently 64-bit kernel only: select ARCH_HAS_GIGANTIC_PAGE + select ARCH_HAS_MSEAL_SYSTEM_MAPPINGS select ARCH_SUPPORTS_INT128 if CC_HAS_INT128 select ARCH_SUPPORTS_PER_VMA_LOCK select ARCH_SUPPORTS_HUGE_PFNMAP if TRANSPARENT_HUGEPAGE diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c index 39e6efc1a9ca..1b1c009f20a8 100644 --- a/arch/x86/entry/vdso/vma.c +++ b/arch/x86/entry/vdso/vma.c @@ -247,6 +247,7 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr) struct mm_struct *mm = current->mm; struct vm_area_struct *vma; unsigned long text_start; + unsigned long vm_flags; int ret = 0; if (mmap_write_lock_killable(mm)) @@ -264,11 +265,12 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr) /* * MAYWRITE to allow gdb to COW and set breakpoints */ + vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC; + vm_flags |= VM_SEALED_SYSMAP; vma = _install_special_mapping(mm, text_start, image->size, - VM_READ|VM_EXEC| - VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC, + vm_flags, &vdso_mapping); if (IS_ERR(vma)) { @@ -276,11 +278,12 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr) goto up_fail; } + vm_flags = VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|VM_PFNMAP; + vm_flags |= VM_SEALED_SYSMAP; vma = _install_special_mapping(mm, addr, (__VVAR_PAGES - VDSO_NR_VCLOCK_PAGES) * PAGE_SIZE, - VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP| - VM_PFNMAP, + vm_flags, &vvar_mapping); if (IS_ERR(vma)) { 
@@ -289,11 +292,12 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr) goto up_fail; } + vm_flags = VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|VM_PFNMAP; + vm_flags |= VM_SEALED_SYSMAP; vma = _install_special_mapping(mm, addr + (__VVAR_PAGES - VDSO_NR_VCLOCK_PAGES) * PAGE_SIZE, VDSO_NR_VCLOCK_PAGES * PAGE_SIZE, - VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP| - VM_PFNMAP, + vm_flags, &vvar_vclock_mapping); if (IS_ERR(vma)) {
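Review bot: In the map_vdso() hunk for the vdso text mapping, the existing comment "MAYWRITE to allow gdb to COW and set breakpoints" now sits directly above an assignment that also ORs in VM_SEALED_SYSMAP, and nothing says whether that debugger path still works on a sealed vdso. Add a sentence to the comment or to the commit message covering that interaction, since the commit message only reports production testing on Android and Chrome OS.
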
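Review bot: The vvar and vvar_vclock hunks each rebuild the same value, "vm_flags = VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|VM_PFNMAP;" followed by "vm_flags |= VM_SEALED_SYSMAP;". As far as the visible lines show, vm_flags is not changed between the two _install_special_mapping() calls, so the second pair of assignments is redundant and can be dropped; alternatively fold VM_SEALED_SYSMAP into each single expression so every mapping's flags read as one statement.
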
From: jeffxu@chromium.org
To: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, torvalds@linux-foundation.org, vbabka@suse.cz, lorenzo.stoakes@oracle.com, Liam.Howlett@Oracle.com, adhemerval.zanella@linaro.org, oleg@redhat.com, avagin@gmail.com, benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com, hch@lst.de, ojeda@kernel.org, thomas.weissschuh@linutronix.de, adobriyan@gmail.com, johannes@sipsolutions.net, pedro.falcato@gmail.com, hca@linux.ibm.com, willy@infradead.org, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, peterx@redhat.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, mpe@ellerman.id.au, aleksandr.mikhalitsyn@canonical.com, mike.rapoport@gmail.com, Jeff Xu
Subject: [PATCH v7 4/7] mseal, system mappings: enable arm64
Date: Mon, 24 Feb 2025 22:52:43 +0000
Message-ID: <20250224225246.3712295-5-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog
In-Reply-To: <20250224225246.3712295-1-jeffxu@google.com>
References: <20250224225246.3712295-1-jeffxu@google.com>
From: Jeff Xu

Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on arm64, covering the vdso, vvar, and compat-mode vectors and sigpage mappings.

Production release testing passes on Android and Chrome OS.

Signed-off-by: Jeff Xu
--- arch/arm64/Kconfig | 1 + arch/arm64/kernel/vdso.c | 22 +++++++++++++++------- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index fcdd0ed3eca8..39202aa9a5af 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -38,6 +38,7 @@ config ARM64 select ARCH_HAS_KEEPINITRD select ARCH_HAS_MEMBARRIER_SYNC_CORE select ARCH_HAS_MEM_ENCRYPT + select ARCH_HAS_MSEAL_SYSTEM_MAPPINGS select ARCH_HAS_NMI_SAFE_THIS_CPU_OPS select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE select ARCH_HAS_NONLEAF_PMD_YOUNG if ARM64_HAFT diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c index e8ed8e5b713b..12e6ab396018 100644 --- a/arch/arm64/kernel/vdso.c +++ b/arch/arm64/kernel/vdso.c @@ -183,6 +183,7 @@ static int __setup_additional_pages(enum vdso_abi abi, { unsigned long vdso_base, vdso_text_len, vdso_mapping_len; unsigned long gp_flags = 0; + unsigned long vm_flags; void *ret; BUILD_BUG_ON(VVAR_NR_PAGES != __VVAR_PAGES); 
@@ -197,8 +198,10 @@ static int __setup_additional_pages(enum vdso_abi abi, goto up_fail; } + vm_flags = VM_READ|VM_MAYREAD|VM_PFNMAP; + vm_flags |= VM_SEALED_SYSMAP; ret = _install_special_mapping(mm, vdso_base, VVAR_NR_PAGES * PAGE_SIZE, - VM_READ|VM_MAYREAD|VM_PFNMAP, + vm_flags, &vvar_map); if (IS_ERR(ret)) goto up_fail; @@ -208,9 +211,10 @@ static int __setup_additional_pages(enum vdso_abi abi, vdso_base += VVAR_NR_PAGES * PAGE_SIZE; mm->context.vdso = (void *)vdso_base; + vm_flags = VM_READ|VM_EXEC|gp_flags|VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC; + vm_flags |= VM_SEALED_SYSMAP; ret = _install_special_mapping(mm, vdso_base, vdso_text_len, - VM_READ|VM_EXEC|gp_flags| - VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC, + vm_flags, vdso_info[abi].cm); if (IS_ERR(ret)) goto up_fail; @@ -326,6 +330,7 @@ arch_initcall(aarch32_alloc_vdso_pages); static int aarch32_kuser_helpers_setup(struct mm_struct *mm) { void *ret; + unsigned long vm_flags; if (!IS_ENABLED(CONFIG_KUSER_HELPERS)) return 0; @@ -334,9 +339,10 @@ static int aarch32_kuser_helpers_setup(struct mm_struct *mm) * Avoid VM_MAYWRITE for compatibility with arch/arm/, where it's * not safe to CoW the page containing the CPU exception vectors. */ + vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYEXEC; + vm_flags |= VM_SEALED_SYSMAP; ret = _install_special_mapping(mm, AARCH32_VECTORS_BASE, PAGE_SIZE, - VM_READ | VM_EXEC | - VM_MAYREAD | VM_MAYEXEC, + vm_flags, &aarch32_vdso_maps[AA32_MAP_VECTORS]); return PTR_ERR_OR_ZERO(ret); @@ -345,6 +351,7 @@ static int aarch32_kuser_helpers_setup(struct mm_struct *mm) static int aarch32_sigreturn_setup(struct mm_struct *mm) { unsigned long addr; + unsigned long vm_flags; void *ret; addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0); 
@@ -357,9 +364,10 @@ static int aarch32_sigreturn_setup(struct mm_struct *mm) * VM_MAYWRITE is required to allow gdb to Copy-on-Write and * set breakpoints. */ + vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC; + vm_flags |= VM_SEALED_SYSMAP; ret = _install_special_mapping(mm, addr, PAGE_SIZE, - VM_READ | VM_EXEC | VM_MAYREAD | - VM_MAYWRITE | VM_MAYEXEC, + vm_flags, &aarch32_vdso_maps[AA32_MAP_SIGPAGE]); if (IS_ERR(ret)) goto out;
From patchwork Mon Feb 24 22:52:44 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeff Xu X-Patchwork-Id: 13989026
From: jeffxu@chromium.org
To: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, torvalds@linux-foundation.org, vbabka@suse.cz, lorenzo.stoakes@oracle.com, Liam.Howlett@Oracle.com, adhemerval.zanella@linaro.org, oleg@redhat.com, avagin@gmail.com, benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com, hch@lst.de, ojeda@kernel.org, thomas.weissschuh@linutronix.de, adobriyan@gmail.com, johannes@sipsolutions.net, pedro.falcato@gmail.com, hca@linux.ibm.com, willy@infradead.org, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, peterx@redhat.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, mpe@ellerman.id.au, aleksandr.mikhalitsyn@canonical.com, mike.rapoport@gmail.com, Jeff Xu, Benjamin Berg
Subject: [PATCH v7 5/7] mseal, system mappings: enable uml architecture
Date: Mon, 24 Feb 2025 22:52:44 +0000
Message-ID: <20250224225246.3712295-6-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog
In-Reply-To: <20250224225246.3712295-1-jeffxu@google.com>
References: <20250224225246.3712295-1-jeffxu@google.com>
From: Jeff Xu

Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on UML, covering the vdso.

Testing passes on UML.

Signed-off-by: Jeff Xu
Tested-by: Benjamin Berg
--- arch/um/Kconfig | 1 + arch/x86/um/vdso/vma.c | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/um/Kconfig b/arch/um/Kconfig index 18051b1cfce0..eb2d439a5334 100644 --- a/arch/um/Kconfig +++ b/arch/um/Kconfig @@ -10,6 +10,7 @@ config UML select ARCH_HAS_FORTIFY_SOURCE select ARCH_HAS_GCOV_PROFILE_ALL select ARCH_HAS_KCOV + select ARCH_HAS_MSEAL_SYSTEM_MAPPINGS select ARCH_HAS_STRNCPY_FROM_USER select ARCH_HAS_STRNLEN_USER select HAVE_ARCH_AUDITSYSCALL diff --git a/arch/x86/um/vdso/vma.c b/arch/x86/um/vdso/vma.c index f238f7b33cdd..fdfba858ffc9 100644 --- a/arch/x86/um/vdso/vma.c +++ b/arch/x86/um/vdso/vma.c @@ -54,6 +54,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; + unsigned long vm_flags; static struct vm_special_mapping vdso_mapping = { .name = "[vdso]", }; 
@@ -65,9 +66,10 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) return -EINTR; vdso_mapping.pages = vdsop; + vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC; + vm_flags |= VM_SEALED_SYSMAP; vma = _install_special_mapping(mm, um_vdso_addr, PAGE_SIZE, - VM_READ|VM_EXEC| - VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC, + vm_flags, &vdso_mapping); mmap_write_unlock(mm);
From patchwork Mon Feb 24 22:52:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeff Xu X-Patchwork-Id: 13989027
From: jeffxu@chromium.org
To: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, torvalds@linux-foundation.org, vbabka@suse.cz, lorenzo.stoakes@oracle.com, Liam.Howlett@Oracle.com, adhemerval.zanella@linaro.org, oleg@redhat.com, avagin@gmail.com, benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com, hch@lst.de, ojeda@kernel.org, thomas.weissschuh@linutronix.de, adobriyan@gmail.com, johannes@sipsolutions.net, pedro.falcato@gmail.com, hca@linux.ibm.com, willy@infradead.org, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, peterx@redhat.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, mpe@ellerman.id.au, aleksandr.mikhalitsyn@canonical.com, mike.rapoport@gmail.com, Jeff Xu
Subject: [PATCH v7 6/7] mseal, system mappings: uprobe mapping
Date: Mon, 24 Feb 2025 22:52:45 +0000
Message-ID: <20250224225246.3712295-7-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog
In-Reply-To: <20250224225246.3712295-1-jeffxu@google.com>
References: <20250224225246.3712295-1-jeffxu@google.com>
From: Jeff Xu

Provide support to mseal the uprobe mapping.

Unlike other system mappings, the uprobe mapping is not established during program startup. However, its lifetime is the same as the process's lifetime. It could be sealed from creation.

Signed-off-by: Jeff Xu
--- kernel/events/uprobes.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c index 2ca797cbe465..8dcdfa0d306b 100644 --- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -1662,6 +1662,7 @@ static const struct vm_special_mapping xol_mapping = { static int xol_add_vma(struct mm_struct *mm, struct xol_area *area) { struct vm_area_struct *vma; + unsigned long vm_flags; int ret; if (mmap_write_lock_killable(mm)) 
@@ -1682,8 +1683,10 @@ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area) } } + vm_flags = VM_EXEC|VM_MAYEXEC|VM_DONTCOPY|VM_IO; + vm_flags |= VM_SEALED_SYSMAP; vma = _install_special_mapping(mm, area->vaddr, PAGE_SIZE, - VM_EXEC|VM_MAYEXEC|VM_DONTCOPY|VM_IO, + vm_flags, &xol_mapping); if (IS_ERR(vma)) { ret = PTR_ERR(vma);
From patchwork Mon Feb 24 22:52:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeff Xu X-Patchwork-Id: 13989028
as permitted sender) smtp.mailfrom=jeffxu@chromium.org; dmarc=pass (policy=none) header.from=chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1740437575; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=JC+iCaenVWT1qC+wv1WYjnvGE2KwlNSxR7B2FLEJRHA=; b=Ql7ST1A33BQlJbuM6ygDFkxO642sA7prBQ3Xv2j9AxQXVPdTHCpUKbcvT/BYdUAueUrvGT RSNrgy1w7uF9ZVppi0wHZy0xttvwTVtf6CMSiORwE47/kEVLER5w8RP69wI7QYbE1VuI7U Hm00qJGF9BRgCYMduAr/pE+r/N4YWQA= ARC-Authentication-Results: i=1; imf15.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=geZCTTWM; spf=pass (imf15.hostedemail.com: domain of jeffxu@chromium.org designates 209.85.214.173 as permitted sender) smtp.mailfrom=jeffxu@chromium.org; dmarc=pass (policy=none) header.from=chromium.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1740437575; a=rsa-sha256; cv=none; b=D4FKVDYHjkzxQhK3qEy1fX9RBrmE5xuihyKl803wllvE6Qj5u99i0ruKHCshe+VmC+rBij 56idOr0ACO3Dqtm29KPnlYeRODPohNHcJjPlqlsCcADAndAXK5D8+qdIFSby9Oi0PXaosx Dpfjrl5lG9qrAlglnhNBFWR5LnY+hAQ= Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-2217875d103so11454495ad.3 for ; Mon, 24 Feb 2025 14:52:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1740437574; x=1741042374; darn=kvack.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=JC+iCaenVWT1qC+wv1WYjnvGE2KwlNSxR7B2FLEJRHA=; b=geZCTTWMR9tGRDtNMNvvP+gQt/F92WXUmdxlB3w+DojbDXfJxrNRzJhyTC3/y2SQdg ijHsL/m9TnHcZGavPPw1ZNS9dtpbKs68DePPoC1gNL5vriK7ruVcbei5+3uKe7ADbtXj GeZDdNe6+ANHKqccT63BKVR4xMsylNz9onKK0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; 
t=1740437574; x=1741042374; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=JC+iCaenVWT1qC+wv1WYjnvGE2KwlNSxR7B2FLEJRHA=; b=VlW6B3nVHWbrBafP0vp1Bnmf0TWwX+9wy7YOZWykEeghMGNxkPyAVcApbOZP7Sx8k4 GEGnnLXmFScKHk1NWxKCYAnnXiPO4FF5d0KYCgM4uV2wCdzXT7GDryEP1b6fI0LQ4Vcn NwWhWziMxGSRpaxQz2RBVkt7t0Fi2gtEsiLWo60dVRwx/mblGbvIV5m22flO98iDh4nX e2KmClvCQvd7lQHCUmna6w+d4enxg6yIqwrWXi4LwB4V0VKGzHVHgbnG69E4P3PdQbgT 7YnpGRD8b/xht5qjOv93xe9/PYUlUkCQ7OPjLjLpTkxSl9Zt41x+M5zpPWUWxVK/h7c9 /Wlg== X-Forwarded-Encrypted: i=1; AJvYcCVQzsRvuWl0uPWJUkQkmcTqZCqWrQTOXHRCnGa/81gNeWiISgIlCzhAfUzehYza/d8n1tR1/z5riA==@kvack.org X-Gm-Message-State: AOJu0YxNLRnUk2mzgeK9ntPHqvFUvW8Z7YjBHazXRVVnWOhGAVCTyoMz L9/TJz9ZmByBk+p7JbeZxx9lFNpg5IBTw1ml1pEvSfxT4Cg9fQo/s95qTKRwMg== X-Gm-Gg: ASbGncty5U8gAqmbAAYzVmeCZJlAKZHu9jR9Jb1zxqm3INoPaVfOzmIZl8YQ7P219XK sj2nHLdEVNIg66+5aH3vpT8W+T7SFHj4PMdmgeOKRna6G52FhghJrsWH2jb+VBJZxJ6n4VYW0n6 pDi6BX0H9MS+GPNXBTCu3lUOa6AqrScwL2KEbqD+ZDvN7wGdoGq/KOaS/ifXFMs+TbRQTOHi1Xj lf+r9YZvkoQBuQfWLP3EThz41mGAnVvXhFuRncFfIRrdJN0lWPizBg+I05Lu6BTKE7+S8dEQ5ij V/ItC+EMiy47wSd9I0ZMW/9EIc2/RZC2Rn4fSrgJsP3d4ZIaZr9NevenYzgU X-Google-Smtp-Source: AGHT+IFWvMJ1DifgHpp00NgiU+l7P2X3hIfGn/N0QZgxCBlNaoLWIru7jUXTs0mtOdXL84lprXpfPg== X-Received: by 2002:a05:6a20:3d89:b0:1ee:d621:3c3f with SMTP id adf61e73a8af0-1eef3b1fcddmr10299435637.0.1740437574612; Mon, 24 Feb 2025 14:52:54 -0800 (PST) Received: from localhost (201.59.83.34.bc.googleusercontent.com. [34.83.59.201]) by smtp.gmail.com with UTF8SMTPSA id 41be03b00d2f7-aedaa6475dasm110603a12.54.2025.02.24.14.52.53 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 24 Feb 2025 14:52:54 -0800 (PST) 
From: jeffxu@chromium.org To: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, torvalds@linux-foundation.org, vbabka@suse.cz, lorenzo.stoakes@oracle.com, Liam.Howlett@Oracle.com, adhemerval.zanella@linaro.org, oleg@redhat.com, avagin@gmail.com, benjamin@sipsolutions.net Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com, hch@lst.de, ojeda@kernel.org, thomas.weissschuh@linutronix.de, adobriyan@gmail.com, johannes@sipsolutions.net, pedro.falcato@gmail.com, hca@linux.ibm.com, willy@infradead.org, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, peterx@redhat.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, mpe@ellerman.id.au, aleksandr.mikhalitsyn@canonical.com, mike.rapoport@gmail.com, Jeff Xu , Kees Cook Subject: [PATCH v7 7/7] mseal, system mappings: update mseal.rst Date: Mon, 24 Feb 2025 22:52:46 +0000 Message-ID: <20250224225246.3712295-8-jeffxu@google.com> X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog In-Reply-To: <20250224225246.3712295-1-jeffxu@google.com> References: <20250224225246.3712295-1-jeffxu@google.com>
From: Jeff Xu Update memory sealing documentation to include details about system mappings. Signed-off-by: Jeff Xu Reviewed-by: Kees Cook --- Documentation/userspace-api/mseal.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Documentation/userspace-api/mseal.rst b/Documentation/userspace-api/mseal.rst index 41102f74c5e2..10147281bf2d 100644 --- a/Documentation/userspace-api/mseal.rst +++ b/Documentation/userspace-api/mseal.rst @@ -130,6 +130,13 @@ Use cases - Chrome browser: protect some security sensitive data structures. +- System mappings: + If supported by an architecture (via CONFIG_ARCH_HAS_MSEAL_SYSTEM_MAPPINGS), + the CONFIG_MSEAL_SYSTEM_MAPPINGS seals system mappings, e.g. vdso, vvar, + uprobes, sigpage, vectors, etc. CHECKPOINT_RESTORE, UML, gVisor, rr are + known to relocate or unmap system mapping, therefore this config can't be + enabled universally. + When not to use mseal ===================== Applications can apply sealing to any virtual memory region from userspace,
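Review bot: The new "System mappings" bullet says CHECKPOINT_RESTORE, UML, gVisor and rr "relocate or unmap" these mappings, but it never states what a user of those features observes once CONFIG_MSEAL_SYSTEM_MAPPINGS is on, nor whether the conflict is enforced in Kconfig or left to whoever configures the kernel. A sentence on the failure mode and on how to tell that the option is in effect would make the entry usable for distro and sandbox maintainers. The list also mixes a kernel option (CHECKPOINT_RESTORE) with an architecture (UML) and userspace tools (gVisor, rr) without distinguishing them, and the trailing "etc." after "vectors" leaves the set of sealed mappings open-ended in a userspace-API document; an exhaustive list or a pointer to where the set is defined would be better. The entry sits under "Use cases" although it describes a build-time option rather than something an application does, so consider a short subsection of its own. Wording: "the CONFIG_MSEAL_SYSTEM_MAPPINGS seals" reads better as "enabling CONFIG_MSEAL_SYSTEM_MAPPINGS seals", and "unmap system mapping" should be plural.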