From patchwork Fri May 19 01:19:10 2023
X-Patchwork-Submitter: Jeff Xu
X-Patchwork-Id: 13247582
From: jeffxu@chromium.org
To: dave.hansen@intel.com, luto@kernel.org, jorgelo@chromium.org, keescook@chromium.org, groeck@chromium.org, jannh@google.com, sroettger@google.com
Cc: akpm@linux-foundation.org, jeffxu@google.com, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: [PATCH v1 2/6] PKEY: Add arch_check_pkey_enforce_api()
Date: Fri, 19 May 2023 01:19:10 +0000
Message-ID: <20230519011915.846407-3-jeffxu@chromium.org>
In-Reply-To: <20230519011915.846407-1-jeffxu@chromium.org>
References: <20230519011915.846407-1-jeffxu@chromium.org>
From: Jeff Xu

This patch adds an architecture-independent function, arch_check_pkey_enforce_api(), that checks whether the calling thread has write access to the PKRU for a given range of memory. If the memory range is protected by PKEY_ENFORCE_API, then the thread must have write access to the PKRU in order to make changes to the memory mapping (such as mprotect/munmap). This function is used by the kernel to enforce the PKEY_ENFORCE_API flag.

Signed-off-by: Jeff Xu
--- arch/powerpc/include/asm/pkeys.h | 8 +++++ arch/x86/include/asm/pkeys.h | 50 ++++++++++++++++++++++++++++++++ include/linux/pkeys.h | 9 ++++++ 3 files changed, 67 insertions(+) diff --git a/arch/powerpc/include/asm/pkeys.h b/arch/powerpc/include/asm/pkeys.h index 943333ac0fee..24c481e5e95b 100644 --- a/arch/powerpc/include/asm/pkeys.h +++ b/arch/powerpc/include/asm/pkeys.h @@ -177,5 +177,13 @@ static inline bool arch_check_pkey_alloc_flags(unsigned long flags) return true; } +static inline int arch_check_pkey_enforce_api(struct mm_struct *mm, + unsigned long start, + unsigned long end) +{ + /* Allow by default */ + return 0; +} + extern void pkey_mm_init(struct mm_struct *mm); #endif /*_ASM_POWERPC_KEYS_H */ diff --git a/arch/x86/include/asm/pkeys.h b/arch/x86/include/asm/pkeys.h index ecadf04a8251..8b94ffc4ca32 100644 --- a/arch/x86/include/asm/pkeys.h +++ b/arch/x86/include/asm/pkeys.h
@@ -161,4 +161,54 @@ static inline bool arch_check_pkey_alloc_flags(unsigned long flags) return true; } + +static inline int __arch_check_vma_pkey_for_write(struct vm_area_struct *vma) +{ + int pkey = vma_pkey(vma); + + if (mm_pkey_enforce_api(vma->vm_mm, pkey)) { + if (!__pkru_allows_write(read_pkru(), pkey)) + return -EACCES; + } + + return 0; +} + +/* + * arch_check_pkey_enforce_api is used by the kernel to enforce + * PKEY_ENFORCE_API flag. + * It checks whether the calling thread has write access to the PKRU + * for a given range of memory. If the memory range is protected by + * PKEY_ENFORCE_API, then the thread must have write access to the + * PKRU in order to make changes to the memory mapping, such as + * mprotect/munmap. + */ +static inline int arch_check_pkey_enforce_api(struct mm_struct *mm, + unsigned long start, + unsigned long end) +{ + int error; + struct vm_area_struct *vma; + + if (!arch_pkeys_enabled()) + return 0; + + while (true) { + vma = find_vma_intersection(mm, start, end); + if (!vma) + break; + + error = __arch_check_vma_pkey_for_write(vma); + if (error) + return error; + + if (vma->vm_end >= end) + break; + + start = vma->vm_end; + } + + return 0; +} + #endif /*_ASM_X86_PKEYS_H */ diff --git a/include/linux/pkeys.h b/include/linux/pkeys.h index 81a482c3e051..7b00689e1c24 100644 --- a/include/linux/pkeys.h +++ b/include/linux/pkeys.h @@ -53,6 +53,15 @@ static inline bool arch_check_pkey_alloc_flags(unsigned long flags) return false; return true; } + +static inline int arch_check_pkey_enforce_api(struct mm_struct *mm, + unsigned long start, + unsigned long end) +{ + // Allow by default. + return 0; +} + #endif /* ! CONFIG_ARCH_HAS_PKEYS */ #endif /* _LINUX_PKEYS_H */
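
Review bot: in the arch/powerpc/include/asm/pkeys.h hunk, the arch_check_pkey_enforce_api() stub returns 0 unconditionally on an architecture that does implement pkeys, so unless the flag is rejected at key allocation elsewhere in the series, a mapping tagged with a PKEY_ENFORCE_API key would pass this check with no enforcement at all. Either make powerpc's arch_check_pkey_alloc_flags() refuse the flag so such a key can never exist there, or extend the "Allow by default" comment to say why allowing is safe on this architecture.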
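
Review bot: in the arch/x86/include/asm/pkeys.h hunk, arch_check_pkey_enforce_api() takes an mm argument, but __arch_check_vma_pkey_for_write() tests read_pkru(), which is the calling thread's register, so the result is only meaningful when mm is current->mm. Consider dropping the parameter in favour of current->mm, or documenting and asserting that requirement. The walk with find_vma_intersection() also depends on the mmap lock being held, which the comment block does not state; an mmap_assert_locked(mm) at the top would make that explicit. The comment says the thread needs "write access to the PKRU", while the code checks that PKRU grants write access for the VMA's pkey; the wording should match what __pkru_allows_write() actually tests.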
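
Review bot: in the include/linux/pkeys.h hunk, the !CONFIG_ARCH_HAS_PKEYS stub uses a "// Allow by default." comment, where kernel style is /* ... */ and the powerpc stub in this same patch already uses that form. Please make the two stubs consistent.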