arm64: Introduce execute-only page access permissions

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The ARMv8 architecture allows execute-only user permissions by clearing
the PTE_UXN and PTE_USER bits. The kernel, however, can still access
such page, so execute-only page permission does not protect against
read(2)/write(2) etc. accesses. Systems requiring such protection must
implement/enable features like SECCOMP.

This patch changes the arm64 __P100 and __S100 protection_map[] macros
to the new __PAGE_EXECONLY attributes. A side effect is that
pte_valid_user() no longer triggers for __PAGE_EXECONLY since PTE_USER
isn't set. To work around this, the check is done on the PTE_NG bit via
the pte_valid_ng() macro. VM_READ is also checked now for page faults.

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

Catalin Marinas 12 years ago bc07c2c6 15af1942

+8 -8

2 changed files

expand all

arch

arm64

include

asm

pgtable.h

fault.c

+6 -5

arch/arm64/include/asm/pgtable.h

··· 90 90 #define __PAGE_COPY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN) 91 91 #define __PAGE_READONLY __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_UXN) 92 92 #define __PAGE_READONLY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN) 93 + #define __PAGE_EXECONLY __pgprot(_PAGE_DEFAULT | PTE_NG | PTE_PXN) 93 94 94 95 #endif /* __ASSEMBLY__ */ 95 96 ··· 98 97 #define __P001 __PAGE_READONLY 99 98 #define __P010 __PAGE_COPY 100 99 #define __P011 __PAGE_COPY 101 - #define __P100 __PAGE_READONLY_EXEC 100 + #define __P100 __PAGE_EXECONLY 102 101 #define __P101 __PAGE_READONLY_EXEC 103 102 #define __P110 __PAGE_COPY_EXEC 104 103 #define __P111 __PAGE_COPY_EXEC ··· 107 106 #define __S001 __PAGE_READONLY 108 107 #define __S010 __PAGE_SHARED 109 108 #define __S011 __PAGE_SHARED 110 - #define __S100 __PAGE_READONLY_EXEC 109 + #define __S100 __PAGE_EXECONLY 111 110 #define __S101 __PAGE_READONLY_EXEC 112 111 #define __S110 __PAGE_SHARED_EXEC 113 112 #define __S111 __PAGE_SHARED_EXEC ··· 144 143 #define pte_write(pte) (!!(pte_val(pte) & PTE_WRITE)) 145 144 #define pte_exec(pte) (!(pte_val(pte) & PTE_UXN)) 146 145 147 - #define pte_valid_user(pte) \ 148 - ((pte_val(pte) & (PTE_VALID | PTE_USER)) == (PTE_VALID | PTE_USER)) 146 + #define pte_valid_ng(pte) \ 147 + ((pte_val(pte) & (PTE_VALID | PTE_NG)) == (PTE_VALID | PTE_NG)) 149 148 150 149 static inline pte_t pte_wrprotect(pte_t pte) 151 150 { ··· 199 198 static inline void set_pte_at(struct mm_struct *mm, unsigned long addr, 200 199 pte_t *ptep, pte_t pte) 201 200 { 202 - if (pte_valid_user(pte)) { 201 + if (pte_valid_ng(pte)) { 203 202 if (!pte_special(pte) && pte_exec(pte)) 204 203 __sync_icache_dcache(pte, addr); 205 204 if (pte_dirty(pte) && pte_write(pte))

+2 -3

arch/arm64/mm/fault.c

··· 173 173 good_area: 174 174 /* 175 175 * Check that the permissions on the VMA allow for the fault which 176 - * occurred. If we encountered a write or exec fault, we must have 177 - * appropriate permissions, otherwise we allow any permission. 176 + * occurred. 178 177 */ 179 178 if (!(vma->vm_flags & vm_flags)) { 180 179 fault = VM_FAULT_BADACCESS; ··· 195 196 struct task_struct *tsk; 196 197 struct mm_struct *mm; 197 198 int fault, sig, code; 198 - unsigned long vm_flags = VM_READ | VM_WRITE | VM_EXEC; 199 + unsigned long vm_flags = VM_READ | VM_WRITE; 199 200 unsigned int mm_flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE; 200 201 201 202 tsk = current;