From: catalin.marinas@arm•com (Catalin Marinas)
To: linux-arm-kernel@lists•infradead.org
Subject: [PATCH] arm64: Introduce execute-only page access permissions
Date: Tue, 6 May 2014 15:14:08 +0100 [thread overview]
Message-ID: <20140506141408.GC23957@arm.com> (raw)
In-Reply-To: <20140502180706.GB14645@arm.com>
On Fri, May 02, 2014 at 07:07:07PM +0100, Will Deacon wrote:
> On Fri, May 02, 2014 at 06:13:37PM +0100, Catalin Marinas wrote:
> > On Fri, May 02, 2014 at 06:00:28PM +0100, Will Deacon wrote:
> > > On Fri, May 02, 2014 at 04:49:52PM +0100, Catalin Marinas wrote:
> > > > The ARMv8 architecture allows execute-only user permissions by clearing
> > > > the PTE_UXN and PTE_USER bits. The kernel, however, can still access
> > > > such page.
> > > >
> > > > This patch changes the arm64 __P100 and __S100 protection_map[] macros
> > > > to the new __PAGE_EXECONLY attributes. A side effect is that
> > > > pte_valid_user() no longer triggers for __PAGE_EXECONLY since PTE_USER
> > > > isn't set. To work around this, the check is done on the PTE_NG bit via
> > > > the pte_valid_ng() macro. VM_READ is also checked now for page faults.
> > >
> > > How does this interact with things like ptrace and pipes? Can I get the
> > > kernel to read my text for me?
> >
> > access_process_vm() would work fine since this is done using the kernel
> > linear mapping (and get_user_pages). Also, if you get_user etc. it would
> > still work since LDR/STR in EL1 mode would not be restricted (only
> > LDRT/STRT but we don't use them).
>
> Depends on how you define `work fine'!
My definition of "working fine" is that they are not affected ;).
>
> > But note that this is only for pages explicitly marked PROT_EXEC only.
> > Standard user apps just use r-x mappings, so not affected.
>
> Ok, but it does mean that any task being subjected to --x permissions can
> trivially read from that mapping via a syscall, so this patch only makes
> sense in the context of something like seccomp, where you additionally
> restrict the set of syscalls available to the target.
Yes. For copy_from_user etc. we could (with a specific config option)
use LDRT/STRT and some pointer indirection changed by set_fs() but I
wouldn't bother for now.
> > > Also: do we really want to differ from x86 here?
> >
> > x86 has a hardware limitation IIUC, same as ARMv7. This was a request
> > from security people and they claim it's a feature they would like
> > (apparently on Chrome OS). Of course, they have to adapt their tools/JIT
> > to avoid literal pools on such mappings but there is ongoing work
> > already.
> >
> > We could make it configurable, though assume that it doesn't break any
> > user ABI (so far OK but it needs more testing), we could make it the
> > default.
>
> Why not make it depend on SECCOMP or AUDIT? I don't think it's at all
> useful without them.
That's potentially a user ABI change, so we should make sure we spot any
abuse of the --x permission independent of the kernel config options.
--
Catalin
next prev parent reply other threads:[~2014-05-06 14:14 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-02 15:49 [PATCH] arm64: Introduce execute-only page access permissions Catalin Marinas
2014-05-02 17:00 ` Will Deacon
2014-05-02 17:13 ` Catalin Marinas
2014-05-02 18:07 ` Will Deacon
2014-05-06 14:14 ` Catalin Marinas [this message]
-- strict thread matches above, loose matches on Subject: below --
2016-08-11 17:44 Catalin Marinas
2016-08-12 18:23 ` Kees Cook
2016-08-15 10:47 ` Catalin Marinas
2016-08-15 17:45 ` Kees Cook
2016-08-16 16:18 ` Catalin Marinas
2016-08-25 10:30 ` Will Deacon
2016-08-25 15:24 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140506141408.GC23957@arm.com \
--to=catalin.marinas@arm$(echo .)com \
--cc=linux-arm-kernel@lists$(echo .)infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox