From: catalin.marinas@arm.com (Catalin Marinas)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] arm64: Introduce execute-only page access permissions
Date: Fri, 2 May 2014 18:13:37 +0100 [thread overview]
Message-ID: <20140502171336.GA5341@arm.com> (raw)
In-Reply-To: <20140502170027.GE20642@arm.com>
On Fri, May 02, 2014 at 06:00:28PM +0100, Will Deacon wrote:
> On Fri, May 02, 2014 at 04:49:52PM +0100, Catalin Marinas wrote:
> > The ARMv8 architecture allows execute-only user permissions by clearing
> > the PTE_UXN and PTE_USER bits. The kernel, however, can still access
> > such page.
> >
> > This patch changes the arm64 __P100 and __S100 protection_map[] macros
> > to the new __PAGE_EXECONLY attributes. A side effect is that
> > pte_valid_user() no longer triggers for __PAGE_EXECONLY since PTE_USER
> > isn't set. To work around this, the check is done on the PTE_NG bit via
> > the pte_valid_ng() macro. VM_READ is also checked now for page faults.
>
> How does this interact with things like ptrace and pipes? Can I get the
> kernel to read my text for me?
access_process_vm() would work fine since this is done using the kernel
linear mapping (and get_user_pages). Also, if you get_user etc. it would
still work since LDR/STR in EL1 mode would not be restricted (only
LDRT/STRT but we don't use them).
But note that this is only for pages explicitly marked PROT_EXEC only.
Standard user apps just use r-x mappings, so not affected.
> Also: do we really want to differ from x86 here?
x86 has a hardware limitation IIUC, same as ARMv7. This was a request
from security people and they claim it's a feature they would like
(apparently on Chrome OS). Of course, they have to adapt their tools/JIT
to avoid literal pools on such mappings but there is ongoing work
already.
We could make it configurable, though assume that it doesn't break any
user ABI (so far OK but it needs more testing), we could make it the
default.
--
Catalin
next prev parent reply other threads:[~2014-05-02 17:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-02 15:49 [PATCH] arm64: Introduce execute-only page access permissions Catalin Marinas
2014-05-02 17:00 ` Will Deacon
2014-05-02 17:13 ` Catalin Marinas [this message]
2014-05-02 18:07 ` Will Deacon
2014-05-06 14:14 ` Catalin Marinas
-- strict thread matches above, loose matches on Subject: below --
2016-08-11 17:44 Catalin Marinas
2016-08-12 18:23 ` Kees Cook
2016-08-15 10:47 ` Catalin Marinas
2016-08-15 17:45 ` Kees Cook
2016-08-16 16:18 ` Catalin Marinas
2016-08-25 10:30 ` Will Deacon
2016-08-25 15:24 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140502171336.GA5341@arm.com \
--to=catalin.marinas@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).