Re: [PATCH v7 3/4] rseq: Make rseq work with protection keys

[Thomas Gleixner <tglx@linutronix.de>]

On Wed, Nov 26 2025 at 23:06, Florian Weimer wrote:
> * Thomas Gleixner:
>>          cur = pkey_extend(signal_perms);
>>
>> --> Perms are now [PK0=RW, PK1=R, PK2=RW, PK7=R]         
>>
>>          access_user_rseq();
>>          pkey_set(cur);
>>
>> If the RSEQ access is nested in the signal delivery return then nothing
>> happens as the permissions are not changing because they are already
>> extended: A | A = A :).
>
> Agreed.  And the pkey_extend/pkey_set don't have a prohibitive cost, I
> assume.  I got the impression you were trying to avoid that sequence,
> but I think it's more about defining the way pkey_extend works.

Correct.

I was trying to avoid doing it on the exit to user path, but after
thinking more about it, I'm not so worried about it anymore.

With the recent rewrite of the RSEQ handling in the exit code path that
should more or less vanish in the noise. I'll hack something up and
evaluate the impact.

The real question is the semantics of this mechanism. In your proposed
patch you define it as (if I read it correctly):

   1) The default signal protection is the same as the default for fork,
      which is PKEY0 unless user space changes it.

   2) pkey_alloc() with PKEY_ALLOC_SETSIGNAL set propagates the
      protection to the signal mask/permission set

   3) The permissions on signal delivery are:

          (default & signal_mask) | signal_perms

I'm not entirely sure whether #3 is the right thing to do. My initial
thought was to keep the current permission set at the point where the
task got interrupted and expand it with the signal permissions, i.e:

          (current & signal_mask) | signal_perms

Both variants can be argued for, but we have to agree on one them :)

Thanks,

        tglx