[LTP] [PATCH v2 0/2] Add mseal() testing suite

[LTP] [PATCH v2 0/2] Add mseal() testing suite

[Andrea Cervesato]

Smoke test for mseal() syscall added in the kernel 6.10. All information
can be found at the following link:

https://docs.kernel.org/userspace-api/mseal.html

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
Changes in v2:
- don't use TST_ABI32 var anymore, but let tst_syscall handling ENOSYS 
- call protection key syscalls via tst_syscall
- Link to v1: https://lore.kernel.org/r/20240610-mseal-v1-0-f659b9e97efa@suse.com

---
Andrea Cervesato (2):
      Add mseal() syscall declaration
      Add mseal01 test

 include/lapi/syscalls/aarch64.in           |   1 +
 include/lapi/syscalls/arc.in               |   1 +
 include/lapi/syscalls/arm.in               |   1 +
 include/lapi/syscalls/hppa.in              |   1 +
 include/lapi/syscalls/i386.in              |   1 +
 include/lapi/syscalls/ia64.in              |   1 +
 include/lapi/syscalls/loongarch.in         |   1 +
 include/lapi/syscalls/mips_n32.in          |   1 +
 include/lapi/syscalls/mips_n64.in          |   1 +
 include/lapi/syscalls/mips_o32.in          |   1 +
 include/lapi/syscalls/powerpc.in           |   1 +
 include/lapi/syscalls/powerpc64.in         |   1 +
 include/lapi/syscalls/s390.in              |   1 +
 include/lapi/syscalls/s390x.in             |   1 +
 include/lapi/syscalls/sh.in                |   1 +
 include/lapi/syscalls/sparc.in             |   1 +
 include/lapi/syscalls/sparc64.in           |   1 +
 include/lapi/syscalls/x86_64.in            |   1 +
 testcases/kernel/syscalls/mseal/.gitignore |   1 +
 testcases/kernel/syscalls/mseal/Makefile   |   7 ++
 testcases/kernel/syscalls/mseal/mseal01.c  | 173 +++++++++++++++++++++++++++++
 21 files changed, 199 insertions(+)
---
base-commit: c5d95b6d34e2356bd19e6b646da06f1bce66a024
change-id: 20240607-mseal-dfac12675096

Best regards,
-- 
Andrea Cervesato <andrea.cervesato@suse.com>


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH v2 1/2] Add mseal() syscall declaration

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

---
 include/lapi/syscalls/aarch64.in   | 1 +
 include/lapi/syscalls/arc.in       | 1 +
 include/lapi/syscalls/arm.in       | 1 +
 include/lapi/syscalls/hppa.in      | 1 +
 include/lapi/syscalls/i386.in      | 1 +
 include/lapi/syscalls/ia64.in      | 1 +
 include/lapi/syscalls/loongarch.in | 1 +
 include/lapi/syscalls/mips_n32.in  | 1 +
 include/lapi/syscalls/mips_n64.in  | 1 +
 include/lapi/syscalls/mips_o32.in  | 1 +
 include/lapi/syscalls/powerpc.in   | 1 +
 include/lapi/syscalls/powerpc64.in | 1 +
 include/lapi/syscalls/s390.in      | 1 +
 include/lapi/syscalls/s390x.in     | 1 +
 include/lapi/syscalls/sh.in        | 1 +
 include/lapi/syscalls/sparc.in     | 1 +
 include/lapi/syscalls/sparc64.in   | 1 +
 include/lapi/syscalls/x86_64.in    | 1 +
 18 files changed, 18 insertions(+)

diff --git a/include/lapi/syscalls/aarch64.in b/include/lapi/syscalls/aarch64.in
index 3e7797718..7e08c63f3 100644
--- a/include/lapi/syscalls/aarch64.in
+++ b/include/lapi/syscalls/aarch64.in
@@ -300,4 +300,5 @@ landlock_create_ruleset 444
 landlock_add_rule 445
 landlock_restrict_self 446
 futex_waitv 449
+mseal 462
 _sysctl 1078
diff --git a/include/lapi/syscalls/arc.in b/include/lapi/syscalls/arc.in
index 7fde1d263..94ae09a4b 100644
--- a/include/lapi/syscalls/arc.in
+++ b/include/lapi/syscalls/arc.in
@@ -320,3 +320,4 @@ landlock_create_ruleset 444
 landlock_add_rule 445
 landlock_restrict_self 446
 futex_waitv 449
+mseal 462
diff --git a/include/lapi/syscalls/arm.in b/include/lapi/syscalls/arm.in
index 8e76ad164..95c7b20f9 100644
--- a/include/lapi/syscalls/arm.in
+++ b/include/lapi/syscalls/arm.in
@@ -399,3 +399,4 @@ landlock_add_rule (__NR_SYSCALL_BASE+445)
 landlock_restrict_self (__NR_SYSCALL_BASE+446)
 memfd_secret (__NR_SYSCALL_BASE+447)
 futex_waitv (__NR_SYSCALL_BASE+449)
+mseal (__NR_SYSCALL_BASE+462)
diff --git a/include/lapi/syscalls/hppa.in b/include/lapi/syscalls/hppa.in
index 60c02aff2..a16bb74d8 100644
--- a/include/lapi/syscalls/hppa.in
+++ b/include/lapi/syscalls/hppa.in
@@ -47,3 +47,4 @@ landlock_create_ruleset 444
 landlock_add_rule 445
 landlock_restrict_self 446
 futex_waitv 449
+mseal 462
diff --git a/include/lapi/syscalls/i386.in b/include/lapi/syscalls/i386.in
index 31ec1ecb2..99e7aa5ba 100644
--- a/include/lapi/syscalls/i386.in
+++ b/include/lapi/syscalls/i386.in
@@ -434,3 +434,4 @@ landlock_create_ruleset 444
 landlock_add_rule 445
 landlock_restrict_self 446
 futex_waitv 449
+mseal 462
diff --git a/include/lapi/syscalls/ia64.in b/include/lapi/syscalls/ia64.in
index 2e56da7f9..6cdd161ad 100644
--- a/include/lapi/syscalls/ia64.in
+++ b/include/lapi/syscalls/ia64.in
@@ -347,3 +347,4 @@ landlock_create_ruleset 1468
 landlock_add_rule 1469
 landlock_restrict_self 1470
 futex_waitv 1473
+mseal 1486
diff --git a/include/lapi/syscalls/loongarch.in b/include/lapi/syscalls/loongarch.in
index 301f611f6..0215e9cd5 100644
--- a/include/lapi/syscalls/loongarch.in
+++ b/include/lapi/syscalls/loongarch.in
@@ -305,3 +305,4 @@ memfd_secret 447
 process_mrelease 448
 futex_waitv 449
 set_mempolicy_home_node 450
+mseal 462
diff --git a/include/lapi/syscalls/mips_n32.in b/include/lapi/syscalls/mips_n32.in
index 5f0fe65eb..199295b9b 100644
--- a/include/lapi/syscalls/mips_n32.in
+++ b/include/lapi/syscalls/mips_n32.in
@@ -374,3 +374,4 @@ landlock_create_ruleset 6444
 landlock_add_rule 6445
 landlock_restrict_self 6446
 futex_waitv 6449
+mseal 6462
diff --git a/include/lapi/syscalls/mips_n64.in b/include/lapi/syscalls/mips_n64.in
index f81c60e66..49f875a9e 100644
--- a/include/lapi/syscalls/mips_n64.in
+++ b/include/lapi/syscalls/mips_n64.in
@@ -350,3 +350,4 @@ landlock_create_ruleset 5444
 landlock_add_rule 5445
 landlock_restrict_self 5446
 futex_waitv 5449
+mseal 5462
diff --git a/include/lapi/syscalls/mips_o32.in b/include/lapi/syscalls/mips_o32.in
index c2beffb75..b379e52c7 100644
--- a/include/lapi/syscalls/mips_o32.in
+++ b/include/lapi/syscalls/mips_o32.in
@@ -420,3 +420,4 @@ landlock_create_ruleset 4444
 landlock_add_rule 4445
 landlock_restrict_self 4446
 futex_waitv 4449
+mseal 4462
diff --git a/include/lapi/syscalls/powerpc.in b/include/lapi/syscalls/powerpc.in
index 5460e4197..e35e114ad 100644
--- a/include/lapi/syscalls/powerpc.in
+++ b/include/lapi/syscalls/powerpc.in
@@ -427,3 +427,4 @@ landlock_create_ruleset 444
 landlock_add_rule 445
 landlock_restrict_self 446
 futex_waitv 449
+mseal 462
diff --git a/include/lapi/syscalls/powerpc64.in b/include/lapi/syscalls/powerpc64.in
index 5460e4197..e35e114ad 100644
--- a/include/lapi/syscalls/powerpc64.in
+++ b/include/lapi/syscalls/powerpc64.in
@@ -427,3 +427,4 @@ landlock_create_ruleset 444
 landlock_add_rule 445
 landlock_restrict_self 446
 futex_waitv 449
+mseal 462
diff --git a/include/lapi/syscalls/s390.in b/include/lapi/syscalls/s390.in
index 275b27f47..1207551cb 100644
--- a/include/lapi/syscalls/s390.in
+++ b/include/lapi/syscalls/s390.in
@@ -414,3 +414,4 @@ landlock_create_ruleset 444
 landlock_add_rule 445
 landlock_restrict_self 446
 futex_waitv 449
+mseal 462
diff --git a/include/lapi/syscalls/s390x.in b/include/lapi/syscalls/s390x.in
index c200d02b2..503419282 100644
--- a/include/lapi/syscalls/s390x.in
+++ b/include/lapi/syscalls/s390x.in
@@ -362,3 +362,4 @@ landlock_create_ruleset 444
 landlock_add_rule 445
 landlock_restrict_self 446
 futex_waitv 449
+mseal 462
diff --git a/include/lapi/syscalls/sh.in b/include/lapi/syscalls/sh.in
index 6f482a77b..060ab613c 100644
--- a/include/lapi/syscalls/sh.in
+++ b/include/lapi/syscalls/sh.in
@@ -408,3 +408,4 @@ landlock_create_ruleset 444
 landlock_add_rule 445
 landlock_restrict_self 446
 futex_waitv 449
+mseal 462
diff --git a/include/lapi/syscalls/sparc.in b/include/lapi/syscalls/sparc.in
index 7181e80a0..6821f053c 100644
--- a/include/lapi/syscalls/sparc.in
+++ b/include/lapi/syscalls/sparc.in
@@ -413,3 +413,4 @@ landlock_create_ruleset 444
 landlock_add_rule 445
 landlock_restrict_self 446
 futex_waitv 449
+mseal 462
diff --git a/include/lapi/syscalls/sparc64.in b/include/lapi/syscalls/sparc64.in
index c96ab2021..661db0cae 100644
--- a/include/lapi/syscalls/sparc64.in
+++ b/include/lapi/syscalls/sparc64.in
@@ -378,3 +378,4 @@ landlock_create_ruleset 444
 landlock_add_rule 445
 landlock_restrict_self 446
 futex_waitv 449
+mseal 462
diff --git a/include/lapi/syscalls/x86_64.in b/include/lapi/syscalls/x86_64.in
index 3082ca110..af6ab689f 100644
--- a/include/lapi/syscalls/x86_64.in
+++ b/include/lapi/syscalls/x86_64.in
@@ -355,6 +355,7 @@ landlock_create_ruleset 444
 landlock_add_rule 445
 landlock_restrict_self 446
 futex_waitv 449
+mseal 462
 rt_sigaction 512
 rt_sigreturn 513
 ioctl 514

-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v2 1/2] Add mseal() syscall declaration

[Cyril Hrubis]

Hi!
This patch obviously does not apply after I've merged cachestat. I guess
that the easiest solution is to have a one patch that adds all these
fallbacks for all new syscalls you are working on pushed first,
otherwise there will be conflicts for each patchset.

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v2 1/2] Add mseal() syscall declaration

[Andrea Cervesato via ltp]

I can send v3 if needed.

On 7/24/24 13:25, Cyril Hrubis wrote:
> Hi!
> This patch obviously does not apply after I've merged cachestat. I guess
> that the easiest solution is to have a one patch that adds all these
> fallbacks for all new syscalls you are working on pushed first,
> otherwise there will be conflicts for each patchset.
>
Andrea


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v2 1/2] Add mseal() syscall declaration

[Cyril Hrubis]

Hi!
> I can send v3 if needed.

But that would solve only mseal() and the fhcmodat2() has the same
collision and would need a v3 that would apply on the top of mseal().
The syscall in files are unfortunatelly contetion point so I'm
suggesting to add all the definitions you are going to need in a single
patch instead.

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v2 1/2] Add mseal() syscall declaration

[Andrea Cervesato via ltp]

Sorry but I don’t get it. Resolving conflicts is really something up to people who push the code on the mainline (:
Also it should be pretty easy since it requires to accept both head and coming changes.

Andrea

> On 24 Jul 2024, at 16:59, Cyril Hrubis <chrubis@suse.cz> wrote:
> 
> Hi!
>> I can send v3 if needed.
> 
> But that would solve only mseal() and the fhcmodat2() has the same
> collision and would need a v3 that would apply on the top of mseal().
> The syscall in files are unfortunatelly contetion point so I'm
> suggesting to add all the definitions you are going to need in a single
> patch instead.
> 
> --
> Cyril Hrubis
> chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v2 1/2] Add mseal() syscall declaration

[Cyril Hrubis]

Hi!
> Sorry but I don’t get it. Resolving conflicts is really something up
> to people who push the code on the mainline (: Also it should be
> pretty easy since it requires to accept both head and coming changes.

I'm pretty sure you would get some pretty hars word if you send patches
to linux kernel that does not apply on the top of each other...

Anyways I'm just trying to get to a solution that would save time for
everyone, because manually fixing a patch that fails to add a line into
18 different files is not something I want to do for each new syscall
patchset you send...

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH v2 2/2] Add mseal01 test

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

This is a smoke test that verifies if mseal() protects specific VMA
portions of a process. According to documentation, the syscall should
protect memory from the following actions:

- unmapping, moving to another location, and shrinking the size, via
  munmap() and mremap()
- moving or expanding a different VMA into the current location, via
  mremap()
- modifying a VMA via mmap(MAP_FIXED)
- mprotect() and pkey_mprotect()
- destructive madvice() behaviors (e.g. MADV_DONTNEED) for anonymous
  memory, when users don’t have write permission to the memory

Any of the described actions is recognized via EPERM errno.

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 testcases/kernel/syscalls/mseal/.gitignore |   1 +
 testcases/kernel/syscalls/mseal/Makefile   |   7 ++
 testcases/kernel/syscalls/mseal/mseal01.c  | 173 +++++++++++++++++++++++++++++
 3 files changed, 181 insertions(+)

diff --git a/testcases/kernel/syscalls/mseal/.gitignore b/testcases/kernel/syscalls/mseal/.gitignore
new file mode 100644
index 000000000..e13090994
--- /dev/null
+++ b/testcases/kernel/syscalls/mseal/.gitignore
@@ -0,0 +1 @@
+mseal01
diff --git a/testcases/kernel/syscalls/mseal/Makefile b/testcases/kernel/syscalls/mseal/Makefile
new file mode 100644
index 000000000..35317f446
--- /dev/null
+++ b/testcases/kernel/syscalls/mseal/Makefile
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (C) 2023 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+
+top_srcdir		?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/syscalls/mseal/mseal01.c b/testcases/kernel/syscalls/mseal/mseal01.c
new file mode 100644
index 000000000..13f1a0b92
--- /dev/null
+++ b/testcases/kernel/syscalls/mseal/mseal01.c
@@ -0,0 +1,173 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * [Description]
+ *
+ * This is a smoke test that verifies if mseal() protects specific VMA portions
+ * of a process. According to documentation, the syscall should protect memory
+ * from the following actions:
+ *
+ * - unmapping, moving to another location, and shrinking the size, via munmap()
+ *   and mremap()
+ * - moving or expanding a different VMA into the current location, via mremap()
+ * - modifying a VMA via mmap(MAP_FIXED)
+ * - mprotect() and pkey_mprotect()
+ * - destructive madvice() behaviors (e.g. MADV_DONTNEED) for anonymous memory,
+ *   when users don’t have write permission to the memory
+ *
+ * Any of the described actions is recognized via EPERM errno.
+ */
+
+#define _GNU_SOURCE
+
+#include "tst_test.h"
+#include "lapi/syscalls.h"
+
+#define MEMPAGES 8
+#define MEMSEAL 2
+
+static void *mem_addr;
+static int mem_size;
+static int mem_offset;
+static int mem_alignment;
+
+static inline int sys_mseal(void *start, size_t len)
+{
+	return tst_syscall(__NR_mseal, start, len, 0);
+}
+
+static void test_mprotect(void)
+{
+	TST_EXP_FAIL(mprotect(mem_addr, mem_size, PROT_NONE), EPERM);
+}
+
+static void test_pkey_mprotect(void)
+{
+	int ret;
+	int pkey;
+
+	pkey = tst_syscall(__NR_pkey_alloc, 0, 0);
+	if (pkey == -1) {
+		if (errno == EINVAL)
+			tst_brk(TCONF, "pku is not supported on this CPU");
+
+		tst_brk(TBROK | TERRNO, "pkey_alloc() error");
+	}
+
+	TST_EXP_FAIL(tst_syscall(__NR_pkey_mprotect,
+		mem_addr, mem_size,
+		PROT_NONE,
+		pkey),
+		EPERM);
+
+	ret = tst_syscall(__NR_pkey_free, pkey);
+	if (ret == -1)
+		tst_brk(TBROK | TERRNO, "pkey_free() error");
+}
+
+static void test_madvise(void)
+{
+	TST_EXP_FAIL(madvise(mem_addr, mem_size, MADV_DONTNEED), EPERM);
+}
+
+static void test_munmap(void)
+{
+	TST_EXP_FAIL(munmap(mem_addr, mem_size), EPERM);
+}
+
+static void test_mremap_resize(void)
+{
+	void *new_addr;
+	size_t new_size = 2 * mem_alignment;
+
+	new_addr = SAFE_MMAP(NULL, mem_size,
+		PROT_READ,
+		MAP_ANONYMOUS | MAP_PRIVATE,
+		-1, 0);
+
+	TST_EXP_FAIL_PTR_VOID(mremap(mem_addr, mem_size, new_size,
+		MREMAP_MAYMOVE | MREMAP_FIXED,
+		new_addr),
+		EPERM);
+
+	SAFE_MUNMAP(new_addr, new_size);
+}
+
+static void test_mmap_change_prot(void)
+{
+	TST_EXP_FAIL_PTR_VOID(mmap(mem_addr, mem_size,
+		PROT_READ,
+		MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED,
+		-1, 0), EPERM);
+}
+
+static struct tcase {
+	void (*func_test)(void);
+	int prot;
+	char *message;
+} tcases[] = {
+	{test_mprotect, PROT_READ | PROT_WRITE, "mprotect() availability"},
+	{test_pkey_mprotect, PROT_READ | PROT_WRITE, "pkey_mprotect() availability"},
+	{test_madvise, PROT_READ, "madvise() availability"},
+	{test_munmap, PROT_READ | PROT_WRITE, "munmap() availability from child"},
+	{test_mremap_resize, PROT_READ | PROT_WRITE, "mremap() address move/resize"},
+	{test_mmap_change_prot, PROT_READ | PROT_WRITE, "mmap() protection change"},
+};
+
+static void child(unsigned int n)
+{
+	struct tcase *tc = &tcases[n];
+
+	mem_addr = SAFE_MMAP(NULL, mem_size,
+		tc->prot,
+		MAP_ANONYMOUS | MAP_PRIVATE,
+		-1, 0);
+
+	tst_res(TINFO, "Testing %s", tc->message);
+
+	TST_EXP_PASS(sys_mseal(mem_addr + mem_offset, mem_alignment));
+
+	tc->func_test();
+}
+
+static void run(unsigned int n)
+{
+	/* the reason why we spawn a child is that mseal() will
+	 * protect VMA until process will call _exit()
+	 */
+	if (!SAFE_FORK()) {
+		child(n);
+		_exit(0);
+	}
+
+	tst_reap_children();
+
+	if (mem_addr != MAP_FAILED)
+		SAFE_MUNMAP(mem_addr, mem_size);
+}
+
+static void setup(void)
+{
+	mem_alignment = getpagesize();
+	mem_size = mem_alignment * MEMPAGES;
+	mem_offset = mem_alignment * MEMSEAL;
+}
+
+static void cleanup(void)
+{
+	if (mem_addr != MAP_FAILED)
+		SAFE_MUNMAP(mem_addr, mem_size);
+}
+
+static struct tst_test test = {
+	.test = run,
+	.tcnt = ARRAY_SIZE(tcases),
+	.setup = setup,
+	.cleanup = cleanup,
+	.min_kver = "6.10",
+	.forks_child = 1,
+};
+

-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v2 2/2] Add mseal01 test

[Cyril Hrubis]

Hi!
> +static void child(unsigned int n)
> +{
> +	struct tcase *tc = &tcases[n];
> +
> +	mem_addr = SAFE_MMAP(NULL, mem_size,
> +		tc->prot,
> +		MAP_ANONYMOUS | MAP_PRIVATE,
> +		-1, 0);
> +
> +	tst_res(TINFO, "Testing %s", tc->message);
> +
> +	TST_EXP_PASS(sys_mseal(mem_addr + mem_offset, mem_alignment));
> +
> +	tc->func_test();
> +}
> +
> +static void run(unsigned int n)
> +{
> +	/* the reason why we spawn a child is that mseal() will
> +	 * protect VMA until process will call _exit()
> +	 */
> +	if (!SAFE_FORK()) {
> +		child(n);
> +		_exit(0);
> +	}
> +
> +	tst_reap_children();
> +
> +	if (mem_addr != MAP_FAILED)
> +		SAFE_MUNMAP(mem_addr, mem_size);

The memory is mapped in the child, it's hence not propagated to the
parent. With fork() only changes done in parent before the fork happens
are visible in child as well, since the memory is CoW.

> +}
> +
> +static void setup(void)
> +{
> +	mem_alignment = getpagesize();
> +	mem_size = mem_alignment * MEMPAGES;
> +	mem_offset = mem_alignment * MEMSEAL;
> +}
> +
> +static void cleanup(void)
> +{
> +	if (mem_addr != MAP_FAILED)
> +		SAFE_MUNMAP(mem_addr, mem_size);

Here as well, this is useless, since the memory was allocated in child,
and freed automatically when the child exits.


The rest look fine.

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp