From nobody Thu Dec 18 09:42:58 2025
Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com
 [209.85.214.170])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 897AE1D8DFB
	for <linux-kernel@vger.kernel.org>; Wed, 12 Feb 2025 03:21:58 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.170
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330520; cv=none;
 b=uFj3ZhfcRyEUqOIJwbaQVqJNMPrT081GOrP6DBE9HDmSl2g4NFvG35jSGkgkPkboSpUyO4Sb2iOFEc+U2PTKFl4zMeV4VLNhFGxn+GkdbXdrqswUqyEK3ZHykWvBh8o6YZYTBDroA5jZTEkQXKuzHrM6iQ6Oe3mduX5YMY5vkRE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330520; c=relaxed/simple;
	bh=3VXEI9CDqujeRW1KtdOvB9JLbbeUVXm1g3iGikU4Xtw=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=QrlVr2tIAu9vW9XV0O5M9kn2YRiWe2WIRxxfQaYAPn+K6GNX314IQM3uBRXJxlD6/zC/ehSfeTFtcbhr28JPXFfnPquZ5xJy++XhTifDxa5P+i45wHScjrdfZNKpcMRstNSpBz1FwLqUsO8BhLTmpGZSA+BQVxke1oke/E02Hi4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=mfShiWRs; arc=none smtp.client-ip=209.85.214.170
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="mfShiWRs"
Received: by mail-pl1-f170.google.com with SMTP id
 d9443c01a7336-21f3826e88cso11821265ad.0
        for <linux-kernel@vger.kernel.org>;
 Tue, 11 Feb 2025 19:21:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330518; x=1739935318;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=DGlgtnJud/tm4lyrsEmm3OjwE2GDthkuHJ1JyP15EEc=;
        b=mfShiWRsz7p9LTRqrjCqns4GtsKPBZkJw4/FHb0eg1hga8xrlkfsJU4tmRa+07c079
         m9VoRdh8qg3Sx/jqaUb877lZQPbpaWNekSzjYJZEYRr4lb2cFvFQeZkGgpNsRgkieXsW
         iDsxQTGX8hoW1Fv1Bu+XSi/wacNvQloD8+7zs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330518; x=1739935318;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=DGlgtnJud/tm4lyrsEmm3OjwE2GDthkuHJ1JyP15EEc=;
        b=w6ycAGaIYDElZk2SHByJis3MnreFeHbcFra9XgbViX0Q456WOAw3lkXqxz02pKyd5u
         PD7YkXhKHI9CXseGKmA+/RAk5JCG7eRWK2ZzztcV0r1Ia/wx1VRwvmFeyOb6S4YIoFKP
         rZFRN40+5TaG2BOSajJdBqmUxfcm97H62aAapFQpLB654dYaE8gAaahh8eB+XSejAcqo
         h1ij4hUi1o0LoXLvKDoxAUMRq6q97CFhynhC0wQLlaD/0UF4A4rt8VF+uigF/pWo/eb2
         0WgmVqxkanqWUfjj6bWCaKI17Zs5NlhTAE+b0sEfyUuQgvYsWUAXlWKxfBAjad9e4y+8
         kI/g==
X-Gm-Message-State: AOJu0YwocWPbHOxxuRIsxc0qS0EaxKpp/qp8KQi3VAXXqYQHXQbZBzw0
	D3WApDK8doNucCn/DGGrhP4shPogRkfT0OseaM4CHxWXkV35d1Zr9YRJ6CxtOQ==
X-Gm-Gg: ASbGncuT7EEwpEOWJunKbNfg9kQGaTPPQ/lCEVJN5cDgffWdYFZyl9sIT2LpsE0LPc4
	nZwPm91KSHycZTSkoTTxhAsNAervhYJT3lPm0nvw6zo8C72I4LBlp0iTmmuXS4mJfT8lDB4VMqW
	e982Y24REV89b/qjVVMU2CtvEgJnqQoXOF8vHki3sr7FeiNb/wK/qY/o6i6b1tKptMdST6cJ9HR
	Lng4nkfZLp+TgvoWMWtl0BF2b7fa3fTAPuKgskGDrb4MIgS9At36PSx038lJ4jBkVskZifegeDn
	rRyhnJY0ga1vQAKLVAeaxMX4eYm2X4lLp+5hPqx7LHzxV49/PQ==
X-Google-Smtp-Source: 
 AGHT+IEURlNafHcVNKrTKgOcgxh+gG6kKLNCaOgM84jrdUBBOm8abnn5+RM1CQymWz2I341kNGd0sw==
X-Received: by 2002:a17:903:22c5:b0:21b:d105:26a7 with SMTP id
 d9443c01a7336-220bbb045admr10702145ad.6.1739330517663;
        Tue, 11 Feb 2025 19:21:57 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 98e67ed59e1d1-2fbf999b5cesm299750a91.34.2025.02.11.19.21.57
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:21:57 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>
Subject: [RFC PATCH v5 1/7] mseal,
 system mappings: kernel config and header change
Date: Wed, 12 Feb 2025 03:21:49 +0000
Message-ID: <20250212032155.1276806-2-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Jeff Xu <jeffxu@chromium.org>

Provide infrastructure to mseal system mappings. Establish
two kernel configs (CONFIG_MSEAL_SYSTEM_MAPPINGS,
ARCH_HAS_MSEAL_SYSTEM_MAPPINGS) and a header file (userprocess.h)
for future patches.

As discussed during mseal() upstream process [1], mseal() protects
the VMAs of a given virtual memory range against modifications, such
as the read/write (RW) and no-execute (NX) bits. For complete
descriptions of memory sealing, please see mseal.rst [2].

The mseal() is useful to mitigate memory corruption issues where a
corrupted pointer is passed to a memory management system. For
example, such an attacker primitive can break control-flow integrity
guarantees since read-only memory that is supposed to be trusted can
become writable or .text pages can get remapped.

The system mappings are readonly only, memory sealing can protect
them from ever changing to writable or unmmap/remapped as different
attributes.

System mappings such as vdso, vvar, and sigpage (arm), vectors (arm)
are created by the kernel during program initialization, and could
be sealed after creation.

Unlike the aforementioned mappings, the uprobe mapping is not
established during program startup. However, its lifetime is the same
as the process's lifetime [3]. It could be sealed from creation.

The vsyscall on x86-64 uses a special address (0xffffffffff600000),
which is outside the mm managed range. This means mprotect, munmap, and
mremap won't work on the vsyscall. Since sealing doesn't enhance
the vsyscall's security, it is skipped in this patch. If we ever seal
the vsyscall, it is probably only for decorative purpose, i.e. showing
the 'sl' flag in the /proc/pid/smaps. For this patch, it is ignored.

It is important to note that the CHECKPOINT_RESTORE feature (CRIU) may
alter the system mappings during restore operations. UML(User Mode Linux)
and gVisor are also known to change the vdso/vvar mappings. Consequently,
this feature cannot be universally enabled across all systems. As such,
CONFIG_MSEAL_SYSTEM_MAPPINGS is disabled by default.

To support mseal of system mappings, architectures must define
CONFIG_ARCH_HAS_MSEAL_SYSTEM_MAPPINGS and update their special mappings
calls to pass mseal flag. Additionally, architectures must confirm they
do not unmap/remap system mappings during the process lifetime.

In this version, we've improved the handling of system mapping sealing from
previous versions, instead of modifying the _install_special_mapping
function itself, which would affect all architectures, we now call
_install_special_mapping with a sealing flag only within the specific
architecture that requires it. This targeted approach offers two key
advantages: 1) It limits the code change's impact to the necessary
architectures, and 2) It aligns with the software architecture by keeping
the core memory management within the mm layer, while delegating the
decision of sealing system mappings to the individual architecture, which
is particularly relevant since 32-bit architectures never require sealing.

Additionally, this patch introduces a new header,
include/linux/usrprocess.h, which contains the mseal_system_mappings()
function. This function helps the architecture determine if system
mapping is enabled within the current kernel configuration. It can be
extended in the future to handle opt-in/out prctl for enabling system
mapping sealing at the process level or a kernel cmdline feature.

A new header file was introduced because it was difficult to find the
best location for this function. Although include/linux/mm.h was
considered, this feature is more closely related to user processes
than core memory management. Additionally, future prctl or kernel
cmd-line implementations for this feature would not fit within the
scope of core memory management or mseal.c. This is relevant because
if we add unit-tests for mseal.c in the future, we would want to limit
mseal.c's dependencies to core memory management.

Prior to this patch series, we explored sealing special mappings from
userspace using glibc's dynamic linker. This approach revealed several
issues:
- The PT_LOAD header may report an incorrect length for vdso, (smaller
  than its actual size). The dynamic linker, which relies on PT_LOAD
  information to determine mapping size, would then split and partially
  seal the vdso mapping. Since each architecture has its own vdso/vvar
  code, fixing this in the kernel would require going through each
  archiecture. Our initial goal was to enable sealing readonly mappings,
  e.g. .text, across all architectures, sealing vdso from kernel since
  creation appears to be simpler than sealing vdso at glibc.
- The [vvar] mapping header only contains address information, not length
  information. Similar issues might exist for other special mappings.
- Mappings like uprobe are not covered by the dynamic linker,
  and there is no effective solution for them.

This feature's security enhancements will benefit ChromeOS, Android,
and other high security systems.

Testing:
This feature was tested on ChromeOS and Android for both x86-64 and ARM64.
- Enable sealing and verify vdso/vvar, sigpage, vector are sealed properly,
  i.e. "sl" shown in the smaps for those mappings, and mremap is blocked.
- Passing various automation tests (e.g. pre-checkin) on ChromeOS and
  Android to ensure the sealing doesn't affect the functionality of
  Chromebook and Android phone.

I also tested the feature on Ubuntu on x86-64:
- With config disabled, vdso/vvar is not sealed,
- with config enabled, vdso/vvar is sealed, and booting up Ubuntu is OK,
  normal operations such as browsing the web, open/edit doc are OK.

In addition, Benjamin Berg tested this on UML.

Link: https://lore.kernel.org/all/20240415163527.626541-1-jeffxu@chromium.o=
rg/ [1]
Link: Documentation/userspace-api/mseal.rst [2]
Link: https://lore.kernel.org/all/CABi2SkU9BRUnqf70-nksuMCQ+yyiWjo3fM4XkRkL=
-NrCZxYAyg@mail.gmail.com/ [3]

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 include/linux/userprocess.h | 18 ++++++++++++++++++
 init/Kconfig                | 18 ++++++++++++++++++
 security/Kconfig            | 18 ++++++++++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 include/linux/userprocess.h

diff --git a/include/linux/userprocess.h b/include/linux/userprocess.h
new file mode 100644
index 000000000000..bd11e2e972c5
--- /dev/null
+++ b/include/linux/userprocess.h
@@ -0,0 +1,18 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _LINUX_USER_PROCESS_H
+#define _LINUX_USER_PROCESS_H
+#include <linux/mm.h>
+
+/*
+ * mseal of userspace process's system mappings.
+ */
+static inline unsigned long mseal_system_mappings(void)
+{
+#ifdef CONFIG_MSEAL_SYSTEM_MAPPINGS
+	return VM_SEALED;
+#else
+	return 0;
+#endif
+}
+
+#endif
diff --git a/init/Kconfig b/init/Kconfig
index d0d021b3fa3b..892d2bcdf397 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1882,6 +1882,24 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS
 config ARCH_HAS_MEMBARRIER_SYNC_CORE
 	bool
=20
+config ARCH_HAS_MSEAL_SYSTEM_MAPPINGS
+	bool
+	help
+	  Control MSEAL_SYSTEM_MAPPINGS access based on architecture.
+
+	  A 64-bit kernel is required for the memory sealing feature.
+	  No specific hardware features from the CPU are needed.
+
+	  To enable this feature, the architecture needs to update their
+	  speical mappings calls to include the sealing flag and confirm
+	  that it doesn't unmap/remap system mappings during the life
+	  time of the process. After the architecture enables this, a
+	  distribution can set CONFIG_MSEAL_SYSTEM_MAPPING to manage access
+	  to the feature.
+
+	  For complete descriptions of memory sealing, please see
+	  Documentation/userspace-api/mseal.rst
+
 config HAVE_PERF_EVENTS
 	bool
 	help
diff --git a/security/Kconfig b/security/Kconfig
index f10dbf15c294..bfb35fc7a3c6 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -51,6 +51,24 @@ config PROC_MEM_NO_FORCE
=20
 endchoice
=20
+config MSEAL_SYSTEM_MAPPINGS
+	bool "mseal system mappings"
+	depends on 64BIT
+	depends on ARCH_HAS_MSEAL_SYSTEM_MAPPINGS
+	depends on !CHECKPOINT_RESTORE
+	help
+	  Seal system mappings such as vdso, vvar, sigpage, uprobes, etc.
+
+	  A 64-bit kernel is required for the memory sealing feature.
+	  No specific hardware features from the CPU are needed.
+
+	  Note: CHECKPOINT_RESTORE, UML, gVisor are known to relocate or
+	  unmap system mapping, therefore this config can't be enabled
+	  universally.
+
+	  For complete descriptions of memory sealing, please see
+	  Documentation/userspace-api/mseal.rst
+
 config SECURITY
 	bool "Enable different security models"
 	depends on SYSFS
--=20
2.48.1.502.g6dc24dfdaf-goog
From nobody Thu Dec 18 09:42:58 2025
Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com
 [209.85.216.44])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8229E1D8A10
	for <linux-kernel@vger.kernel.org>; Wed, 12 Feb 2025 03:21:59 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.44
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330521; cv=none;
 b=ZQlUK+2Pvu6gOHEtM0LaJ9vVhGB14zzM6Wi1gPcTxz/Rq+PM6e26omPGUXFS2lrNPmoANGzx1LN3DgMR8lyyz0e6YPryGXjSvM0Aw6aGf9Rwam+plur+DEXMMHAHhUiV49MYHIhgg+u6mIg8gj6NPL7YjSraQUTDqGToloikCqY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330521; c=relaxed/simple;
	bh=w05nUehMgqwD35vj2y2xYw7+UYzGcB8hX3kEdKcacUM=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=s49qqmYEFmqj9yTp1FNiNdArlTS2ALKiuuxLigviA2m/MH3XwGfyebReRChmRQntHj7y455CvcCBk+A1VbgT7eXHk4TocYDkFN/rCKstEyykETdNo2+xUNjaJFuC1xKx3XFu7WOWqgarQqjLDBGUbNSrNQ3Muh40zNGsQZK541E=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=IawSfX5q; arc=none smtp.client-ip=209.85.216.44
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="IawSfX5q"
Received: by mail-pj1-f44.google.com with SMTP id
 98e67ed59e1d1-2fa18088594so1370930a91.3
        for <linux-kernel@vger.kernel.org>;
 Tue, 11 Feb 2025 19:21:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330519; x=1739935319;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=ncxizXOAVrQ+BWFck4tB/XehU76xAVIOQApqyTjKcXY=;
        b=IawSfX5qB2NIA773BpHMcYG7zdu1MGJW2P8MV+XmDVUcVx/AytsNNwZnoIm1Pi4s99
         hkQFSyRGCnTD6eqrdjnatsKPmMP0K9OHmosSfvrViiZiLvVkPP67mVmDU8Y5hGNqfWP5
         spnLjP2rCy5bRZIlxyIzozQUjzYj5fgPhQR3M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330519; x=1739935319;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=ncxizXOAVrQ+BWFck4tB/XehU76xAVIOQApqyTjKcXY=;
        b=bxMHrelZr0+etw76LPjAih6BPs6n8mUl8nhsC1CNLOCkUnfNeM70b594zlI0x8WrZe
         vEXwHA+aXbWtm5H63zgYK0rfQCg7l+64+PiHoBDBFI2JZsk/yXhtQqAYoZ9tOH3uPvJN
         mVdOR7QY8PqhSBea2FMU2Qlna0lSXFp51/ODuaTmyTx1AoadqIHq5hgwxddlTc83rvnZ
         81BUxBiu9CvPwKHRut63egaOm/Xhd6QLULH9q5oaVVqgCyjTmS43jKRKdRG4+81t1GO3
         hA9U7h+BfrKAZI8Zhz8uzfwbPw/aOj3yaHVkLO2JsHoVZCG1whpfWgH2KgupR2H2drOv
         SYNw==
X-Gm-Message-State: AOJu0YwDWkWk3VFBcYljqEkV7A8TYRkMhCn6oeA8H0NIF2j6frTHN72D
	gGcxaUZVW4cks4R0DmvRd93btKNRRvQV6Ob7mdqnO/u2IkriXHv5BlSTxIUVzA==
X-Gm-Gg: ASbGnctU0txOrpjD9WSssOn/sSVT91dWkUvml2bLu8qhSJpyR5r2EpjYQy8QgM3wcji
	9ttKnCQ95v3WfhQqTGXY3V7tezAakhL+GdiGlSGv+QkAH4k5x92vSgDCJZfeXXvan+NjXbiq6R3
	l7ADO78YjJRNqjQCqlagSlUSnu1/2haGtWYypvZr8a8fIdS/aPfbGfkYRuoi8wxMEvmi9zSiAbu
	A8qHEZkfO1EqxVAbwtv+zuAFnp7fOFe0Suf9tiSK18W3bMXf9p5BV+hi/NCVm+K/0ZCJx3pKSCr
	fy0h8Bp9xUtUPLzz1H4RD6dqIS5s5o+DUJHBWCWnJUl4QfmFyg==
X-Google-Smtp-Source: 
 AGHT+IE4/7BwbuwtwfhXwLsB0i3Q5aZn7rPFgpOtvzT4ULZm4VcW3dgNVOfd6aFz9L3M8GZfkNV1AQ==
X-Received: by 2002:a05:6a00:181a:b0:730:8cfb:d5f5 with SMTP id
 d2e1a72fcca58-7322c4031d2mr872747b3a.6.1739330518746;
        Tue, 11 Feb 2025 19:21:58 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 d2e1a72fcca58-73089c88552sm5087106b3a.93.2025.02.11.19.21.58
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:21:58 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>
Subject: [RFC PATCH v5 2/7] selftests: x86: test_mremap_vdso: skip if vdso is
 msealed
Date: Wed, 12 Feb 2025 03:21:50 +0000
Message-ID: <20250212032155.1276806-3-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Jeff Xu <jeffxu@chromium.org>

Add code to detect if the vdso is memory sealed, skip the test
if it is.

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 .../testing/selftests/x86/test_mremap_vdso.c  | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/tools/testing/selftests/x86/test_mremap_vdso.c b/tools/testing=
/selftests/x86/test_mremap_vdso.c
index d53959e03593..c68077c56b22 100644
--- a/tools/testing/selftests/x86/test_mremap_vdso.c
+++ b/tools/testing/selftests/x86/test_mremap_vdso.c
@@ -14,6 +14,7 @@
 #include <errno.h>
 #include <unistd.h>
 #include <string.h>
+#include <stdbool.h>
=20
 #include <sys/mman.h>
 #include <sys/auxv.h>
@@ -55,13 +56,50 @@ static int try_to_remap(void *vdso_addr, unsigned long =
size)
=20
 }
=20
+#define VDSO_NAME "[vdso]"
+#define VMFLAGS "VmFlags:"
+#define MSEAL_FLAGS "sl"
+#define MAX_LINE_LEN 512
+
+bool vdso_sealed(FILE *maps)
+{
+	char line[MAX_LINE_LEN];
+	bool has_vdso =3D false;
+
+	while (fgets(line, sizeof(line), maps)) {
+		if (strstr(line, VDSO_NAME))
+			has_vdso =3D true;
+
+		if (has_vdso && !strncmp(line, VMFLAGS, strlen(VMFLAGS))) {
+			if (strstr(line, MSEAL_FLAGS))
+				return true;
+
+			return false;
+		}
+	}
+
+	return false;
+}
+
 int main(int argc, char **argv, char **envp)
 {
 	pid_t child;
+	FILE *maps;
=20
 	ksft_print_header();
 	ksft_set_plan(1);
=20
+	maps =3D fopen("/proc/self/smaps", "r");
+	if (!maps) {
+		ksft_test_result_skip("Could not open /proc/self/smaps\n");
+		return 0;
+	}
+
+	if (vdso_sealed(maps)) {
+		ksft_test_result_skip("vdso is sealed\n");
+		return 0;
+	}
+
 	child =3D fork();
 	if (child =3D=3D -1)
 		ksft_exit_fail_msg("failed to fork (%d): %m\n", errno);
--=20
2.48.1.502.g6dc24dfdaf-goog
From nobody Thu Dec 18 09:42:58 2025
Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com
 [209.85.214.171])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7CE551DB933
	for <linux-kernel@vger.kernel.org>; Wed, 12 Feb 2025 03:22:00 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.171
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330522; cv=none;
 b=OzL1QEehq53asuyGc5tWPO1RuEYHBZcORUAPL4QuTlxOlwrRMrQd6JUPfWNnzULP5kTjYnnHNBs94rvD9tfKGKskJTayQspR+FMr8pJz979C4sVJNbrwVPR0TLDmayQLGTUKGK6NUDhfa13osSPNTCF+KoH7bH5FqF9v3mMMIrI=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330522; c=relaxed/simple;
	bh=l7hq5FUIDAkHBVw6OKr53T6zReeP1iwdJbypvd6CNes=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=bjWyTjJigMig03oBII/gNicmJIm9Im/liLxEo1p7clgNufHoqolFJMbx8z4r0oLgKIAEU7mY+rKI8dHxu7e7WW2HgVCx+fCCHt8hfeXmtJ6GPDQZ2CR3EAGscmh3YZBcgwVpDVTaZfsTWy9NmwsAH8vyQYEj72zmu//EwcsIcro=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=DvKsIggC; arc=none smtp.client-ip=209.85.214.171
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="DvKsIggC"
Received: by mail-pl1-f171.google.com with SMTP id
 d9443c01a7336-21f6fb68502so7469875ad.3
        for <linux-kernel@vger.kernel.org>;
 Tue, 11 Feb 2025 19:22:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330520; x=1739935320;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=QF+XsAOZtoeX6mlWsDERSJyrasHSdBo5DRJV2HHqSDI=;
        b=DvKsIggCl4elQjG5VJYQlLuE59jue/Pr6e8h4fPvq5X1W+UcbT91teA1Dkr8QjZXVN
         D8KAGlfnSnQOIPNkAqvolth3KVcMybise8IgMIksvXSAIIZ9Hh24jPluiIug3j51im6B
         NHfvMrFYfYu7d81+w8evXpprkxvHPbzujRa+s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330520; x=1739935320;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=QF+XsAOZtoeX6mlWsDERSJyrasHSdBo5DRJV2HHqSDI=;
        b=QTpfA4I3Ssspvj5ijVj3Mqtvg6e7uzOz+obpB09PjFxHJ1w9o9k+w1/UWmgOsZMibG
         xO4Y1TtoDabxPvsACvhz1577ZbLDn2PF+hlD36YIikPCQigyOyOhbF2JwpGuHJUUlzT0
         mtR+FEA+J9NlD5CRqEyFekyKZTDNZ7Y2cR+xjoW66xDy2hXZ+vEsOk2vNgMkY3TO4U1d
         uKPyu8XI/w6/kQkQSx7HN6x8PHOPPNFxtuqI6dQUpZ7tPy0r54lhweLp4BTSkKvSSwIN
         e54eJLdrwq3lxFVD4mNej0BC5LgAZajEbBZBZ70t7FQTEg2UBXJZfXThE4CENcU4R6I5
         x74Q==
X-Gm-Message-State: AOJu0YxTzMdUT4B0aZ4NE3d8DYIUo7E77Syl0pEquxUta8LZ3zdkop2/
	U4AL3+LaoaNDbCCnH38noO5IIUVBTomche04a1W88nQ7+F5TF9BGhEt44BYsQA==
X-Gm-Gg: ASbGncvDsfmq7avXnsvvNaVht5kIbzgYmVLldKfyngcpdg4xEUkmuSw2lfUvpdFmhQz
	j0c2RcA/ceijOyAOTeFETK410YQnww6L8QOUZwr6zl/wlDxjrMIvr/jqyEnuek8l55sZiNLipkT
	qdNaAqosenjvsBYgChS7OlDfnbeGbPsiRoDN+KhTXxXFiz3chcV/h5uwTo2nfatlRL/WkszuJna
	bPMw6dccziyK01L77S+ATJKoj0BWaDozkbMZn4NLZkDXe5i60xNDPE2Fsiua7e/1PL48PayxbBm
	DDFTxp16rVVhcHWiO/A7e8H0ZbbKBzcuYmw8oJJ9tVx1VmVg1Q==
X-Google-Smtp-Source: 
 AGHT+IHHM7M1gkeTK0DkmrzJae9kr1fBnAHXJ9XN96tPbv9kYILCpzpkfCEUqgGotDXyfntPOksCow==
X-Received: by 2002:a17:902:f68f:b0:21f:207:bd88 with SMTP id
 d9443c01a7336-220bbf0220fmr10761195ad.3.1739330519734;
        Tue, 11 Feb 2025 19:21:59 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 d9443c01a7336-21f3683db25sm102503155ad.134.2025.02.11.19.21.59
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:21:59 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>
Subject: [RFC PATCH v5 3/7] mseal, system mappings: enable x86-64
Date: Wed, 12 Feb 2025 03:21:51 +0000
Message-ID: <20250212032155.1276806-4-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Jeff Xu <jeffxu@chromium.org>

Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on x86-64,
covering the vdso, vvar, vvar_vclock.

Production release testing passes on Android and Chrome OS.

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 arch/x86/Kconfig          |  1 +
 arch/x86/entry/vdso/vma.c | 17 +++++++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 87198d957e2f..8fa17032ca46 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -26,6 +26,7 @@ config X86_64
 	depends on 64BIT
 	# Options that are inherently 64-bit kernel only:
 	select ARCH_HAS_GIGANTIC_PAGE
+	select ARCH_HAS_MSEAL_SYSTEM_MAPPINGS
 	select ARCH_SUPPORTS_INT128 if CC_HAS_INT128
 	select ARCH_SUPPORTS_PER_VMA_LOCK
 	select ARCH_SUPPORTS_HUGE_PFNMAP if TRANSPARENT_HUGEPAGE
diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
index 39e6efc1a9ca..b5273dadd64a 100644
--- a/arch/x86/entry/vdso/vma.c
+++ b/arch/x86/entry/vdso/vma.c
@@ -13,6 +13,7 @@
 #include <linux/random.h>
 #include <linux/elf.h>
 #include <linux/cpu.h>
+#include <linux/userprocess.h>
 #include <linux/ptrace.h>
 #include <linux/time_namespace.h>
=20
@@ -247,6 +248,7 @@ static int map_vdso(const struct vdso_image *image, uns=
igned long addr)
 	struct mm_struct *mm =3D current->mm;
 	struct vm_area_struct *vma;
 	unsigned long text_start;
+	unsigned long vm_flags;
 	int ret =3D 0;
=20
 	if (mmap_write_lock_killable(mm))
@@ -264,11 +266,12 @@ static int map_vdso(const struct vdso_image *image, u=
nsigned long addr)
 	/*
 	 * MAYWRITE to allow gdb to COW and set breakpoints
 	 */
+	vm_flags =3D VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC;
+	vm_flags |=3D mseal_system_mappings();
 	vma =3D _install_special_mapping(mm,
 				       text_start,
 				       image->size,
-				       VM_READ|VM_EXEC|
-				       VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
+				       vm_flags,
 				       &vdso_mapping);
=20
 	if (IS_ERR(vma)) {
@@ -276,11 +279,12 @@ static int map_vdso(const struct vdso_image *image, u=
nsigned long addr)
 		goto up_fail;
 	}
=20
+	vm_flags =3D VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|VM_PFNMAP;
+	vm_flags |=3D mseal_system_mappings();
 	vma =3D _install_special_mapping(mm,
 				       addr,
 				       (__VVAR_PAGES - VDSO_NR_VCLOCK_PAGES) * PAGE_SIZE,
-				       VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|
-				       VM_PFNMAP,
+				       vm_flags,
 				       &vvar_mapping);
=20
 	if (IS_ERR(vma)) {
@@ -289,11 +293,12 @@ static int map_vdso(const struct vdso_image *image, u=
nsigned long addr)
 		goto up_fail;
 	}
=20
+	vm_flags =3D VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|VM_PFNMAP;
+	vm_flags |=3D mseal_system_mappings();
 	vma =3D _install_special_mapping(mm,
 				       addr + (__VVAR_PAGES - VDSO_NR_VCLOCK_PAGES) * PAGE_SIZE,
 				       VDSO_NR_VCLOCK_PAGES * PAGE_SIZE,
-				       VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|
-				       VM_PFNMAP,
+				       vm_flags,
 				       &vvar_vclock_mapping);
=20
 	if (IS_ERR(vma)) {
--=20
2.48.1.502.g6dc24dfdaf-goog
From nobody Thu Dec 18 09:42:58 2025
Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com
 [209.85.216.50])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8BED91DA60F
	for <linux-kernel@vger.kernel.org>; Wed, 12 Feb 2025 03:22:01 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.50
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330523; cv=none;
 b=BfCrnAH8VLRoSpNGl+uHGVmKrCD4ZpC0dulpMOQpmVZTCfDUxyrszPyAPpuuqU3PgYysyQQt1gao+DcLaVkSeZk4eLT9l1doP/9Qgz5o09UyiImM85NOzZne4QU4zn3VPSKSUvZqExNSkln/dlyYWWujHLdGWoZJ9rIrGnEUVAg=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330523; c=relaxed/simple;
	bh=rbKCgrhSnltAq4HphfqxDQL2WDHmk7Ibm7vobAi6Ezk=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=DXboqkF8BacApswKnH3PjdUgXuojx7uViDqYU/aMhJS94lObLtEiogadKADd1FYzMk06TE3+mznI+qzGLx8WTDudaeLpcrgNh11YBP1BKiRdqUrie2o2+4wzGtsViq8Vx7kzsQCjTASdT5JUCpbt9J6c4kvfJKdUQJsb4deqLDk=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=ZxpavU03; arc=none smtp.client-ip=209.85.216.50
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="ZxpavU03"
Received: by mail-pj1-f50.google.com with SMTP id
 98e67ed59e1d1-2fa1c3ac70cso1387782a91.0
        for <linux-kernel@vger.kernel.org>;
 Tue, 11 Feb 2025 19:22:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330521; x=1739935321;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=l7pPl+80co4+z7JP7yvzolDYDYVYpoOhsDUrxcZkGCI=;
        b=ZxpavU03xFkpCelm5FYcB82bogOeN93OZfk0WyvdJHXoBuBCLZcjLWeCKYOquRgSQ2
         Gzn45gr/KMF1DbDg2DSJIFeFHITzgy4KFc4zq7Ta2rPlOTkNPrdjXRSKI7zK3Jvl2KgN
         l9UM4N3k9cQ7wWtg86ODmAvy8RmOWO65QKhFk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330521; x=1739935321;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=l7pPl+80co4+z7JP7yvzolDYDYVYpoOhsDUrxcZkGCI=;
        b=s5R/5557pAhHKa23hqv1ClSAxiYOTutm0OZJ8mv7wwUMK72gyHjaxPqfSOtg+Ggi7C
         Lv56CY/q0M3zFfcs9MSx1EWHgmd9f+p6cdpmGfzu6lAKFB90ByIHyBjOm25RqTR0bhqG
         +aJoXv8mpNqnFKBgCa0oLUqqJ8dMforf4Trp2PIZlI1mO4E1t9aqWArUYa3fdnSlM7c2
         v1208MCFchKsnWVQg4qBXZs+RijRu+3ExIkE49+dJPEqaOzLu8C6e5JDfZkTGrwaVfOw
         RS+ETwVH7QPjTTj1O0x0Mp3PGDeopBOhtWpoGhUFxW8kt1oCILxn7wLw3FdxiaPTrAgb
         Mhjg==
X-Gm-Message-State: AOJu0YzwCc01mFT2waSuvp9kglHG29RzOE+Vhc381QBeCwZ8/Gz8OEUW
	HAthWTpyO16j6fVgSnrC7M0B9qMNn6rJYZHGuH8D+3AC6PbKozoQYe7twJ1bmg==
X-Gm-Gg: ASbGncuE6IMBLswa9ig/S7T4oiw/hRRStrXsGufspXq9NZjS/7rhndsxFPk5st+JVNw
	r5zLIEBULJcmzfwWXCBeD2uKUplqNIBBAQvgMePBLl309DG6hA2O+no3hbNzGwqS8elDs6sURB4
	rPOajXNMCMP/Gunitq3qxBBgJYb1ESoJOlaDgEaCDr3wN/f2YPDTcvgcgnytzDqzYGiyMb8mV0B
	co3KrOGZm3Sk/lr0gJT86hCKedhbJ+6jnLBjYacPUaXlavLK6WJu1M4U4MAtGCMQE9qP0aAGDPZ
	vH3OP/N3t2XcOlveysh5cfigoT08ck11HSlh1MX69SkT1I9DMg==
X-Google-Smtp-Source: 
 AGHT+IEQjI3mXwIsERllpCdgEEkG55fGZ2UKV6IZsw6M1hblfR3OjmOt9QtTdXsaFePhUPJi1BBTqA==
X-Received: by 2002:a05:6a00:ac06:b0:725:46cc:719a with SMTP id
 d2e1a72fcca58-7322c3780fdmr864380b3a.1.1739330520652;
        Tue, 11 Feb 2025 19:22:00 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 d2e1a72fcca58-7309569d6efsm4018014b3a.92.2025.02.11.19.22.00
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:22:00 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>
Subject: [RFC PATCH v5 4/7] mseal, system mappings: enable arm64
Date: Wed, 12 Feb 2025 03:21:52 +0000
Message-ID: <20250212032155.1276806-5-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Jeff Xu <jeffxu@chromium.org>

Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on arm64, covering
the vdso, vvar, and compat-mode vectors and sigpage mappings.

Production release testing passes on Android and Chrome OS.

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 arch/arm64/Kconfig       |  1 +
 arch/arm64/kernel/vdso.c | 23 ++++++++++++++++-------
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index fcdd0ed3eca8..39202aa9a5af 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -38,6 +38,7 @@ config ARM64
 	select ARCH_HAS_KEEPINITRD
 	select ARCH_HAS_MEMBARRIER_SYNC_CORE
 	select ARCH_HAS_MEM_ENCRYPT
+	select ARCH_HAS_MSEAL_SYSTEM_MAPPINGS
 	select ARCH_HAS_NMI_SAFE_THIS_CPU_OPS
 	select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
 	select ARCH_HAS_NONLEAF_PMD_YOUNG if ARM64_HAFT
diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c
index e8ed8e5b713b..cfe2f5b344c4 100644
--- a/arch/arm64/kernel/vdso.c
+++ b/arch/arm64/kernel/vdso.c
@@ -15,6 +15,7 @@
 #include <linux/gfp.h>
 #include <linux/kernel.h>
 #include <linux/mm.h>
+#include <linux/userprocess.h>
 #include <linux/sched.h>
 #include <linux/signal.h>
 #include <linux/slab.h>
@@ -183,6 +184,7 @@ static int __setup_additional_pages(enum vdso_abi abi,
 {
 	unsigned long vdso_base, vdso_text_len, vdso_mapping_len;
 	unsigned long gp_flags =3D 0;
+	unsigned long vm_flags;
 	void *ret;
=20
 	BUILD_BUG_ON(VVAR_NR_PAGES !=3D __VVAR_PAGES);
@@ -197,8 +199,10 @@ static int __setup_additional_pages(enum vdso_abi abi,
 		goto up_fail;
 	}
=20
+	vm_flags =3D VM_READ|VM_MAYREAD|VM_PFNMAP;
+	vm_flags |=3D mseal_system_mappings();
 	ret =3D _install_special_mapping(mm, vdso_base, VVAR_NR_PAGES * PAGE_SIZE,
-				       VM_READ|VM_MAYREAD|VM_PFNMAP,
+				       vm_flags,
 				       &vvar_map);
 	if (IS_ERR(ret))
 		goto up_fail;
@@ -208,9 +212,10 @@ static int __setup_additional_pages(enum vdso_abi abi,
=20
 	vdso_base +=3D VVAR_NR_PAGES * PAGE_SIZE;
 	mm->context.vdso =3D (void *)vdso_base;
+	vm_flags =3D VM_READ|VM_EXEC|gp_flags|VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC;
+	vm_flags |=3D mseal_system_mappings();
 	ret =3D _install_special_mapping(mm, vdso_base, vdso_text_len,
-				       VM_READ|VM_EXEC|gp_flags|
-				       VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
+				       vm_flags,
 				       vdso_info[abi].cm);
 	if (IS_ERR(ret))
 		goto up_fail;
@@ -326,6 +331,7 @@ arch_initcall(aarch32_alloc_vdso_pages);
 static int aarch32_kuser_helpers_setup(struct mm_struct *mm)
 {
 	void *ret;
+	unsigned long vm_flags;
=20
 	if (!IS_ENABLED(CONFIG_KUSER_HELPERS))
 		return 0;
@@ -334,9 +340,10 @@ static int aarch32_kuser_helpers_setup(struct mm_struc=
t *mm)
 	 * Avoid VM_MAYWRITE for compatibility with arch/arm/, where it's
 	 * not safe to CoW the page containing the CPU exception vectors.
 	 */
+	vm_flags =3D VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYEXEC;
+	vm_flags |=3D mseal_system_mappings();
 	ret =3D _install_special_mapping(mm, AARCH32_VECTORS_BASE, PAGE_SIZE,
-				       VM_READ | VM_EXEC |
-				       VM_MAYREAD | VM_MAYEXEC,
+				       vm_flags,
 				       &aarch32_vdso_maps[AA32_MAP_VECTORS]);
=20
 	return PTR_ERR_OR_ZERO(ret);
@@ -345,6 +352,7 @@ static int aarch32_kuser_helpers_setup(struct mm_struct=
 *mm)
 static int aarch32_sigreturn_setup(struct mm_struct *mm)
 {
 	unsigned long addr;
+	unsigned long vm_flags;
 	void *ret;
=20
 	addr =3D get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
@@ -357,9 +365,10 @@ static int aarch32_sigreturn_setup(struct mm_struct *m=
m)
 	 * VM_MAYWRITE is required to allow gdb to Copy-on-Write and
 	 * set breakpoints.
 	 */
+	vm_flags =3D VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC;
+	vm_flags |=3D mseal_system_mappings();
 	ret =3D _install_special_mapping(mm, addr, PAGE_SIZE,
-				       VM_READ | VM_EXEC | VM_MAYREAD |
-				       VM_MAYWRITE | VM_MAYEXEC,
+				       vm_flags,
 				       &aarch32_vdso_maps[AA32_MAP_SIGPAGE]);
 	if (IS_ERR(ret))
 		goto out;
--=20
2.48.1.502.g6dc24dfdaf-goog
From nobody Thu Dec 18 09:42:58 2025
Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com
 [209.85.214.179])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6CFC91DB958
	for <linux-kernel@vger.kernel.org>; Wed, 12 Feb 2025 03:22:02 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.179
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330524; cv=none;
 b=eYbUCku3otyBshQdJH629ZNII22WatGG6P8FweybnLCgI4flfcEN6eIA/ljyUWhxCYuB2Hk8JGyZbXegiutJ0rvSJdWo8wpUDpgevzZFOQn+nFhCJNfW6Tz0Gx8gnmj7MY/0cnmgQHDgknCAABu7uX/gEnaiAeRDP0iAaVZVzFM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330524; c=relaxed/simple;
	bh=vaPHeEEUVjAtZeidG2hNXfFKCf7yTmWopFw9HmRLawQ=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=k1ziLNdhFGHrZOPynvsfI72d6xvW2QIP+nWpwa2IhFTu0LBqVrYWhTOeMCVw2TKZi73tqNCo8nKyPGpWvA91AzL1lN7IPIHcHy10eJbUpv97KhbYIgY/ylCYiXDWRh5XPRi3P59Hc6h8WE19mt8tpsKPpOVivYdLdPND0btGGTg=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=g4fzrQYR; arc=none smtp.client-ip=209.85.214.179
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="g4fzrQYR"
Received: by mail-pl1-f179.google.com with SMTP id
 d9443c01a7336-218c8ac69faso13351665ad.3
        for <linux-kernel@vger.kernel.org>;
 Tue, 11 Feb 2025 19:22:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330522; x=1739935322;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=9CGVA5eSPFfsHEVs7rjQnee/yKRru+0Ft1a+zzsFXds=;
        b=g4fzrQYRZQn8oU/MkluKtm4c4tfyjg0lKP1WP/EccputHeDTs9CVEGRC21WSYmUW9P
         9GYsvTmiMKZ9IcV/oeH2zzR41YqIf6gMQwX0OIUazmdE+Nk1yQFqe/i98OeqMscwY6Ev
         SYGHcSePt1WWnh2Aim2cwItO2U4IPkMEgLO/0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330522; x=1739935322;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=9CGVA5eSPFfsHEVs7rjQnee/yKRru+0Ft1a+zzsFXds=;
        b=DWcb3XE/7IFU3pSUgTiot8OwK3WnDxhVN6O9XqhSmt07paKA8HDBcIw9mVI0gRv077
         6M2HLI+fuaELLN3M4Ogr77NnmuDYTxprkC0MAF/F8yAfgofywySgrq1R3eCTGiQ0MSoO
         /in4OzRq2RtVbMuajAHMc8lWeDryNMUsfNX2Nji6wMcuLjZ2TOhSfKA88TWcuT66tO6t
         2VDndsxs1hqoZo5v72UNwKtBCYNoQevZTPA6jJ0NJxySCLae1SCbXEp4kNEOS/aUG0vN
         XZ8v8aqSfefg1Vc9CeUqWMg73JrY2b+xKo7JNV/vWrD0hpgTVbBOiD69ljKtJZszijZL
         2QoQ==
X-Gm-Message-State: AOJu0YxkhRvpTuuiDLvo6qO8v7UCuvIgmDvaPKraAcpwEzIVojY9lZb4
	o49dzqCkRmBgijs/C1YZ9ER8CYPK0VEH6LoTpHtztYXDFK5hhjI67ZA4lnWgEQ==
X-Gm-Gg: ASbGncvby1ugWpNmQtHmomjm5cp42j7qFpIBZsRxKCCDG4xvaq0nrECeva6faPfnKWo
	7U7g8D5+Gr3XeroYrm04FREV0ZPH2wXhE2E5KpcPik64maQ/o73YDWjrAChVJnK7jfzKXtEYv5I
	yHcz8y6ATsAlZ8/f99MVAITvmX/9VIqitKdy69itWxmlLM1uLDvVS3Vn6qbynN2AaH+tYP5vqny
	UkHbEHX1mINWo6ZeeYU9d3645SEspTGxoxUcuqvqMp1hwGsnjZt8r4bq1lafLkz5xakQ6t5LLE3
	8wmtNWR/hgiJiyIPBw+MXFif5S6xcu8qqyfU8HWWBUKFSSRK9Q==
X-Google-Smtp-Source: 
 AGHT+IGRZPknLjE2cjsyC6HVD4KIdBjVV6wxieEwLxc5+sxlPK5wduEZddMX8O/rsN2prx5qJfmRrA==
X-Received: by 2002:a17:903:22c5:b0:21b:d105:26a7 with SMTP id
 d9443c01a7336-220bbb045admr10703335ad.6.1739330521639;
        Tue, 11 Feb 2025 19:22:01 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 d9443c01a7336-21f3683d8b2sm102324115ad.119.2025.02.11.19.22.01
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:22:01 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>,
	Benjamin Berg <benjamin.berg@intel.com>
Subject: [RFC PATCH v5 5/7] mseal, system mappings: enable uml architecture
Date: Wed, 12 Feb 2025 03:21:53 +0000
Message-ID: <20250212032155.1276806-6-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Jeff Xu <jeffxu@chromium.org>

Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on UML, covering
the vdso.

Testing passes on UML.

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
Tested-by: Benjamin Berg <benjamin.berg@intel.com>
---
 arch/um/Kconfig        | 1 +
 arch/x86/um/vdso/vma.c | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/um/Kconfig b/arch/um/Kconfig
index 18051b1cfce0..eb2d439a5334 100644
--- a/arch/um/Kconfig
+++ b/arch/um/Kconfig
@@ -10,6 +10,7 @@ config UML
 	select ARCH_HAS_FORTIFY_SOURCE
 	select ARCH_HAS_GCOV_PROFILE_ALL
 	select ARCH_HAS_KCOV
+	select ARCH_HAS_MSEAL_SYSTEM_MAPPINGS
 	select ARCH_HAS_STRNCPY_FROM_USER
 	select ARCH_HAS_STRNLEN_USER
 	select HAVE_ARCH_AUDITSYSCALL
diff --git a/arch/x86/um/vdso/vma.c b/arch/x86/um/vdso/vma.c
index f238f7b33cdd..a68919db0ff7 100644
--- a/arch/x86/um/vdso/vma.c
+++ b/arch/x86/um/vdso/vma.c
@@ -6,6 +6,7 @@
 #include <linux/slab.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
+#include <linux/userprocess.h>
 #include <asm/page.h>
 #include <asm/elf.h>
 #include <linux/init.h>
@@ -54,6 +55,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm=
, int uses_interp)
 {
 	struct vm_area_struct *vma;
 	struct mm_struct *mm =3D current->mm;
+	unsigned long vm_flags;
 	static struct vm_special_mapping vdso_mapping =3D {
 		.name =3D "[vdso]",
 	};
@@ -65,9 +67,10 @@ int arch_setup_additional_pages(struct linux_binprm *bpr=
m, int uses_interp)
 		return -EINTR;
=20
 	vdso_mapping.pages =3D vdsop;
+	vm_flags =3D VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC;
+	vm_flags |=3D mseal_system_mappings();
 	vma =3D _install_special_mapping(mm, um_vdso_addr, PAGE_SIZE,
-		VM_READ|VM_EXEC|
-		VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
+		vm_flags,
 		&vdso_mapping);
=20
 	mmap_write_unlock(mm);
--=20
2.48.1.502.g6dc24dfdaf-goog
From nobody Thu Dec 18 09:42:58 2025
Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com
 [209.85.214.176])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 573BD1E7C20
	for <linux-kernel@vger.kernel.org>; Wed, 12 Feb 2025 03:22:03 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.176
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330526; cv=none;
 b=EB/NhotjTR0IhFNTmqsIPqCKk0jbhvuV8f4KbQBc0OvV4FuzwT7jQp1EfPy7NlycPJu4p8p5i+De252HzwbQNxBlVsBlwLfnUbrIx3qQwWZwaXQkveBK3TqgaXEOQvBXLwZNeyVaCjAsvBIPMUOABQ9pGrzsZzHh5kMXNYVAQFE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330526; c=relaxed/simple;
	bh=rT7bFBNt1F+exb7tPl5r3kNd1kDl3uip2zjF/VDFZKc=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=MQFjqnM/RIxIxcA+3GuiZTMg4OXMIDeOrlpWHKZ2+WpkviiWhgIJvMLK3euNgYLGvaOczIBuNkOd90o0lClS6ZGcjhFXSSscpzaJawIR4AS+KiDQ/v/7i8gKd+oJ27iMyh9PZjO4uZGeEEwl5ajw15RFceoRwyt0v7WiaM/IeRQ=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=oMBtQLEh; arc=none smtp.client-ip=209.85.214.176
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="oMBtQLEh"
Received: by mail-pl1-f176.google.com with SMTP id
 d9443c01a7336-2166db59927so13166995ad.0
        for <linux-kernel@vger.kernel.org>;
 Tue, 11 Feb 2025 19:22:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330522; x=1739935322;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=ZDmXk529F7J07bTvTA0+iYc1CKNvDiUkVRu5HOXs43g=;
        b=oMBtQLEhicnC/QBq+zDSHW76MzQFFq0HsIZFVCPUMsGqjbq6p2X6iIpbKBy27li2lA
         I97CnA5u5B93kl85ZqwGNjcA8aBHHgKk3XC5kLLPgDZiFzFf0WN0Y7cFyxsHqIGkMpdS
         2OsnraFHHbuZkA0x7tFnh3mu+zolDMtXz0YsM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330522; x=1739935322;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=ZDmXk529F7J07bTvTA0+iYc1CKNvDiUkVRu5HOXs43g=;
        b=osd9P4JXp96qxQhBOBMhXkSsZuw/pX3eRc7jIIIVyKn+204307pHZFmq80ra1gXSJH
         OSCu6gZXnTBTq3qR+kjV/sXsAelNxpRpPpXybafF3gu5000okotH9Mo39mcAcpDkRVib
         7ftaYAkl8dcRzO98LShn1PPL0Nkix4KCOcH5r9nIz7TMASi9Qv5BE7PZHnbv9wZ8KTNl
         Q/3qpkFFw9uQhhEhhbIViV/D+ZyLGn8hrlSknoOO3Qw8W5xjOlv+icFYajAu35lIMdE2
         AyYgZGEC7liFRlygymSWY7+n1Td6Pj2pd6YQZI7a4RCUGa97QsMyLm+jIbkmj7cvMuoL
         xjfQ==
X-Gm-Message-State: AOJu0YzyFBzPUrVcOU8z/3zGN5x0iKB7jLz4PupqjS+5upPnAaH5uS41
	iABeayLAI9g04ixmxPLsBFQ1hEGzs8jjRGv2KTe09HmoQF/o1YNvpcT63mSYlw==
X-Gm-Gg: ASbGncvJJnGqcNnvpsElxk22BihxSHvuQxgnRamjd82U5P1xRwpBRbaIcxf7w6zqy5t
	erdY+0yv62XPIVrwQxsmott0LPwSt9KNKewPR6DCM2GrQS4KAW81jjPdnEiu6KuP9U34ahPzDgB
	QJ2ghUciM50BZEfnZT/irLMnI82Yfu1iu1stzcdD/IZXBubiGL5Q1Trj9rxacl+N3TawS5nN8J7
	KTiKpjD89nvOHoonG/06bNaOY43BDQW/LTwoNLzDR6HaPFFxNr8kj2AZ8iuwCZ9ajzuB85gpIba
	ESXA35n6o3xNvqVxK4pYc6BbkwtzX9mkH0fQrqEcXCPzCCP/GQ==
X-Google-Smtp-Source: 
 AGHT+IGLyjV6DGNlQC70XXyU6c8VYNX9NRu9NY3TAy8HoniHcIPDAY3iv7rogZ2WB1DXQE04jazm3Q==
X-Received: by 2002:a17:902:f791:b0:20c:da9a:d5b9 with SMTP id
 d9443c01a7336-220bbad0cf2mr11063425ad.5.1739330522551;
        Tue, 11 Feb 2025 19:22:02 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 d9443c01a7336-21f36897faesm102883195ad.213.2025.02.11.19.22.02
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:22:02 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>
Subject: [RFC PATCH v5 6/7] mseal, system mappings: uprobe mapping
Date: Wed, 12 Feb 2025 03:21:54 +0000
Message-ID: <20250212032155.1276806-7-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Jeff Xu <jeffxu@chromium.org>

Provide support to mseal the uprobe mapping.

Unlike other system mappings, the uprobe mapping is not
established during program startup. However, its lifetime is the same
as the process's lifetime. It could be sealed from creation.

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 kernel/events/uprobes.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 2ca797cbe465..55e0fa21eee6 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -22,6 +22,7 @@
 #include <linux/ptrace.h>	/* user_enable_single_step */
 #include <linux/kdebug.h>	/* notifier mechanism */
 #include <linux/percpu-rwsem.h>
+#include <linux/userprocess.h>
 #include <linux/task_work.h>
 #include <linux/shmem_fs.h>
 #include <linux/khugepaged.h>
@@ -1662,6 +1663,7 @@ static const struct vm_special_mapping xol_mapping =
=3D {
 static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
 {
 	struct vm_area_struct *vma;
+	unsigned long vm_flags;
 	int ret;
=20
 	if (mmap_write_lock_killable(mm))
@@ -1682,8 +1684,10 @@ static int xol_add_vma(struct mm_struct *mm, struct =
xol_area *area)
 		}
 	}
=20
+	vm_flags =3D VM_EXEC|VM_MAYEXEC|VM_DONTCOPY|VM_IO;
+	vm_flags |=3D mseal_system_mappings();
 	vma =3D _install_special_mapping(mm, area->vaddr, PAGE_SIZE,
-				VM_EXEC|VM_MAYEXEC|VM_DONTCOPY|VM_IO,
+				vm_flags,
 				&xol_mapping);
 	if (IS_ERR(vma)) {
 		ret =3D PTR_ERR(vma);
--=20
2.48.1.502.g6dc24dfdaf-goog
From nobody Thu Dec 18 09:42:58 2025
Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com
 [209.85.214.180])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6941E1D7E50
	for <linux-kernel@vger.kernel.org>; Wed, 12 Feb 2025 03:22:04 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.180
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1739330526; cv=none;
 b=LNgGGFgzHcf40WlJvSesjo+oyEXBdKfXL8+8Bq+Lt8tobA9PH67G8GDCp7sUMA6LAyjWxxd6VuE8oeH35j7GHicbwX07PyBRS8M7bFO9p4zAQ1OG705/PZNAv6Lukua6HYpnVUSFHPeSmW+busarEQ5F0qfdDa0qwnuD8J3K1YI=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1739330526; c=relaxed/simple;
	bh=PT30LLdMtYpa2VkGGccvOtXA9HUhUF4omPyr+dgwXow=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=udHZBND1yYOi8C4Y67xyicGrW3VOQwU9ubC4HbavzN6QHObW85RgDk3LkjMR3EFd5X0jA8cGzSTWW0c+8UduhYX/IhCJ1nSJ4BVSmLbXMCLx3S0j92AloERXLhf3W2sse5dO5FWtokDk1ndZrcyW/uKPy+UctdyVbRw8q6KRlSs=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=fKW9fDp2; arc=none smtp.client-ip=209.85.214.180
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="fKW9fDp2"
Received: by mail-pl1-f180.google.com with SMTP id
 d9443c01a7336-2166db59927so13167095ad.0
        for <linux-kernel@vger.kernel.org>;
 Tue, 11 Feb 2025 19:22:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1739330523; x=1739935323;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=wlSoQdNptgY7247+UT5J4unGLwbIYWVI4vHulpaAU8w=;
        b=fKW9fDp2tFP/xaBH4j02xTqPENg0CY4C1V9yvjlbf2JfdBiPP4Egi1G/IKpypaxKLn
         jaJiyhvJ/NiT7MUyqWdXIKuODWWjfvj4ZHx4nIrcspQDdNAqCjCfCbnQxyO+qFoHJ+3r
         Gc7JYbGnUCUbrW8xYgwHZJ66xs7dgjcMkNcTs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739330523; x=1739935323;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=wlSoQdNptgY7247+UT5J4unGLwbIYWVI4vHulpaAU8w=;
        b=u0H1ZW1Z6+aLjwMQ+c/RXWr7I2kgPSNvXx87dvusGBZziB/JopS7JK4zYFh0FxfDEa
         4R8GbnFHsdAcA82D6hPgAukbFEa+LmRdDahjl7jd8gKoT5AXeSlL4XvQThz1JdUPe9au
         4wCnzzLJhugLDM/PsFPyUAXyeojfEKMkjO8N2AABLeHiXbiOIJTSemaG2wlPG5VDaPrv
         wMkihly+9iTpVfaCpRRk/YhaFdrg9mXz2rO3xck+6Ufdqz6UsFI9QnqCBsh4OtYR5kxi
         QS7In2OmW2SFNnA64ifkssJKrWneDL23CNsgkBC+UiVrffEXpVo3NoKx6TVQkscA9NYq
         46nA==
X-Gm-Message-State: AOJu0YwU6cZH1xy71Q4bTpeFLNtbBC0OH7kYM+xaQHjJ1IZVOxZ9E2zd
	v3WxwIsDdMNlFQ0ECKsLVpxghN7IxSky5PpbcLn+fXQO8DPp31LMUXOYbbDmfQ==
X-Gm-Gg: ASbGncv3gccYKsqK3ief/3TLdrgbgICT3VQbHCRcGd5dNRljxfRTVoaFvzmT10yHQ/H
	kgWSfKtzYKIYBE8TIVyKTg2vYit4fmIos01q+Wm5XIYTTB8uzLc0LpFSi3nkXCxXRQQxVTeS92n
	za/mio15Tg8jvXCTNW/NlTfAwVYSQmxT9ufYJhbrxTmBLWjkdHuvB0q/RuA2F3ApAYummzvY2Qp
	cnXh4F14DkxsEmZv/YmD5GmX8PO10lgfvIYunRz6wbO9+O6S+3smBb8VrZJHjM0FvZq/orEjuGZ
	dI8OXSPO0eBZ+KBQpPIaCcIX8/OdAxOQMaJeo60eJkuenuirMw==
X-Google-Smtp-Source: 
 AGHT+IHih9DPBHtIxeZtSPdWvKIHKG8FUBtw2uxCsB6lpgOAKvHZ+pA5HJl7oCK9T6pOYiqVU0U5tA==
X-Received: by 2002:a17:903:2bcb:b0:21f:356:758f with SMTP id
 d9443c01a7336-220bbaae950mr11340995ad.3.1739330523575;
        Tue, 11 Feb 2025 19:22:03 -0800 (PST)
Received: from localhost (9.184.168.34.bc.googleusercontent.com.
 [34.168.184.9])
        by smtp.gmail.com with UTF8SMTPSA id
 d9443c01a7336-21faa49249dsm32295415ad.158.2025.02.11.19.22.02
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 11 Feb 2025 19:22:03 -0800 (PST)
From: jeffxu@chromium.org
To: akpm@linux-foundation.org,
	keescook@chromium.org,
	jannh@google.com,
	torvalds@linux-foundation.org,
	vbabka@suse.cz,
	lorenzo.stoakes@oracle.com,
	Liam.Howlett@Oracle.com,
	adhemerval.zanella@linaro.org,
	oleg@redhat.com,
	avagin@gmail.com,
	benjamin@sipsolutions.net
Cc: linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	jorgelo@chromium.org,
	sroettger@google.com,
	hch@lst.de,
	ojeda@kernel.org,
	thomas.weissschuh@linutronix.de,
	adobriyan@gmail.com,
	johannes@sipsolutions.net,
	pedro.falcato@gmail.com,
	hca@linux.ibm.com,
	willy@infradead.org,
	anna-maria@linutronix.de,
	mark.rutland@arm.com,
	linus.walleij@linaro.org,
	Jason@zx2c4.com,
	deller@gmx.de,
	rdunlap@infradead.org,
	davem@davemloft.net,
	peterx@redhat.com,
	f.fainelli@gmail.com,
	gerg@kernel.org,
	dave.hansen@linux.intel.com,
	mingo@kernel.org,
	ardb@kernel.org,
	mhocko@suse.com,
	42.hyeyoo@gmail.com,
	peterz@infradead.org,
	ardb@google.com,
	enh@google.com,
	rientjes@google.com,
	groeck@chromium.org,
	mpe@ellerman.id.au,
	aleksandr.mikhalitsyn@canonical.com,
	mike.rapoport@gmail.com,
	Jeff Xu <jeffxu@chromium.org>
Subject: [RFC PATCH v5 7/7] mseal, system mappings: update mseal.rst
Date: Wed, 12 Feb 2025 03:21:55 +0000
Message-ID: <20250212032155.1276806-8-jeffxu@google.com>
X-Mailer: git-send-email 2.48.1.502.g6dc24dfdaf-goog
In-Reply-To: <20250212032155.1276806-1-jeffxu@google.com>
References: <20250212032155.1276806-1-jeffxu@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Jeff Xu <jeffxu@chromium.org>

Update memory sealing documentation to include details about system
mappings.

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 Documentation/userspace-api/mseal.rst | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Documentation/userspace-api/mseal.rst b/Documentation/userspac=
e-api/mseal.rst
index 41102f74c5e2..1e4c996dfb75 100644
--- a/Documentation/userspace-api/mseal.rst
+++ b/Documentation/userspace-api/mseal.rst
@@ -130,6 +130,11 @@ Use cases
=20
 - Chrome browser: protect some security sensitive data structures.
=20
+- System mappings:
+  If supported by an architecture (via CONFIG_ARCH_HAS_MSEAL_SYSTEM_MAPPIN=
GS),
+  the CONFIG_MSEAL_SYSTEM_MAPPINGS seals system mappings, e.g. vdso, vvar,
+  uprobes, sigpage, vectors, etc.
+
 When not to use mseal
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 Applications can apply sealing to any virtual memory region from userspace,
--=20
2.48.1.502.g6dc24dfdaf-goog