may_mprotect()

Borislav Petkov Thu, 25 Jun 2020 10:15:27 -0700

On Thu, Jun 18, 2020 at 01:08:32AM +0300, Jarkko Sakkinen wrote:
> From: Sean Christopherson <sean.j.christopher...@intel.com>
> 
> Add vm_ops()->may_mprotect() to check additional constraints.
> 
> SGX uses this callback to add two constraints:
> 
> 1. Verify that the address range does not have holes: for each page
>    address, there is an actual enclave page created.
> 2. Mapped permissions do not surpass the lowest enclave page permissions
>    in the address range.
> 
> linux...@kvack.org
> Andrew Morton <a...@linux-foundation.org>


Something ate the Cc:s. Lemme add the mm list, akpm is already on Cc.

Leaving in the rest for mm folks.

> Acked-by: Jethro Beekman <jet...@fortanix.com>
> Signed-off-by: Sean Christopherson <sean.j.christopher...@intel.com>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
> ---
>  include/linux/mm.h |  2 ++
>  mm/mprotect.c      | 14 +++++++++++---
>  2 files changed, 13 insertions(+), 3 deletions(-)
> 
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index dc7b87310c10..be40b9c29327 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -542,6 +542,8 @@ struct vm_operations_struct {
>       void (*close)(struct vm_area_struct * area);
>       int (*split)(struct vm_area_struct * area, unsigned long addr);
>       int (*mremap)(struct vm_area_struct * area);
> +     int (*may_mprotect)(struct vm_area_struct *vma, unsigned long start,
> +                         unsigned long end, unsigned long prot);
>       vm_fault_t (*fault)(struct vm_fault *vmf);
>       vm_fault_t (*huge_fault)(struct vm_fault *vmf,
>                       enum page_entry_size pe_size);
> diff --git a/mm/mprotect.c b/mm/mprotect.c
> index ce8b8a5eacbb..f7731dc13ff0 100644
> --- a/mm/mprotect.c
> +++ b/mm/mprotect.c
> @@ -603,13 +603,21 @@ static int do_mprotect_pkey(unsigned long start, size_t 
> len,
>                       goto out;
>               }
>  
> +             tmp = vma->vm_end;
> +             if (tmp > end)
> +                     tmp = end;
> +
> +             if (vma->vm_ops && vma->vm_ops->may_mprotect) {
> +                     error = vma->vm_ops->may_mprotect(vma, nstart, tmp,
> +                                                       prot);
> +                     if (error)
> +                             goto out;
> +             }
> +
>               error = security_file_mprotect(vma, reqprot, prot);
>               if (error)
>                       goto out;
>  
> -             tmp = vma->vm_end;
> -             if (tmp > end)
> -                     tmp = end;
>               error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
>               if (error)
>                       goto out;
> -- 
> 2.25.1
> 

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH v33 10/21] mm: Introduce vm_ops->may_mprotect()

Reply via email to