[PATCH] arm64: Introduce execute-only page access permissions

Catalin Marinas catalin.marinas at arm.com
Fri May 2 10:13:37 PDT 2014


On Fri, May 02, 2014 at 06:00:28PM +0100, Will Deacon wrote:
> On Fri, May 02, 2014 at 04:49:52PM +0100, Catalin Marinas wrote:
> > The ARMv8 architecture allows execute-only user permissions by clearing
> > the PTE_UXN and PTE_USER bits. The kernel, however, can still access
> > such page.
> > 
> > This patch changes the arm64 __P100 and __S100 protection_map[] macros
> > to the new __PAGE_EXECONLY attributes. A side effect is that
> > pte_valid_user() no longer triggers for __PAGE_EXECONLY since PTE_USER
> > isn't set. To work around this, the check is done on the PTE_NG bit via
> > the pte_valid_ng() macro. VM_READ is also checked now for page faults.
> 
> How does this interact with things like ptrace and pipes? Can I get the
> kernel to read my text for me?

access_process_vm() would work fine since this is done using the kernel
linear mapping (and get_user_pages). Also, if you get_user etc. it would
still work since LDR/STR in EL1 mode would not be restricted (only
LDRT/STRT but we don't use them).

But note that this is only for pages explicitly marked PROT_EXEC only.
Standard user apps just use r-x mappings, so not affected.

> Also: do we really want to differ from x86 here?

x86 has a hardware limitation IIUC, same as ARMv7. This was a request
from security people and they claim it's a feature they would like
(apparently on Chrome OS). Of course, they have to adapt their tools/JIT
to avoid literal pools on such mappings but there is ongoing work
already.

We could make it configurable, though assume that it doesn't break any
user ABI (so far OK but it needs more testing), we could make it the
default.

-- 
Catalin



More information about the linux-arm-kernel mailing list