[PATCH] arm64: Introduce execute-only page access permissions

Catalin Marinas catalin.marinas at arm.com
Tue May 6 07:14:08 PDT 2014 

On Fri, May 02, 2014 at 07:07:07PM +0100, Will Deacon wrote:
> On Fri, May 02, 2014 at 06:13:37PM +0100, Catalin Marinas wrote:
> > On Fri, May 02, 2014 at 06:00:28PM +0100, Will Deacon wrote:
> > > On Fri, May 02, 2014 at 04:49:52PM +0100, Catalin Marinas wrote:
> > > > The ARMv8 architecture allows execute-only user permissions by clearing
> > > > the PTE_UXN and PTE_USER bits. The kernel, however, can still access
> > > > such page.
> > > > 
> > > > This patch changes the arm64 __P100 and __S100 protection_map[] macros
> > > > to the new __PAGE_EXECONLY attributes. A side effect is that
> > > > pte_valid_user() no longer triggers for __PAGE_EXECONLY since PTE_USER
> > > > isn't set. To work around this, the check is done on the PTE_NG bit via
> > > > the pte_valid_ng() macro. VM_READ is also checked now for page faults.
> > > 
> > > How does this interact with things like ptrace and pipes? Can I get the
> > > kernel to read my text for me?
> > 
> > access_process_vm() would work fine since this is done using the kernel
> > linear mapping (and get_user_pages). Also, if you get_user etc. it would
> > still work since LDR/STR in EL1 mode would not be restricted (only
> > LDRT/STRT but we don't use them).
> 
> Depends on how you define `work fine'!

My definition of "working fine" is that they are not affected ;).

> 
> > But note that this is only for pages explicitly marked PROT_EXEC only.
> > Standard user apps just use r-x mappings, so not affected.
> 
> Ok, but it does mean that any task being subjected to --x permissions can
> trivially read from that mapping via a syscall, so this patch only makes
> sense in the context of something like seccomp, where you additionally
> restrict the set of syscalls available to the target.

Yes. For copy_from_user etc. we could (with a specific config option)
use LDRT/STRT and some pointer indirection changed by set_fs() but I
wouldn't bother for now.

> > > Also: do we really want to differ from x86 here?
> > 
> > x86 has a hardware limitation IIUC, same as ARMv7. This was a request
> > from security people and they claim it's a feature they would like
> > (apparently on Chrome OS). Of course, they have to adapt their tools/JIT
> > to avoid literal pools on such mappings but there is ongoing work
> > already.
> > 
> > We could make it configurable, though assume that it doesn't break any
> > user ABI (so far OK but it needs more testing), we could make it the
> > default.
> 
> Why not make it depend on SECCOMP or AUDIT? I don't think it's at all
> useful without them.

That's potentially a user ABI change, so we should make sure we spot any
abuse of the --x permission independent of the kernel config options.

-- 
Catalin

More information about the linux-arm-kernel mailing list