1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Implement mseal() syscall. 4 * 5 * Copyright (c) 2023,2024 Google, Inc. 6 * 7 * Author: Jeff Xu <jeffxu@chromium.org> 8 */ 9 10 #include <linux/mempolicy.h> 11 #include <linux/mman.h> 12 #include <linux/mm.h> 13 #include <linux/mm_inline.h> 14 #include <linux/mmu_context.h> 15 #include <linux/syscalls.h> 16 #include <linux/sched.h> 17 #include "internal.h" 18 set_vma_sealed(struct vm_area_struct * vma)19 static inline void set_vma_sealed(struct vm_area_struct *vma) 20 { 21 vm_flags_set(vma, VM_SEALED); 22 } 23 is_madv_discard(int behavior)24 static bool is_madv_discard(int behavior) 25 { 26 switch (behavior) { 27 case MADV_FREE: 28 case MADV_DONTNEED: 29 case MADV_DONTNEED_LOCKED: 30 case MADV_REMOVE: 31 case MADV_DONTFORK: 32 case MADV_WIPEONFORK: 33 return true; 34 } 35 36 return false; 37 } 38 is_ro_anon(struct vm_area_struct * vma)39 static bool is_ro_anon(struct vm_area_struct *vma) 40 { 41 /* check anonymous mapping. */ 42 if (vma->vm_file || vma->vm_flags & VM_SHARED) 43 return false; 44 45 /* 46 * check for non-writable: 47 * PROT=RO or PKRU is not writeable. 48 */ 49 if (!(vma->vm_flags & VM_WRITE) || 50 !arch_vma_access_permitted(vma, true, false, false)) 51 return true; 52 53 return false; 54 } 55 56 /* 57 * Check if a vma is allowed to be modified by madvise. 58 */ can_modify_vma_madv(struct vm_area_struct * vma,int behavior)59 bool can_modify_vma_madv(struct vm_area_struct *vma, int behavior) 60 { 61 if (!is_madv_discard(behavior)) 62 return true; 63 64 if (unlikely(!can_modify_vma(vma) && is_ro_anon(vma))) 65 return false; 66 67 /* Allow by default. */ 68 return true; 69 } 70 mseal_fixup(struct vma_iterator * vmi,struct vm_area_struct * vma,struct vm_area_struct ** prev,unsigned long start,unsigned long end,vm_flags_t newflags)71 static int mseal_fixup(struct vma_iterator *vmi, struct vm_area_struct *vma, 72 struct vm_area_struct **prev, unsigned long start, 73 unsigned long end, vm_flags_t newflags) 74 { 75 int ret = 0; 76 vm_flags_t oldflags = vma->vm_flags; 77 78 if (newflags == oldflags) 79 goto out; 80 81 vma = vma_modify_flags(vmi, *prev, vma, start, end, newflags); 82 if (IS_ERR(vma)) { 83 ret = PTR_ERR(vma); 84 goto out; 85 } 86 87 set_vma_sealed(vma); 88 out: 89 *prev = vma; 90 return ret; 91 } 92 93 /* 94 * Check for do_mseal: 95 * 1> start is part of a valid vma. 96 * 2> end is part of a valid vma. 97 * 3> No gap (unallocated address) between start and end. 98 * 4> map is sealable. 99 */ check_mm_seal(unsigned long start,unsigned long end)100 static int check_mm_seal(unsigned long start, unsigned long end) 101 { 102 struct vm_area_struct *vma; 103 unsigned long nstart = start; 104 105 VMA_ITERATOR(vmi, current->mm, start); 106 107 /* going through each vma to check. */ 108 for_each_vma_range(vmi, vma, end) { 109 if (vma->vm_start > nstart) 110 /* unallocated memory found. */ 111 return -ENOMEM; 112 113 if (vma->vm_end >= end) 114 return 0; 115 116 nstart = vma->vm_end; 117 } 118 119 return -ENOMEM; 120 } 121 122 /* 123 * Apply sealing. 124 */ apply_mm_seal(unsigned long start,unsigned long end)125 static int apply_mm_seal(unsigned long start, unsigned long end) 126 { 127 unsigned long nstart; 128 struct vm_area_struct *vma, *prev; 129 130 VMA_ITERATOR(vmi, current->mm, start); 131 132 vma = vma_iter_load(&vmi); 133 /* 134 * Note: check_mm_seal should already checked ENOMEM case. 135 * so vma should not be null, same for the other ENOMEM cases. 136 */ 137 prev = vma_prev(&vmi); 138 if (start > vma->vm_start) 139 prev = vma; 140 141 nstart = start; 142 for_each_vma_range(vmi, vma, end) { 143 int error; 144 unsigned long tmp; 145 vm_flags_t newflags; 146 147 newflags = vma->vm_flags | VM_SEALED; 148 tmp = vma->vm_end; 149 if (tmp > end) 150 tmp = end; 151 error = mseal_fixup(&vmi, vma, &prev, nstart, tmp, newflags); 152 if (error) 153 return error; 154 nstart = vma_iter_end(&vmi); 155 } 156 157 return 0; 158 } 159 160 /* 161 * mseal(2) seals the VM's meta data from 162 * selected syscalls. 163 * 164 * addr/len: VM address range. 165 * 166 * The address range by addr/len must meet: 167 * start (addr) must be in a valid VMA. 168 * end (addr + len) must be in a valid VMA. 169 * no gap (unallocated memory) between start and end. 170 * start (addr) must be page aligned. 171 * 172 * len: len will be page aligned implicitly. 173 * 174 * Below VMA operations are blocked after sealing. 175 * 1> Unmapping, moving to another location, and shrinking 176 * the size, via munmap() and mremap(), can leave an empty 177 * space, therefore can be replaced with a VMA with a new 178 * set of attributes. 179 * 2> Moving or expanding a different vma into the current location, 180 * via mremap(). 181 * 3> Modifying a VMA via mmap(MAP_FIXED). 182 * 4> Size expansion, via mremap(), does not appear to pose any 183 * specific risks to sealed VMAs. It is included anyway because 184 * the use case is unclear. In any case, users can rely on 185 * merging to expand a sealed VMA. 186 * 5> mprotect and pkey_mprotect. 187 * 6> Some destructive madvice() behavior (e.g. MADV_DONTNEED) 188 * for anonymous memory, when users don't have write permission to the 189 * memory. Those behaviors can alter region contents by discarding pages, 190 * effectively a memset(0) for anonymous memory. 191 * 192 * flags: reserved. 193 * 194 * return values: 195 * zero: success. 196 * -EINVAL: 197 * invalid input flags. 198 * start address is not page aligned. 199 * Address arange (start + len) overflow. 200 * -ENOMEM: 201 * addr is not a valid address (not allocated). 202 * end (start + len) is not a valid address. 203 * a gap (unallocated memory) between start and end. 204 * -EPERM: 205 * - In 32 bit architecture, sealing is not supported. 206 * Note: 207 * user can call mseal(2) multiple times, adding a seal on an 208 * already sealed memory is a no-action (no error). 209 * 210 * unseal() is not supported. 211 */ do_mseal(unsigned long start,size_t len_in,unsigned long flags)212 int do_mseal(unsigned long start, size_t len_in, unsigned long flags) 213 { 214 size_t len; 215 int ret = 0; 216 unsigned long end; 217 struct mm_struct *mm = current->mm; 218 219 ret = can_do_mseal(flags); 220 if (ret) 221 return ret; 222 223 start = untagged_addr(start); 224 if (!PAGE_ALIGNED(start)) 225 return -EINVAL; 226 227 len = PAGE_ALIGN(len_in); 228 /* Check to see whether len was rounded up from small -ve to zero. */ 229 if (len_in && !len) 230 return -EINVAL; 231 232 end = start + len; 233 if (end < start) 234 return -EINVAL; 235 236 if (end == start) 237 return 0; 238 239 if (mmap_write_lock_killable(mm)) 240 return -EINTR; 241 242 /* 243 * First pass, this helps to avoid 244 * partial sealing in case of error in input address range, 245 * e.g. ENOMEM error. 246 */ 247 ret = check_mm_seal(start, end); 248 if (ret) 249 goto out; 250 251 /* 252 * Second pass, this should success, unless there are errors 253 * from vma_modify_flags, e.g. merge/split error, or process 254 * reaching the max supported VMAs, however, those cases shall 255 * be rare. 256 */ 257 ret = apply_mm_seal(start, end); 258 259 out: 260 mmap_write_unlock(current->mm); 261 return ret; 262 } 263 SYSCALL_DEFINE3(mseal,unsigned long,start,size_t,len,unsigned long,flags)264 SYSCALL_DEFINE3(mseal, unsigned long, start, size_t, len, unsigned long, 265 flags) 266 { 267 return do_mseal(start, len, flags); 268 } 269