Lines Matching +full:memory +full:- +full:mapping

1 .. SPDX-License-Identifier: GPL-2.0
9 Modern CPUs support memory permissions such as RW and NX bits. The memory
10 permission feature improves the security stance against memory corruption bugs, i.e.
11 the attacker can’t just write to arbitrary memory and point the code to it,
12 the memory has to be marked with X bit, or else an exception will happen.
14 Memory sealing additionally protects the mapping itself against
15 modifications. This is useful to mitigate memory corruption issues where a
16 corrupted pointer is passed to a memory management system. For example,
17 such an attacker primitive can break control-flow integrity guarantees
18 since read-only memory that is supposed to be trusted can become writable
19 or .text pages can get remapped. Memory sealing can automatically be
29 -----------------------
32 **addr**/**len**: virtual memory address range.
34 - The start address must be in an allocated VMA.
35 - The start address must be page aligned.
36 - The end address (**addr** + **len**) must be in an allocated VMA.
37 - No gap (unallocated memory) between the start and end address.
44 - **0**: Success.
45 - **-EINVAL**:
49 - **-ENOMEM**:
52 * A gap (unallocated memory) between start and end address.
53 - **-EPERM**:
54 * Sealing is supported only on 64-bit CPUs; 32-bit is not supported.
57 - For the above error cases, users can expect the given memory range is
59 - There might be other internal errors/cases not listed here, e.g.
62 memory range could happen. However, those cases should be rare.
65 mseal only works on 64-bit CPUs, not 32-bit CPUs.
68 Users can call mseal multiple times. mseal on an already sealed memory
69 is a no-action (not an error).
72 Once a mapping is sealed, it can't be unsealed. The kernel should never
76 Blocked mm syscall for sealed mapping
77 -------------------------------------
78 It might be important to note: **once the mapping is sealed, it will
79 stay in the process's memory until the process terminates**.
90 - munmap
91 - mmap
92 - mremap
93 - mprotect and pkey_mprotect
94 - some destructive madvise behaviors: MADV_DONTNEED, MADV_FREE,
99 replacement with a new mapping with a new set of attributes, or can
100 overwrite the existing mapping with another mapping.
103 protection bits (RWX) of the mapping.
107 risks when applied to anonymous memory by threads lacking write
111 operation on the anonymous memory.
113 The kernel will return -EPERM for blocked syscalls.
115 When a blocked syscall returns -EPERM due to sealing, the memory regions may
118 - munmap: munmap is atomic. If one of the VMAs in the given range is
120 - mprotect, pkey_mprotect, madvise: partial update might happen, e.g.
122 VMAs before reaching the sealed VMA and return -EPERM.
123 - mmap and mremap: undefined behavior.
127 - glibc:
129 mapping segments.
131 - Chrome browser: protect some security sensitive data structures.
133 - System mappings:
135 vvar_vclock, vectors (arm compat-mode), sigpage (arm compat-mode), uprobes.
137 Those system mappings are read-only or execute-only; memory sealing can
139 attributes. This is useful to mitigate memory corruption issues where a
140 corrupted pointer is passed to a memory management system.
146 The following architectures currently support this feature: x86-64, arm64,
156 Applications can apply sealing to any virtual memory region from userspace,
157 but it is *crucial to thoroughly analyze the mapping's lifetime* prior to
158 applying the sealing. This is because the sealed mapping *won’t be unmapped*
162 - aio/shm
164 ksys_shmdt() in shm.c. The lifetimes of those mappings are not tied to
169 - ptr allocated by malloc (heap)
170 Don't use mseal on the memory ptr returned from malloc().
172 allocate a ptr from brk or mapping created by mmap.
175 non-deterministic.
189 memory is immutable.
192 to RO memory, which is, in a way, by design. And those could be blocked
197 - Write to read-only memory through /proc/self/mem interface (FOLL_FORCE).
198 - Write to read-only memory through ptrace (such as PTRACE_POKETEXT).
199 - userfaultfd.
206 - [1] https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/…
207 - [2] https://man.openbsd.org/mimmutable.2
208 - [3] https://lore.kernel.org/lkml/CAG48ez3ShUYey+ZAFsU2i1RpQn0a5eOs2hzQ426FkcgnfUGLvA@mail.gmail.c…
209 - [4] https://docs.google.com/document/d/1O2jwK4dxI3nRcOJuPYkonhTkNQfbmwdvxQMyXgeaRHo/edit#heading=…