1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Implement mseal() syscall.
4 *
5 * Copyright (c) 2023,2024 Google, Inc.
6 *
7 * Author: Jeff Xu <jeffxu@chromium.org>
8 */
9
10 #include <linux/mempolicy.h>
11 #include <linux/mman.h>
12 #include <linux/mm.h>
13 #include <linux/mm_inline.h>
14 #include <linux/mmu_context.h>
15 #include <linux/syscalls.h>
16 #include <linux/sched.h>
17 #include "internal.h"
18
set_vma_sealed(struct vm_area_struct * vma)19 static inline void set_vma_sealed(struct vm_area_struct *vma)
20 {
21 vm_flags_set(vma, VM_SEALED);
22 }
23
is_madv_discard(int behavior)24 static bool is_madv_discard(int behavior)
25 {
26 switch (behavior) {
27 case MADV_FREE:
28 case MADV_DONTNEED:
29 case MADV_DONTNEED_LOCKED:
30 case MADV_REMOVE:
31 case MADV_DONTFORK:
32 case MADV_WIPEONFORK:
33 return true;
34 }
35
36 return false;
37 }
38
is_ro_anon(struct vm_area_struct * vma)39 static bool is_ro_anon(struct vm_area_struct *vma)
40 {
41 /* check anonymous mapping. */
42 if (vma->vm_file || vma->vm_flags & VM_SHARED)
43 return false;
44
45 /*
46 * check for non-writable:
47 * PROT=RO or PKRU is not writeable.
48 */
49 if (!(vma->vm_flags & VM_WRITE) ||
50 !arch_vma_access_permitted(vma, true, false, false))
51 return true;
52
53 return false;
54 }
55
56 /*
57 * Check if a vma is allowed to be modified by madvise.
58 */
can_modify_vma_madv(struct vm_area_struct * vma,int behavior)59 bool can_modify_vma_madv(struct vm_area_struct *vma, int behavior)
60 {
61 if (!is_madv_discard(behavior))
62 return true;
63
64 if (unlikely(!can_modify_vma(vma) && is_ro_anon(vma)))
65 return false;
66
67 /* Allow by default. */
68 return true;
69 }
70
mseal_fixup(struct vma_iterator * vmi,struct vm_area_struct * vma,struct vm_area_struct ** prev,unsigned long start,unsigned long end,vm_flags_t newflags)71 static int mseal_fixup(struct vma_iterator *vmi, struct vm_area_struct *vma,
72 struct vm_area_struct **prev, unsigned long start,
73 unsigned long end, vm_flags_t newflags)
74 {
75 int ret = 0;
76 vm_flags_t oldflags = vma->vm_flags;
77
78 if (newflags == oldflags)
79 goto out;
80
81 vma = vma_modify_flags(vmi, *prev, vma, start, end, newflags);
82 if (IS_ERR(vma)) {
83 ret = PTR_ERR(vma);
84 goto out;
85 }
86
87 set_vma_sealed(vma);
88 out:
89 *prev = vma;
90 return ret;
91 }
92
93 /*
94 * Check for do_mseal:
95 * 1> start is part of a valid vma.
96 * 2> end is part of a valid vma.
97 * 3> No gap (unallocated address) between start and end.
98 * 4> map is sealable.
99 */
check_mm_seal(unsigned long start,unsigned long end)100 static int check_mm_seal(unsigned long start, unsigned long end)
101 {
102 struct vm_area_struct *vma;
103 unsigned long nstart = start;
104
105 VMA_ITERATOR(vmi, current->mm, start);
106
107 /* going through each vma to check. */
108 for_each_vma_range(vmi, vma, end) {
109 if (vma->vm_start > nstart)
110 /* unallocated memory found. */
111 return -ENOMEM;
112
113 if (vma->vm_end >= end)
114 return 0;
115
116 nstart = vma->vm_end;
117 }
118
119 return -ENOMEM;
120 }
121
122 /*
123 * Apply sealing.
124 */
apply_mm_seal(unsigned long start,unsigned long end)125 static int apply_mm_seal(unsigned long start, unsigned long end)
126 {
127 unsigned long nstart;
128 struct vm_area_struct *vma, *prev;
129
130 VMA_ITERATOR(vmi, current->mm, start);
131
132 vma = vma_iter_load(&vmi);
133 /*
134 * Note: check_mm_seal should already checked ENOMEM case.
135 * so vma should not be null, same for the other ENOMEM cases.
136 */
137 prev = vma_prev(&vmi);
138 if (start > vma->vm_start)
139 prev = vma;
140
141 nstart = start;
142 for_each_vma_range(vmi, vma, end) {
143 int error;
144 unsigned long tmp;
145 vm_flags_t newflags;
146
147 newflags = vma->vm_flags | VM_SEALED;
148 tmp = vma->vm_end;
149 if (tmp > end)
150 tmp = end;
151 error = mseal_fixup(&vmi, vma, &prev, nstart, tmp, newflags);
152 if (error)
153 return error;
154 nstart = vma_iter_end(&vmi);
155 }
156
157 return 0;
158 }
159
160 /*
161 * mseal(2) seals the VM's meta data from
162 * selected syscalls.
163 *
164 * addr/len: VM address range.
165 *
166 * The address range by addr/len must meet:
167 * start (addr) must be in a valid VMA.
168 * end (addr + len) must be in a valid VMA.
169 * no gap (unallocated memory) between start and end.
170 * start (addr) must be page aligned.
171 *
172 * len: len will be page aligned implicitly.
173 *
174 * Below VMA operations are blocked after sealing.
175 * 1> Unmapping, moving to another location, and shrinking
176 * the size, via munmap() and mremap(), can leave an empty
177 * space, therefore can be replaced with a VMA with a new
178 * set of attributes.
179 * 2> Moving or expanding a different vma into the current location,
180 * via mremap().
181 * 3> Modifying a VMA via mmap(MAP_FIXED).
182 * 4> Size expansion, via mremap(), does not appear to pose any
183 * specific risks to sealed VMAs. It is included anyway because
184 * the use case is unclear. In any case, users can rely on
185 * merging to expand a sealed VMA.
186 * 5> mprotect and pkey_mprotect.
187 * 6> Some destructive madvice() behavior (e.g. MADV_DONTNEED)
188 * for anonymous memory, when users don't have write permission to the
189 * memory. Those behaviors can alter region contents by discarding pages,
190 * effectively a memset(0) for anonymous memory.
191 *
192 * flags: reserved.
193 *
194 * return values:
195 * zero: success.
196 * -EINVAL:
197 * invalid input flags.
198 * start address is not page aligned.
199 * Address arange (start + len) overflow.
200 * -ENOMEM:
201 * addr is not a valid address (not allocated).
202 * end (start + len) is not a valid address.
203 * a gap (unallocated memory) between start and end.
204 * -EPERM:
205 * - In 32 bit architecture, sealing is not supported.
206 * Note:
207 * user can call mseal(2) multiple times, adding a seal on an
208 * already sealed memory is a no-action (no error).
209 *
210 * unseal() is not supported.
211 */
do_mseal(unsigned long start,size_t len_in,unsigned long flags)212 int do_mseal(unsigned long start, size_t len_in, unsigned long flags)
213 {
214 size_t len;
215 int ret = 0;
216 unsigned long end;
217 struct mm_struct *mm = current->mm;
218
219 ret = can_do_mseal(flags);
220 if (ret)
221 return ret;
222
223 start = untagged_addr(start);
224 if (!PAGE_ALIGNED(start))
225 return -EINVAL;
226
227 len = PAGE_ALIGN(len_in);
228 /* Check to see whether len was rounded up from small -ve to zero. */
229 if (len_in && !len)
230 return -EINVAL;
231
232 end = start + len;
233 if (end < start)
234 return -EINVAL;
235
236 if (end == start)
237 return 0;
238
239 if (mmap_write_lock_killable(mm))
240 return -EINTR;
241
242 /*
243 * First pass, this helps to avoid
244 * partial sealing in case of error in input address range,
245 * e.g. ENOMEM error.
246 */
247 ret = check_mm_seal(start, end);
248 if (ret)
249 goto out;
250
251 /*
252 * Second pass, this should success, unless there are errors
253 * from vma_modify_flags, e.g. merge/split error, or process
254 * reaching the max supported VMAs, however, those cases shall
255 * be rare.
256 */
257 ret = apply_mm_seal(start, end);
258
259 out:
260 mmap_write_unlock(current->mm);
261 return ret;
262 }
263
SYSCALL_DEFINE3(mseal,unsigned long,start,size_t,len,unsigned long,flags)264 SYSCALL_DEFINE3(mseal, unsigned long, start, size_t, len, unsigned long,
265 flags)
266 {
267 return do_mseal(start, len, flags);
268 }
269